An incident response plan (IRP) tells every person in your organisation exactly what to do in the first minutes of a cyberattack, before panic sets in. Without one, Indian SMBs lose days recovering instead of hours. Under CERT-In's 2022 directions, certain cyber incidents must be reported within six hours of noticing them. Miss that window and you compound the breach with a compliance violation. This playbook walks you through the six incident response phases (the SANS PICERL breakdown of the NIST SP 800-61 lifecycle), India-specific legal obligations, the roles and responsibilities every team needs, and a first-hour checklist for ransomware and data breaches.
Why Most Indian SMBs Have No Written IR Plan
The gap is not ignorance — it is prioritisation. When a founding team is racing to hit revenue targets, a 20-page incident response procedure feels like a luxury. Then ransomware encrypts the NAS at 2 a.m. and the team discovers they have no offline backup, no contact tree, and no designated incident commander.
A few hours' delay in containment enables lateral movement, PII exfiltration, and propagation to cloud-synced drives. Forensic evidence gets overwritten. The CERT-In 6-hour clock is already ticking.
IBM's Cost of a Data Breach Report 2024 puts the global average time to identify and contain a breach at 258 days. That figure includes large enterprises with dedicated SOC teams; for an Indian SMB with no playbook, the exposure window is typically far longer.
The Six Phases of Incident Response (NIST SP 800-61)
NIST Special Publication 800-61 Rev. 2 ("Computer Security Incident Handling Guide") describes the lifecycle in four phases: Preparation; Detection and Analysis; Containment, Eradication and Recovery; and Post-Incident Activity. The SANS PICERL model splits the third of those into Containment, Eradication and Recovery, giving six. This playbook uses the six-phase breakdown because each step then has a distinct owner and deliverable. The full NIST guide is available at nist.gov. Each phase has a hard deliverable, not just an activity.
```mermaid
graph TD
    A["Preparation<br/>Assets · Runbooks · Training"] --> B["Identification<br/>Detect · Classify · Declare"]
    B --> C["Containment<br/>Isolate · Preserve evidence"]
    C --> D["Eradication<br/>Remove malware · Patch root cause"]
    D --> E["Recovery<br/>Restore · Verify · Monitor"]
    E --> F["Lessons Learned<br/>Post-incident report · Update runbooks"]
    F -->|Continuous improvement| A
    B -->|Qualifying incident?| G["Report to CERT-In<br/>Within 6 hours of awareness"]
    B -->|Personal data breach?| H["Notify Data Protection Board<br/>Under DPDP Act 2023"]
    style A fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style B fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style C fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style D fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style E fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
    style F fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
    style G fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style H fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
```

Phase 1 — Preparation
Preparation is everything you do before an incident occurs. It is the only phase that runs continuously and feeds every other phase. Key deliverables: asset inventory, contact tree with personal mobile numbers, offline credentials, pre-approved authority for the incident commander to isolate systems without board approval, and at least one tabletop exercise per year.
Phase 2 — Identification
Detection is not the same as identification. An alert fires — a failed login spike, an EDR quarantine, a customer complaint about receiving unknown emails from your domain. Identification means determining whether this is a real incident, classifying its type and severity, and formally declaring an incident so the clock-driven response kicks in.
The CERT-In 6-hour window starts when you notice the incident or are brought to notice of it, which in practice means the moment your team receives credible evidence of a qualifying incident, not the moment someone formally declares it. Record that timestamp, the source of the evidence and who saw it; log the declaration timestamp separately.
Phase 3 — Containment
Containment has two sub-phases: short-term (stop the bleeding immediately — disconnect affected hosts from the network, revoke compromised credentials, block malicious IPs at the perimeter) and long-term (implement compensating controls that are stable enough to allow the business to operate while eradication is underway).
Critical rule: do not wipe or re-image systems before taking a forensic snapshot. Where a host is still running, capture memory before disk: powering it off destroys running processes, network connections and in-memory keys that your forensic partner will need. Regulators and cyber insurers both require evidence preservation.
Phase 4 — Eradication
Remove every trace of the adversary: malware binaries, persistence mechanisms (scheduled tasks, registry run keys, rogue admin accounts, web shells), and the exploited vulnerability. Patching before the root cause is fully understood means eradication is incomplete.
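A persistence hunt for one of the mechanisms listed above, web shells, as an added example (not code from this playbook's author). It walks a web root, flags PHP files matching a small set of constructed indicator rules, flags any file modified after the suspected start of the compromise, and records a SHA-256 of every hit so the evidence custodian has the hash before the file is removed. The rules, extensions and sample web root are all assumptions for illustration; tune them to your stack.

```python
"""Hunt for web shells and recently modified files under a web root.

Added example for this playbook, not code from the page's author. The
indicator rules, the file extensions and the sample web root are
constructed for illustration; tune them to your stack. Nothing here
modifies or deletes a file: eradication happens only after the evidence
custodian has the hashes recorded below.
"""
import hashlib
import os
import re
import tempfile
import time
from dataclasses import dataclass, field

# Indicator rules (constructed): common one-liner PHP shells and
# request-driven code execution. They will not catch every obfuscation.
INDICATORS = {
    "eval_of_decoded_payload": re.compile(
        r"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "exec_of_request_input": re.compile(
        r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I),
    "eval_of_request_input": re.compile(
        r"\b(eval|assert)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I),
    "preg_replace_eval_modifier": re.compile(
        r"preg_replace\s*\(\s*(['\"]).*?/\w*e\w*\1", re.I),
}
SCRIPT_EXTS = (".php", ".phtml", ".php5", ".phar")


@dataclass
class Finding:
    path: str                 # relative to the web root, '/' separated
    sha256: str               # recorded before anything is touched
    mtime: float
    rules: list = field(default_factory=list)
    recently_modified: bool = False


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_webroot(root, compromise_start=None):
    """Return a Finding for every file that matches an indicator rule or
    (when compromise_start, a POSIX timestamp, is given) was modified at or
    after the suspected start of the compromise. Non-script files are only
    checked by mtime: a PNG written during the incident is still worth a look."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            recent = compromise_start is not None and st.st_mtime >= compromise_start
            hits = []
            if name.lower().endswith(SCRIPT_EXTS):
                with open(full, "rb") as f:
                    text = f.read().decode("utf-8", errors="replace")
                hits = [rule for rule, rx in INDICATORS.items() if rx.search(text)]
            if hits or recent:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append(Finding(rel, sha256_of(full), st.st_mtime, hits, recent))
    return sorted(findings, key=lambda f: f.path)


def build_sample_webroot():
    """Constructed sample tree: two shells, a clean app, one recent asset.
    Returns (root, compromise_start)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    now = time.time()
    old = now - 30 * 86400                      # deployed a month ago
    samples = {
        "index.php": ("<?php require 'config.php'; echo htmlspecialchars($_GET['q'] ?? ''); ?>", old),
        "config.php": ("<?php $db = ['host' => 'localhost']; ?>", old),
        "uploads/cache.php": ("<?php @eval(base64_decode($_POST['k'])); ?>", now),
        "images/thumb.php": ("<?php if (isset($_GET['cmd'])) { system($_GET['cmd']); } ?>", old),
        "assets/logo.png": ("\x89PNG\r\n\x1a\n", now),
    }
    for rel, (content, mtime) in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as f:
            f.write(content)
        os.utime(full, (mtime, mtime))
    return root, now - 3600                     # compromise suspected within the last hour


if __name__ == "__main__":
    root, since = build_sample_webroot()
    for finding in scan_webroot(root, since):
        flags = ", ".join(finding.rules) or "recent modification only"
        print(f"{finding.path:<22} {finding.sha256[:16]}...  {flags}")
```

The mtime filter is what catches the shell a rule misses: `images/thumb.php` is flagged by its `system($_GET[...])` call even though it was planted a month ago, while `assets/logo.png` is flagged purely because it changed inside the compromise window. Treat a hit as a lead for the evidence custodian, not as proof; a false positive costs a minute to review, a missed shell costs you the whole eradication phase.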
Phase 5 — Recovery
Restore affected systems to production with enhanced monitoring in place. Do not rush — ransomware groups frequently leave a secondary backdoor that activates after the victim believes they have recovered. Verify restored data against known-good backups and expand logging verbosity for at least 30 days post-recovery.
Phase 6 — Lessons Learned
Within two weeks of closure, hold a post-incident review. Produce a written report: timeline, what worked, what failed, root cause, and specific changes to runbooks and controls. This document doubles as your evidence record for CERT-In and insurers.
India-Specific Legal Obligations
CERT-In 6-Hour Reporting
Under CERT-In's directions of 28 April 2022 (in force since 27 June 2022), service providers, intermediaries, data centres, body corporates and government organisations must report qualifying cyber incidents to CERT-In within 6 hours of noticing them or being brought to notice of them. The annexed list of qualifying incidents includes targeted scanning or probing of critical networks or systems, compromise of critical systems or information, unauthorised access to IT systems or data, website defacement, malicious code attacks (including ransomware), attacks on servers and network devices, identity theft, spoofing and phishing, denial-of-service attacks, data breaches and data leaks, and attacks on critical information infrastructure, cloud systems and IoT devices. Report via cert-in.org.in, by email to incident@cert-in.org.in, or on the helpline 1800-11-4949. The same directions require you to retain logs of all ICT systems for 180 days within India and to synchronise system clocks with NTP servers of NIC or NPL, which is why your awareness timestamp and your log retention matter as much as the filing itself.
DPDP Act 2023 — Breach Notification to the Data Protection Board
India's Digital Personal Data Protection Act 2023 requires a Data Fiduciary (the entity that decides the purpose and means of processing personal data, which for most SMBs means you and not just your cloud vendor) to intimate the Data Protection Board of India and each affected Data Principal of a personal data breach, in the form and within the timeline prescribed under the DPDP Rules, and regardless of whether the Fiduciary was at fault. The Act's penalty schedule allows up to ₹200 crore for failing to give that notice and up to ₹250 crore for failing to implement reasonable security safeguards. Your IR plan must therefore include a legal lead whose first task on a breach declaration is to assess whether personal data was involved and trigger the DPDP notification process. See our DPDP compliance guide for the full obligations.
Roles, Responsibilities, and RACI
Every IR plan needs named humans, not job titles. Job titles change. Mobile numbers do not.
| Role | Responsible | Accountable | Consulted | Informed |
|---|---|---|---|---|
| Incident Commander | Designated Lead | CTO / Founder | Legal, CISO | All hands |
| Technical Lead | Sr. Engineer / DevOps | Incident Commander | Vendor / MSP | Incident Commander |
| Communications Lead | PR / Founder | Incident Commander | Legal | Customers, regulators |
| Legal Lead | In-house / Retainer | Founder | CERT-In filing lead | Board |
| CERT-In Filing Lead | Compliance / IT | Incident Commander | Legal | CERT-In |
| Evidence Custodian | IT / Forensics partner | Incident Commander | Legal | Incident Commander |
Building the Four Artefacts Your Plan Needs
1. Asset Inventory
You cannot protect what you do not know you have. Maintain a living spreadsheet (or CMDB) with: hostname, IP, owner, OS version, data classification, last patch date, and backup status. A runbook that says "isolate the database server" is useless if no one knows its IP at 3 a.m.
2. Runbooks
A runbook is a step-by-step procedure for a specific scenario: ransomware on an endpoint, credential stuffing on the login API, web shell on the application server. Each runbook should be printable and offline-accessible — attackers sometimes cut your internet access.
3. Contact Tree
One encrypted document with an offline copy: personal mobile numbers for every team member, ISP abuse contact, cloud provider security emergency line, cyber insurer breach hotline, CERT-In filing contact, and legal retainer emergency number.
4. Tested Backups
A backup that has never been restored is a hypothesis, not a control. Run a restore drill at least quarterly and confirm the restore target is air-gapped or immutable — ransomware strains routinely encrypt network-accessible backup shares within minutes of gaining a foothold.
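A restore drill needs something to compare against, which is also what the Recovery phase's "verify restored data against known-good backups" step requires. The following added example (not the playbook author's code) builds a SHA-256 manifest of the backup source at backup time, in the sha256sum text format so the same file can be checked on the restore host with `sha256sum -c`, and then verifies a restored tree against it, reporting files that are missing, altered or unexpected. The source tree, the restored copies and the defects injected into the bad restore are constructed for the drill.

```python
"""Manifest-based restore verification for backup drills and post-incident recovery.

Added example for this playbook, not the page author's code. The backup
source, the 'restored' copies and the defects injected into one of them
are all constructed inline. The manifest uses the sha256sum text format
so the same file can be checked on the restore host with `sha256sum -c`.
"""
import hashlib
import os
import shutil
import tempfile


def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map '/'-separated relative path -> SHA-256 for every file under root.
    Build this at backup time and store it with the offline copy."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = file_sha256(full)
    return manifest


def dump_manifest(manifest):
    """Serialise in sha256sum format: '<hex>  <path>' per line."""
    return "".join(f"{digest}  {path}\n" for path, digest in sorted(manifest.items()))


def parse_manifest(text):
    manifest = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, path = line.split("  ", 1)
        manifest[path] = digest
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest. A restore is good only
    when nothing is missing, nothing differs and nothing unexpected appeared;
    an unexpected file in a restore is how a re-introduced web shell looks."""
    actual = build_manifest(restored_root)
    missing = sorted(p for p in manifest if p not in actual)
    modified = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    unexpected = sorted(p for p in actual if p not in manifest)
    return {"missing": missing, "modified": modified, "unexpected": unexpected,
            "ok": not (missing or modified or unexpected)}


def demo():
    """Constructed drill: a clean restore passes, a defective one is caught.
    Returns (manifest, clean_report, bad_report)."""
    base = tempfile.mkdtemp(prefix="restore-drill-")
    src = os.path.join(base, "source")
    files = {
        "db/customers.sql": b"INSERT INTO customers VALUES (1, 'Asha', 'asha@example.in');\n",
        "app/config.yml": b"db_host: 10.0.0.5\n",
        "uploads/invoice-001.pdf": b"%PDF-1.4 constructed sample\n",
    }
    for rel, data in files.items():
        full = os.path.join(src, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    manifest = parse_manifest(dump_manifest(build_manifest(src)))   # round-trip through text

    clean = os.path.join(base, "restore-clean")
    shutil.copytree(src, clean)
    clean_report = verify_restore(manifest, clean)

    bad = os.path.join(base, "restore-bad")
    shutil.copytree(src, bad)
    with open(os.path.join(bad, "app", "config.yml"), "ab") as f:
        f.write(b"debug: true\n")                                   # silently altered
    os.remove(os.path.join(bad, "uploads", "invoice-001.pdf"))       # lost in the restore
    with open(os.path.join(bad, "uploads", "cache.php"), "wb") as f:
        f.write(b"<?php @eval($_POST['k']); ?>")                     # came back with the restore
    bad_report = verify_restore(manifest, bad)
    return manifest, clean_report, bad_report


if __name__ == "__main__":
    manifest, clean_report, bad_report = demo()
    print(dump_manifest(manifest))
    print("clean restore ok:", clean_report["ok"])
    print("bad restore:", {k: v for k, v in bad_report.items() if k != "ok"})
```

Keep the manifest with the offline or immutable copy, not on the backup share: if ransomware can rewrite the backup it can rewrite a manifest stored beside it. The "unexpected" list matters as much as "missing" during post-incident recovery, because a restore taken after the attacker's foothold will faithfully bring the foothold back.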
What to Do in the First Hour of a Ransomware or Breach
```mermaid
pie title Where IR Effort Typically Goes — First 72 Hours
    "Containment and isolation" : 30
    "Evidence collection and forensics" : 25
    "Eradication and clean rebuild" : 20
    "Stakeholder communication" : 15
    "Regulatory filing and legal" : 10
```

The pie reflects a qualitative breakdown based on practitioner experience and NIST SP 800-61 guidance — actual distribution varies by incident type and organisation size.
| Minute | Action | Owner |
|---|---|---|
| 0–5 | Declare the incident. Note exact timestamp. | Incident Commander |
| 5–15 | Isolate affected hosts from the network (pull the cable, disable the switch port, or move them to a quarantine VLAN). Do NOT power off; capture a memory and disk snapshot first. | Technical Lead |
| 15–30 | Revoke suspected compromised credentials and rotate shared service-account passwords. Invalidate active sessions and API tokens as well; a password change alone does not log the attacker out. | Technical Lead |
| 30–45 | Notify the Legal Lead and Communications Lead and activate the contact tree (MSP, forensic partner, cyber insurer hotline). | Incident Commander |
| 45–60 | Assess: Is personal data involved? Is this a CERT-In qualifying incident? Start the formal assessment log. | Legal Lead + CERT-In Filing Lead |
| 60 min | The CERT-In clock started at awareness, not at declaration, so it is at least 1 hour old. Ensure the filing lead is drafting the report with the awareness timestamp, affected systems and incident type. | CERT-In Filing Lead |
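The "formal assessment log" in the checklist above and the timeline required by the Lessons Learned phase are the same artefact if you keep it properly from minute zero. The following is an added example, not the playbook author's code: a small incident log that computes the CERT-In deadline from the awareness timestamp rather than the declaration, refuses naive (timezone-less) timestamps because "02:07" means nothing in a filing, stores everything in UTC, renders it in IST, and produces the T+ timeline for the post-incident report. The incident and its events are constructed to follow the first-hour table.

```python
"""Incident log that keeps the CERT-In six-hour clock honest.

Added example for this playbook, not the page author's code. It assumes
the reporting window runs from first awareness (Phase 2), not from the
formal declaration, stores every timestamp in UTC and renders them in IST
for the filing and the post-incident timeline. The incident and its
events are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30), "IST")   # no DST, so a fixed offset is exact
CERT_IN_WINDOW = timedelta(hours=6)


def ist(year, month, day, hour, minute):
    """Convenience constructor for an IST wall-clock time."""
    return datetime(year, month, day, hour, minute, tzinfo=IST)


def _utc(dt):
    if dt.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware; a naive 02:07 is ambiguous in a filing")
    return dt.astimezone(timezone.utc)


def fmt(dt):
    return dt.astimezone(IST).strftime("%Y-%m-%d %H:%M IST")


@dataclass
class Event:
    at: datetime      # UTC
    owner: str
    action: str


@dataclass
class IncidentLog:
    incident_id: str
    aware_at: datetime        # when credible evidence first reached the team
    events: list = field(default_factory=list)

    def __post_init__(self):
        self.aware_at = _utc(self.aware_at)

    @property
    def cert_in_deadline(self):
        return self.aware_at + CERT_IN_WINDOW

    def record(self, at, owner, action):
        self.events.append(Event(_utc(at), owner, action))
        self.events.sort(key=lambda e: e.at)

    def minutes_remaining(self, now):
        """Minutes left on the CERT-In clock at 'now'; negative once overdue."""
        return (self.cert_in_deadline - _utc(now)).total_seconds() / 60

    def filed_in_time(self):
        """True if a 'CERT-In report filed' event exists on or before the deadline."""
        filings = [e for e in self.events if e.action.startswith("CERT-In report filed")]
        return bool(filings) and filings[0].at <= self.cert_in_deadline

    def timeline(self):
        """Timeline block for the post-incident report (Phase 6), T+ minutes from awareness."""
        lines = [
            f"Incident {self.incident_id}",
            f"Awareness:        {fmt(self.aware_at)}",
            f"CERT-In deadline: {fmt(self.cert_in_deadline)}",
        ]
        for e in self.events:
            mins = int((e.at - self.aware_at).total_seconds() // 60)
            lines.append(f"T+{mins:>4} min  {fmt(e.at)}  {e.owner:<20} {e.action}")
        return "\n".join(lines)


def demo():
    """Constructed ransomware incident following the first-hour checklist."""
    aware = ist(2025, 3, 14, 2, 7)                     # NAS encryption noticed at 02:07 IST
    log = IncidentLog("IR-2025-001", aware)
    log.record(aware + timedelta(minutes=3), "Incident Commander", "Incident declared")
    log.record(aware + timedelta(minutes=12), "Technical Lead",
               "NAS and two workstations isolated; memory and disk snapshots taken")
    log.record(aware + timedelta(minutes=25), "Technical Lead",
               "Shared service-account credentials rotated, sessions revoked")
    log.record(aware + timedelta(minutes=50), "Legal Lead",
               "Personal data assessment: customer PII present on NAS")
    log.record(aware + timedelta(hours=4, minutes=40), "CERT-In Filing Lead",
               "CERT-In report filed via incident@cert-in.org.in")
    return log


if __name__ == "__main__":
    log = demo()
    print(log.timeline())
    print("filed in time:", log.filed_in_time())
```

Keep this log somewhere the attacker cannot reach (the offline copy of your runbook binder is fine) and have the evidence custodian countersign the awareness timestamp, since that one value determines whether the filing was on time.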
Tabletop Exercises: Practice Before the Fire
A tabletop exercise is a structured, discussion-based simulation where the team walks through a scenario without touching production systems. Run one per quarter, rotating scenarios: ransomware, credential breach, insider threat, supply chain compromise. Inject a complication halfway through (the incident commander is unreachable, the backup share is also encrypted, the CERT-In window has two hours left) and watch who picks it up. The goal is to discover where your plan breaks, because every gap found in a tabletop is one you will not be discovering with the CERT-In clock running.
Putting It All Together: IR Plan Readiness Checklist
| Control | Status check |
|---|---|
| Asset inventory current within 30 days | Yes / No |
| Incident commander designated and contactable 24x7 | Yes / No |
| Contact tree with personal mobile numbers, offline copy | Yes / No |
| Runbooks for ransomware, data breach, credential compromise | Yes / No |
| Backups tested — restore drill completed in last 90 days | Yes / No |
| CERT-In reporting procedure documented, filing lead named | Yes / No |
| Legal retainer briefed on CERT-In + DPDP obligations | Yes / No |
| Tabletop exercise completed in last 12 months | Yes / No |
| Forensic partner identified (CERT-In empanelled) | Yes / No |
| Cyber insurance policy reviewed for breach notification clauses | Yes / No |
Dhisattva AI Pvt Ltd built this guide as part of the broader security awareness mission behind Bachao.AI. For a technical view of where your attack surface currently stands, start with a free VAPT scan — vulnerabilities found before an attacker does are vulnerabilities that never become incidents.