Skip to main content
IT KORR
IT KORRKeeping Organizations Reliable & Resilient
Business Continuity & Disaster Recovery · Download

Incident Response Checklist

A checklist organized by incident response phase — Detection, Containment, Eradication, Recovery, and Post-Incident Review.

IT KORR Knowledge Center

Incident Response Checklist

A checklist organized by incident response phase — Detection, Containment, Eradication, Recovery, and Post-Incident Review.

Detection

  • Confirm the incident is real and not a false positive before escalating further.
  • Determine the scope and affected systems — what is confirmed impacted vs. what is still unknown.
  • Record the time the incident was first detected and by what means (alert, report, monitoring).
  • Notify the incident response lead and activate the incident response plan.

Containment

  • Isolate affected systems from the network to prevent further spread, without powering them off if evidence preservation is needed.
  • Preserve evidence (logs, memory captures, disk images) before remediation actions overwrite it.
  • Disable compromised credentials or accounts identified during the initial assessment.
  • Implement short-term containment measures (e.g., firewall rules, network segmentation) distinct from long-term fixes.

Eradication

  • Identify and remove the root cause (malware, unauthorized access, vulnerability) from affected systems.
  • Patch or reconfigure the vulnerability that allowed the incident, not just the immediate symptom.
  • Reset credentials for all accounts confirmed or suspected to be compromised.
  • Scan related and connected systems for signs of lateral movement before considering eradication complete.

Recovery

  • Restore affected systems from known-clean backups, not from potentially compromised current state.
  • Verify no reinfection or residual compromise before reconnecting systems to production.
  • Monitor restored systems closely for a defined period following reconnection.
  • Confirm business functions are operating normally before formally closing the recovery phase.

Post-Incident Review

  • Document a full timeline of the incident: detection, containment, eradication, and recovery.
  • Identify what worked, what did not, and specific gaps in tooling, process, or training.
  • Assign owners and target dates for remediation of identified gaps.
  • Update the incident response plan and related runbooks based on lessons learned.

Related Resources

  • Ransomware Recovery Planning — /knowledge-center/business-continuity/business-continuity-disaster-recovery/ransomware-recovery-planning
  • Disaster Recovery Planning — /knowledge-center/business-continuity/business-continuity-disaster-recovery/disaster-recovery-planning

This document is a starting-point resource, not legal or compliance advice. Review it against your organization's actual systems before adoption — see the full Business Continuity & Disaster Recovery Hub for the reasoning behind each recommendation.

Build: add8299 | Built: Jul 9, 2026 9:26 PM EDT