Preparation

In the preparation phase, which hopefully accounts for the bulk of the time, the general objectives fall into three categories: preventing attacks, training, and procurement.

Preventing attacks is the primary aim of this stage. The key stakeholders, including senior management, the Computer Security Incident Response Team (CSIRT), IT support, information assurance, and the legal department, must work towards making the organization as compliant as possible and towards repelling attacks before they become incidents.

The CSIRT and other members of the organization must be trained for incident response. They must be comfortable with all the kit and equipment so that they are ready with all the skills needed to detect and react to an incident. During this phase, they should also be documenting and gaining an understanding of the existing infrastructure, so there is a baseline for recovery, as well as staying up-to-date with any guidance from manufacturers and service providers (for example, about updates).

If any part of the response is carried out by untrained personnel, there is a risk that evidence may be mishandled (and hence lose its integrity), or that important information is missed. Either of these outcomes might hamper efforts to hold the perpetrators responsible, or even to fully remedy the situation (for example, if a component of the attack is not fully removed).

The preparation phase is also where the organization purchases and maintains the kit and equipment required for prevention, detection, and response.
