Incident Response Policy - SME

The Incident Response Policy (P30S) is purpose-built for small and medium-sized enterprises (SMEs) seeking robust, ISO/IEC 27001:2022-compliant protocols without requiring an internal security operations center or a full-time CISO. This SME policy explicitly attributes accountability for incident oversight and regulatory notifications to the General Manager (GM), providing a clear structure appropriate for organizations with limited dedicated IT resources. The document details requirements that allow SMEs to minimize damage, protect sensitive information, and fulfill critical regulatory obligations, such as the GDPR 72-hour breach notification rule. Scope is broad and covers all personnel (employees, contractors, external IT service providers), all technical assets (websites, cloud platforms, email accounts, and mobile devices), and every significant form of incident (from unauthorized access to malware infection, phishing, system outages, and loss/theft of devices). The policy establishes detailed objectives: swift recognition, logging, escalation, legal notification, effective containment, data recovery, and root-cause-based prevention. It also supports SMEs in passing ISO/IEC 27001 audits and demonstrating due accountability to clients and regulators. Specific roles and responsibilities are simplified to adapt to the SME context: The GM retains overall accountability, supported by either internal or outsourced IT administration. Staff and contractors are instructed to report any incident immediately without attempting unauthorized fixes. External vendors are obliged to notify the GM and support containment actions as per contractual obligations, subject to the same escalation timelines as internal incidents. The policy sets forth structured reporting procedures, including clear communication channels (dedicated incident email or verbal report), required details (discovery time, nature, affected systems, and observable impact), and categorization within one hour. Incident logs, maintained by the GM, are at the heart of recordkeeping for audits. Quarterly reviews, root cause analyses, and post-incident updates ensure both ongoing effectiveness and responsiveness to emerging threats. The document also details training and awareness requirements for all staff, onboarding, refresher sessions, and mandatory reporting expectations. Enforcement provisions mandate that all entities, including third parties, comply fully: failures or protocol violations may result in warnings, revocation, contractual penalties, or removal from vendor lists. All evidence and logs must be retained for at least one year and provided for audits as required. Comprehensive review mechanisms ensure the policy remains aligned to evolving standards, regulatory changes, and operational shifts, remaining responsive and relevant for SMEs.