An incident response plan is
“[a] set of predetermined and documented procedures to detect and respond to a cyber incident.”
“[t]he documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of a malicious cyber attacks against an organization's information system(s).”
The response should be measured first and foremost against the "service being provided," not just the system that was compromised. If an incident is discovered, a quick risk assessment should be performed to evaluate the effect of both the attack and the options to respond. For example, one possible response option is to physically isolate the system under attack. However, this may have such a dire impact on the service that it is dismissed as not viable.