What is an incident response plan and its typical phases for Annex B?

Prepare for the DSAC-11 Annex B Test. Study with our quiz featuring flashcards and multiple-choice questions, each question accompanied by hints and explanations. Get ready to excel!

Multiple Choice

What is an incident response plan and its typical phases for Annex B?

Explanation:
An incident response plan is a documented process for detecting, responding to, and recovering from security incidents, providing a structured approach so teams know what to do, who to contact, and how to restore operations while preserving evidence. The typical phases give that lifecycle a clear path: preparation sets up the team, tools, communication channels, and escalation criteria; detection and analysis involve monitoring, identifying incidents, and assessing their impact; containment aims to limit the spread and preserve evidence; eradication removes the root cause and cleans affected systems; recovery focuses on restoring services to normal and validating that systems are secure; and finally, lessons learned captures insights, updates to the plan, and actions to prevent recurrence. This framing explains why the option describing a comprehensive, documented process with these phases is the best choice. The other options describe things unrelated to incident response, such as marketing-related plans, hardware-only plans, or ignoring incidents, which do not provide a coordinated security response.

