Establish an Incident Management Plan

Andee Gale

An incident management plan outlines processes for your business to deal with a cyber security breach, including what constitutes a breach and who should be contacted if one occurs.

Being able to identify and contain a cybersecurity incident quickly is critical. Swift action minimises disruption, reduces reputational harm, and ensures you meet your legal and regulatory obligations — including the Privacy Act 2020 and ST4S requirements.

Cyber threats are constantly evolving. Even with strong protections in place, breaches will occur, so every organisation needs to be ready. What matters is how prepared you are to detect, triage, and respond.

What Does Incident Management Involve?

A mature Incident Response (IR) framework has five stages (you will need these documented for ST4S):

1️⃣ Prepare & Prevent (ST4S: Governance & Security Policy)

Preparation is your strongest defence. Start by:

  • Conducting a cyber risk assessment and mapping your critical assets (especially systems handling student or school data).

  • Developing a Cybersecurity Policy that defines roles, responsibilities, escalation paths, and reporting forms. This can be part of your Security Policy.

  • Maintaining an up-to-date incident register to log all events (online or offline).

  • Rehearsing scenarios through tabletop exercises.

👉 See our [Emergency Incident Checklist] for practical questions to guide your planning.

2️⃣ Monitor & Detect (ST4S: Threat Protection & Monitoring)

Detection depends on both technology and people. Put in place:

  • Automated alerts from intrusion detection/prevention systems (IDS/IPS), EDR, or SIEM (Security Information and Event Management) tools.

  • User reporting channels for lost/stolen devices, suspicious emails, or odd account activity — and a culture that encourages staff to report quickly without fear of blame.

  • Threat intelligence monitoring, including sector-specific alerts (e.g., CERT NZ, product security notices).

  • Tracking high-profile breaches locally and globally to ask: “Could this affect us?”

3️⃣ Triage (ST4S: Incident Response)

This decision point determines how you handle the incident:

  1. Categorise – How severe is the incident? Does it involve personal/student data?

  2. Prioritise – Is urgent escalation required, or can it be contained locally?

  3. Assign – Who is responsible for the resolution and by when? Ensure responsibilities are clear across technical, management, and legal teams.

4️⃣ Respond (ST4S: Containment & Recovery)

Your response will often involve three layers:

  • Technical Response: contain malicious activity, reset credentials, isolate affected systems, patch vulnerabilities, coordinate with vendors, and gather forensic evidence.

  • Management Response: communicate with staff, affected schools, and customers. Approve containment and remediation actions.

  • Legal/Compliance Response: assess whether reporting obligations apply under the Privacy Act 2020, Ministry requirements, or contractual obligations with schools. Engage the NZ Police if fraud or cybercrime is involved.

👉 Coordinate across all layers to ensure messaging, containment, and compliance are aligned.

5️⃣ Resolve & Review (ST4S: Continuous Improvement)

Once the incident is closed:

  • Root cause analysis – determine what caused the breach (technical flaw, human error, or third-party weakness).

  • Systems/process improvements – update security controls, patch policies, and access reviews.

  • Response review – evaluate how the incident was managed. Were escalation paths clear? Was communication effective?

  • Share learnings – anonymised insights can strengthen the wider EdTech and education community.

Final Thought

Incidents will happen!

The difference between a contained event and a crisis often comes down to how well your organisation has prepared. For EdTech providers, the stakes are higher: protecting student data, maintaining service continuity for schools, and meeting ST4S standards of trust and resilience.

By preparing, monitoring, triaging, and reviewing, you’ll be ready not just to survive incidents — but to learn from them and strengthen your defences for the future.