
Emergency Incident Checklist

Andee Gale —

This checklist covers the essential questions and actions to guide your immediate response when a cybersecurity incident occurs.

When a cybersecurity incident strikes, speed, clarity and sound decision making matter the most. The questions you ask in the first minutes and hours will shape your entire response.

This checklist is designed for EdTech providers, helping you act quickly, protect sensitive data, and meet compliance obligations under the Privacy Act 2020 and ST4S requirements.

Remember: this checklist is just one part of a wider process. You should already have thought through these points:

  • Prevention (policies, training, technical controls)

  • Detection & Monitoring (threat detection, alerting, logging)

  • Triage & Containment (scoping the incident, limiting impact)

  • Resolution & Recovery (system restoration, service continuity)

  • Post-Incident Review (root cause analysis, lessons learned)

👉 For EdTech providers, incidents often involve student data, integrations with school systems, and cloud-based services. Your plan should consider these unique contexts.

Emergency Incident Checklist

(please add to this if you feel it needs more info)

1️⃣ Engage the Right Experts Immediately

  • Do you have a trusted partner who can help here (such as an upstream tech business), or a team that is well versed in what to do, whether that is stopping access to a service or taking an online service offline?

  • ST4S link: Providers must demonstrate they have appropriate escalation and incident management processes in place.

2️⃣ Communication With Affected Customers

  • Can you quickly contact affected schools or partners?

  • Do you know the extent of the breach? Is it just one school or one dataset?

  • What information will you provide — and how soon? Transparency builds trust, but accuracy is critical.

  • BUT most important is step 3:

3️⃣ Immediate Containment Actions

  • Determine what the issue is, then consider the options below.

  • Can you reset affected user credentials?

  • Can you suspend or isolate compromised accounts or systems?

  • Do you have the ability to remotely wipe or lock lost/stolen devices?

  • Should you temporarily suspend services to prevent further damage?

  • For EdTech: consider stopping integrations with other providers, e.g. SMS or Learning Management Systems (LMS).

4️⃣ Regulatory & Legal Obligations

  • Does this incident meet the threshold for mandatory reporting to the Office of the Privacy Commissioner (OPC) under the Privacy Act 2020?

  • Are there Ministry of Education requirements for notifying breaches involving schools or student data?

  • Do your contracts with schools require you to report breaches within a specific timeframe?

5️⃣ Roles & Responsibilities

  • Who is leading the incident response — technical lead, senior management, or both?

  • Is your call tree up to date, including after-hours mobile numbers?

  • Do you have a designated liaison for affected customers (schools) and a separate one for regulators?

6️⃣ Internal & External Coordination

  • Do you have a dedicated communications channel for your response team?

  • Are system logs, alerts, and evidence being collected and preserved for forensic investigation?

  • Have you identified which third-party providers (cloud hosts, SMS vendors, payment gateways) need to be looped in?

7️⃣ Comms Management

  • Do you have staff who can respond to enquiries? Enquiries can be pretty demanding when this occurs.

  • Social media can amplify reputational damage quickly. Do you have a plan to control the messaging?

  • Be prepared for school principals, parents, and teachers to share concerns on social platforms — clear, coordinated communication is essential.

Final Thought

An incident response checklist is not a substitute for a full incident management plan, but it gives you a few ideas to think through. For EdTech providers, the stakes are always higher: student privacy, regulatory compliance, and trust with schools are on the line.

No doubt, and ST4S will ask for this, you will need an Incident Management Plan.

🛑 Tip: Comms is absolutely critical here. From my experience, this is where damage can be significant if it isn't handled well.