Free Cybersecurity Incident Response Plan

An internal plan template aligned with POPIA s 22 and the Cybercrimes Act 19 of 2020. Fill in your contacts now, so a live breach isn’t the first time you go looking for them.

Written by Martin Kotze, Attorney, Conveyancer & Notary Public

Quick answer

This is a template internal Cybersecurity Incident Response Plan, aligned with section 22 of POPIA and the Cybercrimes Act 19 of 2020. You adopt it as a company policy and keep it within reach before an incident happens. It captures your key contacts (incident lead, Information Officer, IT/security, legal, the Information Regulator and SAPS), severity levels, and a clear six-step response — detect and report, contain, assess, notify, recover, and review — with the legal notification timelines built in. Complete the [ ● ] contact fields now; in a real incident the clock starts the moment you become aware. It is a starting point, not legal advice.

What’s in the plan

  • Key-contact directory — incident lead, Information Officer, IT/security, legal
  • Information Regulator + SAPS / cybercrime reporting details
  • A working definition of an “incident” under POPIA s 22 + the Cybercrimes Act
  • Severity levels (High / Medium / Low) with the response for each
  • Step 1 — Detect and report (this starts the legal notification clock)
  • Step 2 — Contain (isolate systems, revoke credentials, preserve evidence)
  • Step 3 — Assess the scope and which data is affected
  • Step 4 — Notify the Information Regulator + data subjects, and SAPS where required
  • Step 5 — Recover and restore systems safely
  • Step 6 — Review and harden controls afterwards
  • An incident log to record who, what and when from the moment of discovery

What it’s not

A plan template is a starting point, not a substitute for an attorney or a security team. It doesn’t cover:

  • A technical security architecture or a full ISO 27001 / NIST programme.
  • A POPIA-wide compliance audit — use the POPIA Compliance Audit Checklist for that.
  • Tailored regulatory notifications for regulated sectors such as financial services or health.

In the middle of an incident?

If you have a live security compromise involving personal information, the POPIA s 22 and Cybercrimes Act notification clocks are already running. Get the contacts in place now — and if you need help with the notification itself, email us or read our POPIA Compliance Audit Checklist.

Why you can trust this: Martin Kotze has been an admitted Attorney of the High Court of South Africa, registered Conveyancer, and Notary Public since 2014, practising from Pretoria. The firm is regulated by the Legal Practice Council under firm registration F17333.

This guide is general information, not legal advice for your specific matter.