How to Create a NESA Compliant Incident Response Plan for Your UAE Small Business
On a Thursday afternoon, a 15-person Abu Dhabi engineering firm’s systems go dark. Screens show a ransomware message demanding AED 200,000 in Bitcoin within 72 hours. The IT person — a part-time contractor — is unreachable. Nobody knows who to call, what to do first, or how to report the incident to authorities. While the team scrambles, the attackers exfiltrate 3 years of project data. With a documented incident response plan, the first 60 minutes would have been different: specific people called, specific actions taken, specific authorities notified. The plan doesn’t prevent the attack — it prevents the chaos that turns an incident into a catastrophe.
This guide walks you through creating a NESA-compliant incident response plan that works for a small UAE business — practical, actionable, and lean enough to actually use.
Table of Contents
- NESA IR Requirements
- Plan Structure
- Incident Classification
- Response Phases
- Contact List Template
- Reporting Requirements
- Incident Playbooks
- Testing Your Plan
- IR Tools for Small Business
- FAQ
- Conclusion
NESA Incident Response Requirements
| NESA Control | Requirement | What This Means for Small Business |
|---|---|---|
| T6.1 | Documented incident response procedures | Written IR plan covering detection, containment, eradication, recovery |
| T6.2 | Incident response team and responsibilities | Named individuals with specific roles (even if wearing multiple hats) |
| T6.3 | Incident classification and prioritization | Severity levels (Critical/High/Medium/Low) with defined criteria |
| T6.4 | Incident reporting to aeCERT/TDRA | Report critical incidents to aeCERT within timelines specified |
| T6.5 | Incident investigation and forensics | Process for evidence collection and root cause analysis |
| T6.6 | Lessons learned and plan improvement | Post-incident review; update plan based on findings |
| T6.7 | Regular testing and exercising | Annual tabletop exercise at minimum; test contact lists quarterly |
The control numbers in this table are this guide's working summary. Before an audit, check each row against the current edition of the NESA UAE Information Assurance Standards and record the exact control references in section 1 of your plan, so the mapping survives a change of auditor or a revision of the standard.
Incident Response Plan Structure
| Section | Contents | Pages |
|---|---|---|
| 1. Purpose & Scope | What the plan covers; which systems/data; applicable regulations | 1 |
| 2. Roles & Responsibilities | IR team members; their roles; authority levels; escalation path | 1-2 |
| 3. Incident Classification | Severity levels; classification criteria; examples | 1 |
| 4. Response Procedures | Step-by-step for each phase: detect, contain, eradicate, recover | 3-5 |
| 5. Communication Plan | Internal notification; external reporting; customer communication; media handling | 1-2 |
| 6. Reporting Requirements | aeCERT reporting; regulatory notification; client notification timelines | 1 |
| 7. Incident Playbooks | Specific procedures for: ransomware, BEC, data breach, DDoS | 4-6 |
| 8. Contact List | Internal team; external support; aeCERT; cyber insurance; legal; forensics | 1 |
| 9. Evidence & Documentation | What to collect; how to preserve; chain of custody; reporting templates | 1-2 |
| 10. Testing & Maintenance | Testing schedule; exercise format; plan review/update frequency | 1 |
| Total | | 15-25 pages |
Incident Classification Matrix
| Severity | Criteria | Response Time | Examples |
|---|---|---|---|
| Critical (P1) | Active breach with data exfiltration; ransomware active; complete system outage; life safety impact | Immediate (within 15 minutes) | Ransomware encrypting files; confirmed data leak; all systems down |
| High (P2) | Potential breach under investigation; partial system outage; malware contained but present; unauthorized access confirmed | Within 1 hour | Compromised account detected; malware on server; website defacement |
| Medium (P3) | Suspicious activity; a single user's credentials possibly exposed (e.g., phishing link clicked) but no confirmed unauthorized access and no data accessed | Within 4 hours | User clicked phishing link; suspicious login from unusual location; malware on a single workstation, already contained |
| Low (P4) | Policy violation; spam increase; failed login attempts; vulnerability discovered (unexploited) | Within 24 hours | New vulnerability in software; minor policy violation; spam campaign targeting org |
Six-Phase Response Process
Phase 1: Detection & Identification (First 15 Minutes)
| ☐ | Action | Who |
|---|---|---|
| ☐ | Identify the incident source and type | First responder (whoever discovers it) |
| ☐ | Classify severity using matrix above | IR Lead / IT admin |
| ☐ | Document: time discovered, who found it, initial symptoms, affected systems | First responder |
| ☐ | Alert IR Lead (or owner if no dedicated IR Lead) | First responder |
| ☐ | Start incident log (time-stamped record of all actions) | IR Lead |
Phase 2: Containment (First 1-4 Hours)
| ☐ | Action | Who |
|---|---|---|
| ☐ | Short-term containment: isolate affected systems (pull the network cable, disable the switch port, or isolate from the EDR console; don't power off, so memory contents and running processes stay available to forensics) | IT / IR Lead |
| ☐ | Preserve evidence: take screenshots, note running processes, don’t reboot | IT |
| ☐ | Reset credentials for affected accounts (change passwords, revoke sessions) | IT |
| ☐ | Assess scope: how many systems affected? What data could be impacted? | IR Lead + IT |
| ☐ | Notify cyber insurance provider (P1/P2 incidents; check the notice window in your policy, assumed here to be 24 hours, because late notice can jeopardise the claim) | Business owner / IR Lead |
| ☐ | Engage external forensics if needed (P1 incidents — contact from provider list) | IR Lead |
Phase 3: Eradication (Hours 4-48)
- Identify root cause: How did the attacker get in? What vulnerability was exploited?
- Remove threat: malware removal, patch vulnerability, close unauthorized access
- Verify removal: scan all systems; check for persistence mechanisms (scheduled tasks, startup items, backdoor accounts)
- Review other systems: check for lateral movement — did the attacker spread to other machines/accounts?
Phase 4: Recovery (Hours 48-168)
- Restore systems from clean backups (validate backup integrity and confirm the backup predates the attacker's initial access; a backup taken after the compromise restores their foothold along with your data)
- Rebuild compromised systems from scratch if root cause is unclear
- Monitor restored systems closely for 72+ hours for re-infection
- Gradually restore services: critical systems first, then secondary
- Verify all data integrity before declaring systems operational
Phase 5: Notification & Reporting (Concurrent with Above)
- Report to aeCERT per reporting requirements (see section below)
- Notify affected individuals if personal data breached (per PDPL/DIFC/ADGM)
- Notify clients if their data was affected (per contractual obligations)
- Document all notifications: who, when, what was communicated
Phase 6: Lessons Learned (Within 2 Weeks Post-Incident)
- Conduct post-incident review meeting with all involved parties
- Document: what happened, timeline, what worked, what didn’t, improvement actions
- Update IR plan based on findings
- Implement additional controls to prevent recurrence
- Share relevant lessons with all staff (without sensitive details)
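Step 5 of Phase 1 and the evidence section both call for a time-stamped incident log, and a forensic firm, insurer or regulator will eventually ask whether that log could have been edited after the fact. The Python below is an added example for this guide (not a NESA or aeCERT artefact, and not code from the author) of an append-only, hash-chained log: each entry carries the SHA-256 of the previous entry, so any later edit, deletion or reordering breaks the chain and is detected on verification. The incident number, names, times and actions are constructed sample data.

```python
"""Tamper-evident incident log: append-only, UTC-timestamped, hash-chained.

Added example for this guide; it is not an aeCERT or NESA artefact. Each
entry records the SHA-256 of the previous entry, so editing, reordering or
deleting an entry after the fact breaks the chain and is detected by
verify(). The phases, actors and actions in build_sample_log() are
constructed sample data.
"""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # prev_hash of the first entry


def _entry_hash(entry: dict) -> str:
    """Hash the canonical JSON form so key order and whitespace cannot vary."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


class IncidentLog:
    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.entries: list[dict] = []

    def record(self, phase: str, actor: str, action: str, when: datetime | None = None) -> dict:
        """Append one action. `when` defaults to now; always stored as UTC."""
        ts = (when or datetime.now(timezone.utc)).astimezone(timezone.utc)
        entry = {
            "seq": len(self.entries) + 1,
            "incident_id": self.incident_id,
            "timestamp": ts.isoformat(timespec="seconds"),
            "phase": phase,
            "actor": actor,
            "action": action,
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = _entry_hash(entry)  # covers every field above, incl. prev_hash
        self.entries.append(entry)
        return entry

    def verify(self) -> tuple[bool, int]:
        """Return (True, 0) if the chain is intact, else (False, seq of first bad entry)."""
        prev = GENESIS
        for expected_seq, e in enumerate(self.entries, start=1):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != expected_seq or e["prev_hash"] != prev or _entry_hash(body) != e["hash"]:
                return False, expected_seq
            prev = e["hash"]
        return True, 0

    def to_jsonl(self) -> str:
        """One JSON object per line: easy to hand to a forensic firm or regulator."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def build_sample_log() -> IncidentLog:
    """Constructed walk through the six phases for a fictitious ransomware case."""
    t0 = datetime(2024, 3, 14, 13, 5, tzinfo=timezone.utc)  # constructed discovery time
    log = IncidentLog("INC-2024-001")
    steps = [
        ("1 Detection", "A. Saeed (first responder)", "Ransom note on FS01; classified P1"),
        ("2 Containment", "IT contractor", "FS01 unplugged from switch port 12; not powered off"),
        ("2 Containment", "IR Lead", "Cyber insurer hotline notified; claim reference pending"),
        ("3 Eradication", "Forensics firm", "Root cause identified and closed; no lateral movement found"),
        ("4 Recovery", "IT contractor", "FS01 rebuilt; data restored from 13 Mar 02:00 backup"),
        ("5 Notification", "IR Lead", "aeCERT report sent to incident@aecert.ae"),
    ]
    for i, (phase, actor, action) in enumerate(steps):
        log.record(phase, actor, action, when=t0 + timedelta(minutes=20 * i))
    return log


def tamper_demo() -> tuple[bool, int]:
    """Silently rewrite entry 2 after the fact; verify() must catch it."""
    log = build_sample_log()
    log.entries[1]["action"] = "FS01 powered off"
    return log.verify()


def deletion_demo() -> tuple[bool, int]:
    """Drop entry 2; the sequence skips and entry 3's prev_hash no longer matches."""
    log = build_sample_log()
    del log.entries[1]
    return log.verify()


if __name__ == "__main__":
    sample = build_sample_log()
    print(sample.to_jsonl())
    print("intact:", sample.verify(), "tampered:", tamper_demo(), "deleted:", deletion_demo())
```

Keep the JSONL file outside the affected systems (a cloud document or the IR team's backup chat channel), and export the final hash of the chain into the post-incident report so the copy you hand over can be checked against it.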
Emergency Contact List Template
| Contact | Name | Phone | When to Call |
|---|---|---|---|
| IR Lead / Business Owner | [Name] | [Mobile] | All incidents (P1-P4) |
| IT Administrator / MSP | [Name / Company] | [Mobile + Office] | All incidents requiring technical response |
| Cyber Insurance Hotline | [Insurer] | [24/7 Claims Hotline] | P1 and P2 incidents — within 24 hours |
| Legal Counsel | [Firm / Lawyer] | [Mobile + Office] | P1 incidents; any data breach involving personal data |
| Forensic Investigation Firm | [Company] | [24/7 Hotline] | P1 incidents; suspected data exfiltration |
| aeCERT (UAE CERT) | National Computer Emergency Response Team | +971 2 677 0997 / incident@aecert.ae | P1 and P2 incidents — per NESA reporting requirements |
| Dubai Cyber Security Center | DESC | 800-CYBER (29237) | Incidents affecting Dubai-based operations |
| Police (Cybercrime) | Abu Dhabi / Dubai Police | 999 / eCrime portal | Criminal activity (fraud, extortion, theft) |
UAE Incident Reporting Requirements
| Authority | When to Report | Timeline | How |
|---|---|---|---|
| aeCERT / TDRA | Critical security incidents affecting essential services or significant data breach | Within 6 hours (critical) / 24 hours (high) | Email: incident@aecert.ae or online portal |
| UAE Data Protection Authority | Personal data breach affecting UAE residents | Within 72 hours of awareness | Per PDPL notification procedure |
| DIFC Commissioner | Personal data breach affecting DIFC data subjects | Within 72 hours | DIFC data protection notification form |
| ADGM Commissioner | Personal data breach affecting ADGM data subjects | Without undue delay (typically 72 hours) | ADGM notification procedure |
| CBUAE | Cyber incidents affecting financial services | As per CBUAE framework (typically same business day) | CBUAE incident reporting channel |
| DOH Abu Dhabi | Incidents affecting healthcare data | Per DOH cybersecurity requirements | DOH reporting portal |
Treat these timelines as a planning baseline, not legal advice: the PDPL, DIFC and ADGM regimes word their breach notification duties differently, so confirm the exact wording for each regime you fall under with counsel (that is what section 7 engages legal for) and cite the source next to each deadline in the plan.
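The classification matrix above and this reporting table both start clocks at the moment of discovery, and during a live incident nobody should be working out "awareness plus 72 hours" in their head. The Python below is an added example for this guide, not a NESA, aeCERT or regulator tool: it encodes the matrix's P1-P4 criteria and the deadlines from the two tables (aeCERT 6 hours for P1 and 24 hours for P2, insurer 24 hours, data protection regulator 72 hours) and lists what is due in chronological order, marking which notifications the guide treats as mandatory (aeCERT only for regulated sectors, per the FAQ). Those windows are the guide's own figures taken here as assumptions to confirm against current regulation and your policy wording; the scenarios are constructed.

```python
"""Severity triage and notification deadlines for one incident.

Added example for this guide, not an official NESA, aeCERT or regulator
tool. classify() applies the article's P1-P4 matrix; triage() applies the
article's reporting table (aeCERT 6 h for P1 and 24 h for P2, 72 h to the
data protection regulator where personal data is involved, insurer within
24 h). Those figures are assumptions to confirm against the current
regulation text and your policy. The scenarios below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class IncidentFacts:
    # P1 criteria
    data_exfiltration_confirmed: bool = False
    ransomware_active: bool = False
    complete_outage: bool = False
    life_safety_impact: bool = False
    # P2 criteria
    unauthorized_access_confirmed: bool = False
    partial_outage: bool = False
    malware_present_contained: bool = False
    # P3 criteria (odd login, phishing link clicked, single-device malware)
    suspicious_activity: bool = False
    # who else must hear about it
    personal_data_involved: bool = False
    regulated_sector: bool = False  # finance, health, energy, telecoms, government contracts


RESPONSE_SLA = {
    "P1": timedelta(minutes=15),
    "P2": timedelta(hours=1),
    "P3": timedelta(hours=4),
    "P4": timedelta(hours=24),
}
AECERT_WINDOW = {"P1": timedelta(hours=6), "P2": timedelta(hours=24)}  # article's table
INSURER_WINDOW = timedelta(hours=24)   # "per policy": check yours
REGULATOR_WINDOW = timedelta(hours=72)  # PDPL/DIFC/ADGM per the article; confirm


def classify(f: IncidentFacts) -> str:
    """Most severe matching row wins, so the P1 checks come first."""
    if f.data_exfiltration_confirmed or f.ransomware_active or f.complete_outage or f.life_safety_impact:
        return "P1"
    if f.unauthorized_access_confirmed or f.partial_outage or f.malware_present_contained:
        return "P2"
    if f.suspicious_activity:
        return "P3"
    return "P4"


def triage(f: IncidentFacts, discovered: datetime) -> dict:
    """Severity plus deadlines (UTC), earliest first. The clock starts at discovery."""
    t0 = discovered.astimezone(timezone.utc)
    sev = classify(f)
    due = {"first_response": t0 + RESPONSE_SLA[sev]}
    mandatory = {"first_response"}
    if sev in AECERT_WINDOW:
        due["aecert"] = t0 + AECERT_WINDOW[sev]
        due["cyber_insurer"] = t0 + INSURER_WINDOW
        mandatory.add("cyber_insurer")
        if f.regulated_sector:  # otherwise voluntary for most small businesses (see FAQ)
            mandatory.add("aecert")
    if f.personal_data_involved:
        due["data_protection_regulator"] = t0 + REGULATOR_WINDOW
        mandatory.add("data_protection_regulator")
    ordered = dict(sorted(due.items(), key=lambda kv: kv[1]))
    return {"severity": sev, "due": ordered, "mandatory": mandatory}


def overdue(result: dict, now: datetime) -> list[str]:
    """Names of deadlines already missed at `now`, earliest first."""
    now = now.astimezone(timezone.utc)
    return [name for name, when in result["due"].items() if when < now]


def sample_ransomware_case() -> dict:
    """Constructed: ransomware encrypting files, personal data on the box, found 10:00 UTC."""
    facts = IncidentFacts(ransomware_active=True, personal_data_involved=True)
    return triage(facts, datetime(2024, 3, 14, 10, 0, tzinfo=timezone.utc))


def sample_phishing_click() -> dict:
    """Constructed: one user clicked a phishing link, nothing else confirmed."""
    facts = IncidentFacts(suspicious_activity=True)
    return triage(facts, datetime(2024, 3, 14, 10, 0, tzinfo=timezone.utc))


if __name__ == "__main__":
    for case in (sample_ransomware_case(), sample_phishing_click()):
        print(case["severity"])
        for name, when in case["due"].items():
            flag = "MANDATORY" if name in case["mandatory"] else "advisable"
            print(f"  {when.isoformat()}  {name:<28} {flag}")
```

Print the ordered list into the incident log at classification time; if the facts change (exfiltration is later confirmed, or personal data turns out to be involved), re-run it from the original discovery time, not from the moment you learned more.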
Incident Playbooks for Common Scenarios
Ransomware Playbook
- DO NOT PAY immediately — call cyber insurance first
- Isolate affected machines (network disconnect — DO NOT power off)
- Take photos of ransom screen
- Check if decryption key exists (nomoreransom.org)
- Call cyber insurance hotline (they’ll assign forensic team and negotiator)
- Assess: Are backups intact? When was last clean backup?
- Report to aeCERT within 6 hours
- Do not communicate with attackers unless directed by insurance/forensics team
- Restore from backups after eradication is confirmed
Business Email Compromise (BEC) — Money Sent
- Call your bank immediately — request wire recall (time-critical — first 24 hours)
- Report to police (eCrime portal or 999)
- Identify compromised account — was it your account or the sender’s?
- If your account: reset the password and revoke all active sessions; find and delete malicious inbox rules and forwarding (attackers routinely add rules that forward, hide or auto-delete mail so the victim never sees the replies); enable MFA
- Notify cyber insurance
- Review: When did the attacker gain access? What other emails did they read?
- Alert other contacts who may also be targeted
Data Breach — Personal Data Exposed
- Contain the breach — stop the data leak (close open port, fix vulnerability, disable compromised service)
- Assess scope — how many records? What data types? (Names, IDs, financial, health?)
- Engage legal counsel — determine notification obligations
- Notify regulators within 72 hours (PDPL / DIFC / ADGM as applicable)
- Prepare customer notification — clear, honest, actionable (what happened, what you’re doing, what they should do)
- Offer credit monitoring if financial data involved
- Document everything for regulatory compliance evidence
Testing Your Incident Response Plan
| Test Type | Frequency | Duration | What It Tests |
|---|---|---|---|
| Contact list verification | Quarterly | 30 minutes | Are all numbers current? Can you reach key people? |
| Tabletop exercise | Annual (minimum) | 2-3 hours | Walk through a scenario verbally; test decision-making and procedures |
| Functional exercise | Annual (recommended) | 4-8 hours | Simulate incident; team performs actual actions (without real impact) |
| Technical walkthrough | Semi-annual | 1-2 hours | Verify you can: isolate a system, restore from backup, access forensic tools |
| Full simulation | Optional / biennial | 1-2 days | Red team exercise; unannounced test; measures actual detection and response time |
IR Tools for Small Business
| Tool | Purpose | Cost |
|---|---|---|
| Incident log template | Time-stamped record of all actions during incident | Free (Google Doc/Sheet) |
| Network isolation capability | Kill switch to disconnect affected systems | Free (unplug cable; disable port) |
| Backup restore access | Ability to restore from last clean backup | Part of existing backup solution |
| EDR with isolation | Remote endpoint isolation from console | Part of EDR subscription |
| Password manager | Emergency credential reset capability | AED 15-30/user/year |
| Communication channel (backup) | Signal/WhatsApp group for IR team (if email compromised) | Free |
| USB forensic kit | Bootable USB for evidence collection (optional) | AED 200-500 |
FAQ: Incident Response for UAE Small Business
How long does it take to create an incident response plan?
For a small business: 2-5 days of effort using templates. Day 1: Download and customize IR plan template (NIST, SANS, or NESA-aligned). Day 2: Complete contact list; define roles and responsibilities. Day 3: Write incident playbooks (ransomware, BEC, data breach). Day 4: Create communication templates; define reporting procedures. Day 5: Review with team; conduct tabletop walkthrough. Using a consultant: AED 8,000-20,000 for a complete, custom IR plan delivered in 1-2 weeks. The plan doesn’t need to be long — 15-25 pages is sufficient for a small business.
Do small businesses in UAE need to report cyber incidents to aeCERT?
NESA requires critical infrastructure entities to report significant incidents to aeCERT. Most small businesses are not designated critical infrastructure. However: if you hold government contracts or are in a regulated sector (finance, healthcare, energy, telecoms), reporting may be required. Best practice for all businesses: report P1/Critical incidents to aeCERT regardless — it helps the national cybersecurity posture and you may receive assistance. Contact: incident@aecert.ae or call +971 2 677 0997. There is no penalty for reporting voluntarily; there can be consequences for not reporting when required.
What should I do in the first 15 minutes of a ransomware attack?
In order: (1) Don’t panic — follow the plan. (2) DO NOT pay the ransom immediately. (3) Isolate affected systems — disconnect from network (pull the cable, turn off Wi-Fi), but DO NOT power off (preserves forensic evidence). (4) Take a photo of the ransom screen. (5) Call your IR Lead or business owner. (6) Call your cyber insurance hotline. (7) Check: are backups accessible? When was the last backup? Is it infected? (8) Start the incident log — record everything with timestamps. The first 15 minutes determine whether you lose a day’s data or everything. Isolation is the single most important action.
Do I need an external forensic firm on retainer?
Retainer is ideal but not essential for every small business. Options: (1) Cyber insurance — most policies include pre-arranged forensic firm access (no retainer needed). (2) Retainer agreement — AED 10,000-25,000/year; guarantees 4-hour response time and pre-negotiated rates. (3) No retainer — engage forensic firm at time of incident; response may be slower (12-48 hours) and more expensive. Recommendation: if you have cyber insurance, verify their forensic response capability and save their hotline number. If no insurance, consider a retainer with a local firm for P1 incidents.
How often should we test the incident response plan?
Minimum: annual tabletop exercise (NESA T6.7 requirement). Recommended: quarterly contact list verification + annual tabletop + annual technical walkthrough (backup restore test, system isolation test). Optimal: all of the above + annual functional simulation. A tabletop exercise takes 2-3 hours: gather the IR team, present a scenario (e.g., “Ransomware hits at 10 PM — walk through every step”), identify gaps, update the plan. These exercises consistently reveal problems: outdated contact numbers, unclear roles, untested procedures. The cost of an exercise is zero; the cost of discovering gaps during a real incident is enormous.
About the Author
Khalid Al-Mansouri, GCIH is a GIAC certified incident handler with 15 years of experience managing cyber incidents for UAE organizations. He has developed incident response plans and led incident response teams for businesses ranging from 10 to 10,000 employees across the Middle East.
Conclusion
An incident response plan is the single most critical cybersecurity document for any UAE small business. It doesn’t prevent attacks — it prevents the chaos and costly mistakes that turn an incident into a disaster. Build yours in 2-5 days using templates: define roles, create a contact list, write playbooks for ransomware and BEC, and establish reporting procedures for aeCERT and data protection authorities. Test annually with a tabletop exercise. Keep the plan printed, accessible, and current. The businesses that survive cyber incidents aren’t the ones with the biggest security budgets — they’re the ones that responded correctly in the first 60 minutes because they had a plan and practiced it.
Get Your IR Plan
Free incident response plan template for UAE small businesses, pre-aligned to NESA requirements. Includes playbooks for ransomware, BEC, and data breach scenarios. Also available: guided IR plan development with tabletop exercise from AED 8,000.
