Developing the incident response plan

The basis and the plan must be developed, as they are the main resource for the process. The plan encompasses support for incident response and is developed formally. It specifies the high-level details of how to initiate incident response, provides contacts, and, if third parties are to be involved, describes the process for involving them. The plan also includes the team roles and responsibilities, along with the communication protocols and the response times outlined for each level of severity. Another item that may be important to have in the plan and process is escalation levels. These can be assigned to incidents of various severities to ensure that only the contacts who need to be engaged are engaged, and at the right time in the response process. Each team involved in incident response should know what the plan is and what is expected of each member.

A process can be written to illustrate the flow of an incident and should be provided as documentation to the support teams, especially the team managing the incident ticket. The process must have a logical flow and be simple enough to follow, allowing each team to reference its incident procedures, when necessary, for a more detailed understanding of what is to be done and when. The process flow can be further annotated with references to other documents, giving the incident response team the information necessary to perform incident response successfully in accordance with the agreed process and plan. A process for incident response may look similar to the one provided in Appendix E, Security Incident Response Resources, and can be customized to the enterprise.
