First-Hour Incident Checklist + Communications Template
A practical first-hour playbook for small organisations: contain, preserve, decide, and communicate with less chaos.
Goal
Reduce decision delay in the first hour of an incident by defining the first actions, key roles, and basic communications flow in advance.
1) First-hour checklist
- Contain: isolate affected accounts, devices, or systems if that is safe to do.
- Preserve: keep evidence before wiping, rebuilding, or making major changes.
- Decide: confirm who leads, who approves, and what the immediate recovery priority is.
- Communicate: use one owner for facts and messages.
- Record: note what happened, what was done, and what still needs deciding.
2) Roles to pre-assign
| Role | Name / owner | What they decide / do |
| --- | --- | --- |
| Incident lead | | Owns the operational response and next actions. |
| Business approver | | Approves material actions and business-impact decisions. |
| Technical responder | | Runs containment, investigation, and recovery tasks. |
| Comms owner | | Controls internal and external messaging. |
3) Internal communications template
Subject: [Incident update] [System / issue] - initial note
What we know:
• [Short factual summary]
What we are doing now:
• [Containment / investigation / recovery steps]
What staff should do:
• [Pause action / avoid clicking / use backup process / contact point]
Next update:
• [Time / trigger for next communication]
4) Questions to ask during the first hour
- What is affected and what is not affected?
- What is the business impact if we do nothing for the next 30 minutes?
- What evidence must we preserve before making bigger changes?
- Who decides the recovery order?
- What do staff/customers/vendors need to know right now, if anything?
5) Common gotchas
- Multiple people messaging in parallel with different facts.
- Accounts/devices rebuilt before evidence is captured.
- Recovery order debated mid-incident instead of pre-decided.
- No current contact list for key people/providers.
Note: This document is general operational guidance and does not replace legal advice. It helps you establish a practical baseline and reduce common privacy risks.