Ransomware Decision Playbook: a one-page “who decides what” map you can use today
Response to a ransomware attack doesn’t usually fail because the team is lazy or unskilled. It fails because, under stress, decision rights get fuzzy. People hesitate. Meetings multiply. Everyone waits for the “real” owner to speak first. Meanwhile, operational disruptions spread.
Boards and executives feel this in a very specific way. You’re not trying to run keyboards. You’re trying to run governance for the incident response plan. Who can authorize a shutdown? Who can approve a public statement? Who tells the board what, and when?
This isn’t a technical guide. It’s a decision readiness guide for cybersecurity resilience. You’ll leave with a one-page ransomware decision playbook you can print today: a simple “who decides what” map that stays clear when the room gets tense.
Key takeaways: the Ransomware Incident Response Playbook in plain English
Name one Incident Manager with authority to run the room, oversee Incident Management, and end debates.
Pre-approve shutdown authority for Containment Procedures in defined scenarios (so you don’t vote while systems burn).
Define stop rules for paying (legal, sanctions, board notification triggers).
Assign one communications owner (everyone else routes messages through them).
Set escalation triggers to CEO and board liaison based on impact thresholds.
Keep a single source of truth (one incident log, one timeline, one decision record).
The one-page “who decides what” map: roles, decision rights, and escalation triggers
A ransomware attack is like smoke in a cockpit. It’s loud, confusing, and full of partial signals. The worst move is to turn every decision into a group discussion.
Your goal is a single sheet that answers three questions fast:
Who decides? (one owner for each high-impact call)
Who must be consulted? (inputs required before the owner decides)
When do we escalate? (clear triggers, not vibes)
Keep it to one page because long playbooks don’t get read in the first hour. This Ransomware Incident Response Playbook is not a RACI class. It’s a working tool.
What it should look like on paper
Top-left: incident name, date, Incident Manager, alternates.
Top-right: executive brief cadence (example: every 60 minutes).
Middle: decision table (the real engine of your Ransomware Decision Playbook).
Bottom: contact paths (internal, legal counsel, insurer, outside IR).
If you want a reference example of what a more detailed ransomware playbook can contain (beyond decision rights), the CIRO Ransomware Response Playbook (PDF) and the NMFTA Ransomware Playbook Template (PDF) are useful context.
Start with roles, not names: the minimum ransomware decision-making team
Keep the team small, and assign a primary and alternate for every role.
Incident Manager: runs the incident, sets pace, owns the decision log.
IT/Recovery Lead: restores systems, owns backup validation and recovery order.
Security Lead: confirms scope, containment, evidence handling, attacker behavior.
Legal/Compliance: privilege strategy, notification advice, regulatory compliance, contract and regulatory calls.
Comms Lead: internal updates, communication strategy, customer messaging, press statements, Q&A control.
Finance/Insurance: insurer notice, cost tracking, vendor approvals, cash decisions.
Executive Approver: approves high-impact calls (shutdown, public statement, pay).
Board Liaison: keeps the board informed, routes approvals, avoids side channels.
How to use the decision playbook in the first 24 hours of a ransomware incident
The first day is a sprint with four work streams from the Incident Response Plan running in parallel: containment, investigation, recovery, and communications/legal. The Ransomware Incident Response Playbook decision map keeps those streams from colliding.
What “good” looks like is simple: decisions happen once, fast, and get recorded. People don’t improvise authority. The board doesn’t get surprised. The organization speaks with one voice.
Don’t do this (common pitfalls):
Waiting for perfect certainty before isolating systems in a ransomware attack.
Letting every leader join every call, then calling it “alignment.”
Sharing updates from multiple sources (Slack, email, texts, and side calls).
Negotiating with an attacker before legal and insurer guardrails are set.
First hour: stabilize, contain, and set a single source of truth
Start by using Detection Protocols to confirm it’s a ransomware attack and not a noisy false alarm. Then appoint the Incident Manager and open an incident log that records facts, timestamps, and decisions.
Containment comes next. Follow Containment Procedures to isolate affected devices and network perimeters. Stop risky changes, including “quick fixes” that overwrite evidence. Preserve what you can, even if it feels slow, because later you’ll need to explain what happened and when.
Set an executive brief cadence early (example: every 60 minutes). Use a simple rule: if patient safety, critical services, or widespread impact is possible, escalate to the Executive Approver and Board Liaison immediately.
Hours 2 to 24: restore safely, communicate calmly, and make the hard calls with guardrails
Recovery and Remediation should follow a tier list. Tier 0 is identity and core access (directory, multi-factor authentication, privileged accounts). Tier 1 is mission-critical operations (care delivery, plant control, order flow). Tier 2 is everything else.
Before data restoration, make sure these are true: backups are clean, active spread of malicious code is stopped, admin and service passwords are reset, and monitoring is in place. Restoring too early can re-infect your environment.
For the pay decision, set guardrails so the room doesn’t drift into panic:
Legal check, including sanctions risk.
Insurer input and process requirements.
Search for known decryptors and recovery paths.
Proof-of-life and proof-of-decrypt from the attacker.
A clear business impact threshold, and a board notification trigger before any ransom payments decision.
Make it real: test your ransomware decision playbook before it is needed
A one-page map only works if it matches how your leaders behave under pressure. The fastest way to validate your Incident Response Plan is a short tabletop exercise that forces decisions, not discussion.
Run a 60-minute tabletop exercise with a simulated attack using timed injects: encrypted file shares, a note, a media inquiry, a regulator call, a failed restore, a second site showing symptoms. Keep a visible clock. Require the Incident Manager to make calls and record them. Then do a 30-minute post-incident analysis that ends with a small action list with owners and dates, such as patch management tasks or vulnerability remediation steps.
If you want help turning this into repeatable muscle memory, SageSims runs realistic tabletop exercises that focus on governance, escalation, and communications, not technical theater. Challenge your leadership team to schedule one practice run in the next 30 days: Practice high-stakes decisions with SageSims.
FAQs: quick answers leaders ask during ransomware
Should we ever pay a ransom?
Treat it as an executive and legal decision with pre-set stop rules, not a heat-of-the-moment debate. Paying can bring legal, sanctions, and repeat-target risks.
Who should speak to employees and customers?
One Comms Lead, with legal review, manages the communication strategy for internal stakeholders (employees) and external stakeholders (customers). Mixed messages create more damage than silence.
When does the board get involved?
When the ransomware attack's impact crosses clear thresholds (critical services, material outage, payment consideration, regulatory clock). Use a Board Liaison to keep the channel clean.
What’s the most common failure mode?
Decision-making ownership breaks, and the team turns into “committee by meeting.”
Conclusion
A ransomware attack compresses time and judgment. The advantage doesn’t go to the team with the longest document. It goes to the team with the cleanest decisions, and that is what minimizes operational disruptions and keeps the business running.
Print your one-page map. Assign role owners and alternates. Pre-approve the few authorities that always stall: confirming detection, shutdown and forensic collection for containment, communications, and pay guardrails, along with the recovery and remediation order. Then schedule tabletop exercises within 30 days to test business continuity.
Calm executive leadership is contagious. So is confusion. Build the Ransomware Incident Response Playbook, backed by endpoint detection and response, that makes clarity the default when it matters most.
