When It Applies

Not For

• Replacing incident-response advice, cyber-forensics, notification decisions, insurance advice, or legal advice about a specific breach.

Documents

• Incident timeline
• System logs
• Screenshots
• Data-type list
• Affected-person estimate
• POPIA policy
• Operator agreements
• Vendor notices
• Insurance policy
• Notification drafts
• Question list

Timeline

• Immediately: contain the incident and preserve evidence.
• Before consultation: identify data types, affected people, vendors, and decision-makers.
• During consultation: confirm notification and remediation route.
• Afterwards: maintain an incident log and save notices.

Tips

• Keep a decision log from the first day.
• Separate confirmed facts from assumptions.
• Do not delete logs or tickets casually.
• Coordinate legal, IT, insurer, and communications steps.

Warning Signs

• ID numbers, financial data, health data, children data, employee files, legal files, passwords, or large datasets may be involved.
• A vendor or attacker is involved.
• The incident is public or customers are asking questions.
• There is no information officer or incident owner identified.