Building an Incident Response Plan with CISM

Every organization believes it has an incident response plan until the night it actually needs one. Then the gaps show: no one is sure who declares an incident, the contact list is out of date, and the team improvises under pressure while the clock runs. A real incident response plan removes that improvisation by deciding in advance who does what, in what order, and how the business keeps running. This session looks at incident response the way the CISM program does, from the manager’s seat, where building and owning that plan is the job.

An incident response plan is a documented, tested set of procedures that defines how an organization detects, contains, and recovers from a security incident. CISM Domain 4 covers how a security manager builds and runs that plan.

What You’ll Learn

This session treats incident response as a management discipline, not just a technical drill. You will walk through the four phases that structure most response efforts: preparation, detection and analysis, containment along with eradication and recovery, and the post-incident activity where lessons get captured. We frame each phase the way CISM Domain 4 does, focused on the decisions a manager owns, such as who has the authority to declare an incident, when to involve legal and communications, and how response ties back to business continuity.

From there we get practical about the plan itself. You will learn what a usable incident response plan actually contains, how to define roles and escalation paths before an incident rather than during one, and how to test the plan so it holds up when it matters. The same program-level thinking runs through the CISM boot camp, where incident management sits alongside governance and risk as part of the security manager’s core responsibilities.

Who Should Attend

This session is built for security managers and the professionals stepping into those roles. It is especially useful for CISM candidates who want a clear view of Domain 4, and equally valuable for SOC leads, IT managers, risk and compliance professionals, and anyone who would be expected to coordinate the response when an incident is declared.

Exclusive Benefits for Attendees

✦ Full recording of the session for future reference

✦ Incident response plan reference guide covering all four response phases

✦ Incident response readiness checklist for security managers

✦ Live Q&A with a certified security management instructor

✦ Certificate of Attendance for your professional records

“In preparing for battle I have always found that plans are useless, but planning is indispensable.”

— Dwight D. Eisenhower

Frequently Asked Questions

What is an incident response plan?
An incident response plan is a documented, tested set of procedures that defines how an organization detects, contains, and recovers from a security incident. It assigns roles, sets the order of actions, and keeps the business running while the incident is handled.

What is CISM?
CISM, the Certified Information Security Manager, is an ISACA certification for professionals who manage and govern security programs. It focuses on the management side of security rather than hands-on technical configuration.

What does CISM Domain 4 cover?
Domain 4 of CISM covers incident management. It addresses how a security manager prepares for, detects, responds to, and recovers from security incidents, including the planning, teams, and communication that hold up under pressure.

What are the phases of incident response?
A common model breaks incident response into four phases: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity. The final phase captures lessons learned so the next response is faster.

Who should get the CISM certification?
CISM is aimed at security managers, aspiring managers, and professionals responsible for governing a security program. It suits people moving from technical roles into management who need to own risk, governance, and incident response at the program level.

What are the CISM requirements?
CISM requires five years of work experience in information security management, with some substitutions available for related certifications and education. Candidates can pass the exam first and meet the experience requirement within five years.

Ready to Take the Next Step?

Build on what you learn in this session with Training Camp’s security management certification programs, covering incident response alongside the governance and risk work that defines the manager’s role.