Ga naar inhoud

ISO 27001 ·

Ransomware playbook for SMEs: first hours and audit evidence

June 2026. Ransomware incidents at SMEs remain weekly news. Supervisors, insurers and enterprise customers ask not whether you have a playbook but whether you tested it recently and can demonstrate immutable backups.

First hour: containment

  • isolate affected systems — pull network, not only shutdown;
  • preserve logs and forensics — do not wipe attacker traces;
  • activate crisis team: IT, CISO, leadership, legal, PR;
  • assess GDPR/NIS2/contract notification — start in parallel.

First day: recovery and communication

Decide whether restore from immutable/offline backup is possible — not whether you pay. Document the decision. Inform chain partners per contract. Keep a timeline for later investigation and audit.

Prevention auditors sample

  1. MFA on remote access and admin — no exceptions.
  2. Offline/immutable backup + tested restore within RTO.
  3. Phishing awareness and reporting — metrics in management review.
  4. Patch and vulnerability SLA for internet-facing systems.

Link to incident management, BCM and ISMS. Exercise tabletop annually; record lessons in improvement register.

In 2026 insurers and customers explicitly ask for immutable backups and admin account segregation. Without that evidence premiums rise or contracts fail at renewal.

Aftermath and lessons learned

After recovery: root cause analysis, insurance and legal follow-up, customer communication and playbook update. Auditors and insurers ask about that phase — not only containment. Record payment decision (if considered) with board decision; never IT alone.

Test restore quarterly for one critical system on rotation — not annually everything at once. Document each test in the same register as BCM exercises.

Segmentation and least privilege limit blast radius — plan network and identity segmentation as follow-up when playbook basics are in place.

Next steps in your ISMS

Turn this article into one concrete action in your risk register or improvement plan: owner, deadline, expected evidence. Discuss progress in the next management review — auditors and chain partners want decisions, not policy intent alone. Link where possible to existing ISO 27001, NIS2 or GDPR documentation so you do not maintain parallel folders.

Questions on scope, certification or chain requirements? Use our readiness overview and knowledge base for deeper guidance. This article does not replace legal or audit advice for your situation.

Share relevant findings briefly with line management and procurement — compliance becomes workable when the whole organisation recognises the same priorities. Repeat the chosen action quarterly in team meetings and update evidence locations in your SoA or control plan so surveillance samples are easy to answer.

What to do this week

Pick one concrete action from this article, assign an owner and add it to your risk or improvement register with a deadline. Share briefly in team meetings so compliance is something the line recognises. Repeat quarterly in management review so leadership sees progress, not only intent.

Note: this article is educational and does not replace legal, privacy or audit advice for your specific situation.

Evidence and governance

Record who owns the measures in this article and how you prove operation in the sample period — logs, tickets, approved changes or exercise reports. Certification bodies and chain partners do not accept intent without samples. Link evidence locations to your SoA or control plan so internal and external audit use the same sources.

Chain and contracts

Many 2026 requirements come via customers, not only formal law scope. Align contract SLAs with your ISMS: incident notification, audit rights, patch timelines and exit. Document where contract is stricter than internal policy — management review must explicitly accept that gap or plan investment.

Continual improvement

Plan a short quarterly review: what worked, which near-miss stood out, which control needs extra attention? Record three improvement actions with owners — that is what ISO 27001, NIS2 and GDPR supervision want to see: PDCA in practice, not paper only.

Knowledge base and readiness

For deeper guidance see our knowledge base on ISMS, ISO 27001, NIS2 and GDPR. Use the readiness overview to compare priorities with your current maturity. This article is educational; engage specialists for legal or audit decisions.

Evidence and governance

Record who owns the measures in this article and how you prove operation in the sample period — logs, tickets, approved changes or exercise reports. Certification bodies and chain partners do not accept intent without samples. Link evidence locations to your SoA or control plan so internal and external audit use the same sources.

Deep dive in the knowledge base

Continue in ISO Ready

Manage actions, risks and evidence in one line of sight toward certification.

Visit ISO Ready

← Back to overview