Incident Response Planning for Canadian Businesses — Baseline Control BC.1
What Incident Response Planning Means
An incident response plan (IRP) is a documented set of procedures your organization follows when a cybersecurity event occurs — whether that is a ransomware infection, a data breach, a phishing compromise, or unauthorized access to your systems. The Canadian Centre for Cyber Security (CCCS) designates incident response planning as BC.1, the first of its 13 Baseline Cyber Security Controls for Small and Medium Organizations (ITSM.10.089). This is not a coincidence: having a plan in place before an incident happens is foundational to every other security measure your organization implements.
This page summarizes what the CCCS recommends for incident response. It is educational content based on publicly available government guidance and is not professional cybersecurity advice. For your specific situation, consult a qualified professional.
What the Canadian Centre for Cyber Security Recommends
The CCCS Baseline Controls (ITSM.10.089) recommend that every small and medium organization develop and maintain an incident response plan. The plan should be documented, regularly tested, and known to all relevant personnel. The CCCS also publishes supplementary guidance in ITSAP.40.003 (Developing Your Incident Response Plan), which provides more detailed direction.
According to the CCCS guidance, an incident response plan should include:
- Defined roles and responsibilities — Identify who is in charge of coordinating the response, who communicates with stakeholders, who handles technical containment, and who manages legal and regulatory obligations.
- Contact lists — Maintain up-to-date contact information for your internal response team, your IT service providers, the Canadian Centre for Cyber Security, law enforcement, legal counsel, and your insurance provider.
- Classification criteria — Define what constitutes a cybersecurity incident versus a routine IT issue, and establish severity levels so your team can prioritize appropriately.
- Containment and eradication procedures — Document the steps to isolate affected systems, preserve evidence, remove the threat, and restore normal operations.
- Communication procedures — Outline how and when you will communicate with employees, customers, regulators, and the public during and after an incident.
- Recovery steps — Define how you will restore systems and data from backups, verify system integrity, and return to normal business operations.
- Post-incident review — After resolving an incident, conduct a lessons-learned review to identify what worked, what did not, and what changes to make to your plan.
ITSAP.40.003: Developing Your Incident Response Plan
The CCCS publication ITSAP.40.003 provides additional guidance on building an IRP. It emphasizes that the plan should be a living document — reviewed and updated regularly, not created once and forgotten. It also recommends that organizations practice their plans through tabletop exercises, where team members walk through a hypothetical incident scenario to identify gaps and improve coordination.
The CyberSecure Canada IRP Template
The CyberSecure Canada certification program, administered by Innovation, Science and Economic Development Canada (ISED), provides a structured framework that aligns with the CCCS Baseline Controls. As part of this program, ISED publishes a fillable incident response plan template — a downloadable Word document with section-by-section instructions. The template covers:
- Purpose statement — Why the plan exists and what it applies to
- Definitions — Key terms including indicators of compromise (IOCs), maximum tolerable downtime, and incident classification
- Cyber Security Incident Response Team (CSIRT) — Roles, responsibilities, and contact information
- Incident severity matrix — How to classify incidents by impact level
- Response phases — Detailed procedures for each stage of the response
- Document control — Version history and review schedule
- Testing plan — How and when the plan will be exercised
This template was designed specifically to help small and medium organizations meet the CyberSecure Canada certification requirements, but it is freely available and useful regardless of whether certification is being pursued. For a detailed walkthrough of how to use this template and build your plan step by step, see our guide: Building an Incident Response Plan for Your Canadian Business.
Why This Matters for Canadian Businesses
For Canadian small and medium businesses, incident response planning is not just a technical exercise — it has legal and regulatory dimensions. Under the Personal Information Protection and Electronic Documents Act (PIPEDA), organizations that experience a breach of security safeguards involving personal information are required to:
- Report the breach to the Office of the Privacy Commissioner of Canada (OPC) if it creates a real risk of significant harm to individuals.
- Notify affected individuals as soon as feasible after determining that a reportable breach has occurred.
- Keep records of all breaches of security safeguards, regardless of whether they meet the reporting threshold, for at least 24 months.
Without a pre-established incident response plan, organizations often struggle to meet these obligations within the required timelines. Delayed or inadequate breach notification can result in regulatory penalties and reputational damage.
Provincial privacy legislation — such as Alberta's PIPA and Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25) — may impose additional breach notification requirements depending on where your organization operates and where the affected individuals reside.
The Cost of Being Unprepared
Organizations without an incident response plan typically take longer to detect and contain breaches. Longer containment times generally translate to greater financial losses, more extensive data exposure, and more difficult recovery. Having a plan does not prevent incidents from happening, but it significantly improves how effectively your organization responds when they do.
How to Get Started
Building an incident response plan does not require a large budget or a dedicated security team. Here are practical steps for Canadian SMBs:
- Start with the CCCS guidance. Read the Baseline Controls document (ITSM.10.089) and the incident response planning guide (ITSAP.40.003), both available free on the CCCS website.
- Assign an incident response lead. Designate one person as the primary coordinator. In a small business, this might be the owner, a manager, or your most technically capable employee. The key is that someone is clearly responsible.
- Build your contact list. Compile emergency contacts including your IT provider, internet service provider, the CCCS (for reporting), local law enforcement, your legal counsel, and your cyber insurance provider if applicable.
- Document your critical assets. Identify which systems, data, and services are most important to your business operations. This helps you prioritize during an incident.
- Write down basic procedures. Even a one- or two-page document that describes what to do first, whom to call, and how to isolate an affected system is far better than nothing.
- Train your staff. Ensure all employees know the plan exists, know who to contact, and understand their role. Consider pairing this with security awareness training (BC.6).
- Test the plan annually. Run a tabletop exercise at least once per year. Pick a realistic scenario — such as a ransomware attack or a phishing-related data breach — and walk through your response steps.
- Review and update. After each test or real incident, update the plan to reflect lessons learned. Also update it whenever your IT environment changes significantly.
For a more comprehensive walkthrough covering the full incident response lifecycle, government resources, PIPEDA obligations, and testing strategies, read our detailed guide: Building an Incident Response Plan for Your Canadian Business.
Common Mistakes to Avoid
Based on the CCCS guidance and common observations in the Canadian SMB landscape, here are frequent mistakes organizations make with incident response planning:
- Not having a plan at all. Many small businesses assume they are too small to be targeted. The CCCS baseline controls exist precisely because organizations of all sizes face cyber threats.
- Creating a plan but never testing it. An untested plan is unreliable. Tabletop exercises reveal gaps in coordination, outdated contact information, and unclear procedures that look fine on paper but fail in practice.
- Keeping the plan in only one location. If your incident response plan is stored only on a server that gets encrypted by ransomware, you will not be able to access it when you need it most. Keep copies in multiple locations, including offline and printed copies.
- Forgetting about legal obligations. Many organizations focus exclusively on the technical response and overlook PIPEDA's breach notification requirements. Include legal and regulatory steps in your plan from the start.
- Not including non-technical staff. An incident response plan is not just for IT. It involves management, communications, legal, and potentially HR. All relevant parties should know their responsibilities.
- Failing to update the plan. Personnel change, systems change, and contact details change. A plan written three years ago with outdated information will cause confusion during a real incident.
Cybersecurity Canada is an independent resource and is not affiliated with, endorsed by, or connected to the Canadian Centre for Cyber Security, the Communications Security Establishment, or the Government of Canada.