1. Describe what a cyber security incident response plan is used for (AC 1.1)
An Incident Response Plan (IRP) is a document that is followed when a cyber security incident happens. An IRP can either be a general guide on how to deal with any security incident, or an organisation can maintain several IRPs, each specific to a type of incident. For example, there might be one IRP for malicious code, another for DDoS, and others for phishing, unauthorised access, insider threats, data breaches or targeted attacks.

Every good IRP should include a checklist. The checklist is there to establish reliable facts and a way to stay informed, to mobilise a response, and to communicate what you know. It will contain questions such as "Who is reporting the problem?", "When did the breach occur?" and "Where did the breach occur?".

The document should be available in physical copy as well as digitally, in case some of the organisation's systems are down and the cloud server where the IRP is stored cannot be reached. Similarly, if the email server is down and other departments need to be told that the IRP has been invoked, a printed copy solves the problem: someone can take the document and walk it over to the department. The printed copy must be kept up to date with the digital one, otherwise the team could end up following a stale plan during an incident.

In simple terms, the IRP is used when an organisation is under a cyber attack: the IT team can open up the plan and it will tell them what to do. The plan will "help you make good decisions under the pressure of a real incident".