Skip to main content

Incident Response Policy

Effective: 21 April 2026|
v1.0
Download PDF
Also available in:Turkish (TR)

Incident Response Policy

Effective date: 12 March 2026  |  Version: 1.0

This policy governs SummitBridge Horizon Ltd's response to security incidents, aligned with ISO 27035 (incident management) and the NIS2 Directive Article 23 reporting obligations.

1. Reporting Timeline

TimelineActionRecipient
T+0Incident detected, triaged, and classified internallyIR team / Director
T+1 hourP1/P2 customer notification with known facts, impact summary, and next stepsAffected customers
T+24 hoursEarly warning for significant incidents (NIS2 Art. 23(1)(a))NCSC / relevant EU-CERT / CSIRT
T+72 hoursFull incident notification including impact assessment, IoCs, and affected data categoriesICO (if personal data breach) + CSIRT + affected customers
T+30 daysFinal incident report: root cause analysis, remediation measures, recommendationsCSIRT + all affected customers

2. Incident Classification

Significant incident (NIS2 Art. 3 definition): An incident causing availability disruption affecting more than 10% of service users, OR a breach of confidentiality or integrity of systems or data that has significant impact. NIS2 reporting obligations apply.

Personal data breach (UK GDPR Art. 4(12)): Any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. ICO notification required within 72 hours if the breach is likely to result in risk to individuals' rights and freedoms.

3. Incident Response Phases

  1. Preparation: Maintain IR contacts list, communication templates, and response runbooks; quarterly training exercises
  2. Detection and Analysis: Confirm the incident; classify severity; identify affected systems, data, and users; preserve evidence
  3. Containment: Isolate affected systems; revoke compromised credentials; block threat actor IPs/domains; preserve forensic state before remediation
  4. Eradication: Remove malware, close attack vectors, patch vulnerabilities; verify no persistence mechanisms remain
  5. Recovery: Restore systems from clean backups; verify integrity; conduct smoke testing; gradual return to service
  6. Post-Incident Review: Within 5 business days — root cause analysis, timeline reconstruction, lessons learned, remediation tracking

4. Evidence Preservation

Forensic copies of affected systems (disk images, memory dumps, log exports) are taken before any containment or eradication activity wherever operationally feasible. Chain of custody is documented for any evidence that may be required in regulatory or legal proceedings. Forensic evidence retained for a minimum of 12 months, or longer if proceedings are anticipated.

5. Communications Protocol

All external communications about a security incident (customers, media, regulators) require Director approval. No staff member may disclose incident details publicly without authorisation. Customer communications use pre-approved templates tailored to the specific incident. Social media statements require Director sign-off.

6. Annual IR Exercises

SummitBridge conducts: (a) a tabletop incident response exercise annually testing notification timelines and decision-making; (b) a full simulation exercise annually testing containment, recovery, and communication procedures. Exercise results are documented and used to update IR procedures.

7. Subcontractor and Sub-Processor Obligations

All sub-processors are contractually required to: notify SummitBridge of security incidents affecting Customer data within 24 hours; cooperate fully with the IR process; provide forensic evidence as requested within 48 hours.

This document is maintained by SummitBridge Horizon Ltd (Companies House: 16419201). For questions, contact [email protected].