- The IT emergency card is a one- to two-page document with the most important contacts and immediate actions that should be available at every employee's workplace.
- The BSI provides a free template that serves as a starting point. Customize it for your organization rather than using it unchanged.
- The card must contain four things: contact details for key personnel, the first three to five steps in an IT emergency, clear prohibitions (what NOT to do), and a simple classification of when something qualifies as an emergency.
- For the IT team, there is an extended technical emergency card with IP addresses, credential vault instructions, recovery sequence, and contacts for external service providers.
- The emergency card must be checked quarterly for current contact information and updated immediately when personnel changes occur.
Why an IT Emergency Card?
It's Monday morning, 8:15 AM. An employee in accounting opens their laptop and sees an unfamiliar message instead of the usual desktop: "Your files have been encrypted." The files are no longer accessible. The employee is not an IT expert. They don't know whether to shut down the laptop, unplug the network cable, or simply wait. They call a colleague, who can't help either. It takes 45 minutes before the right person is informed. In those 45 minutes, the ransomware spreads across the network.
This scenario regularly occurs in organizations that have an incident response plan sitting in a binder somewhere but lack a simple, immediately accessible set of instructions at the workplace. The IT emergency card fills exactly this gap. A functioning incident response plan is the foundation, but the emergency card is the practical, everyday derivative of it.
The IT emergency card is deliberately not a comprehensive document. It's the opposite: a one- to two-page, laminated sheet that hangs at the workplace or sits in the desk drawer. It answers exactly three questions: Who do I call? What do I do immediately? What must I absolutely avoid?
The BSI (Federal Office for Information Security) established the emergency card as a concept and provides a template. This template is a good starting point that you should customize for your organization.
The BSI Emergency Card as a Starting Point
The BSI published the "IT Emergency Card" as a template through the Alliance for Cyber Security. It's designed after the model of fire safety notices and follows a simple principle: in an IT emergency, every employee must immediately know what to do, even without technical knowledge.
Basic Structure of the BSI Template
The BSI template is divided into four sections:
- Recognizable heading: "IT Emergency? Act Correctly!" or similar, in large, prominent font.
- Emergency number: The one phone number every employee should call in an IT emergency.
- Immediate actions: The first steps the employee should take themselves.
- What not to do: Clear prohibitions to prevent making the situation worse.
Why You Should Customize the BSI Template
The BSI template is generic. It works as a starting point, but without customization, the company-specific information that makes the difference in an actual emergency is missing. Who is the specific contact person? What is the internal emergency number? Which systems are particularly critical in your organization? What company-specific rules apply?
Take the BSI template as a structure and fill it with your own content. The result is an emergency card that is not just well-intentioned but actually useful.
What Needs to Be on the Emergency Card
The emergency card is aimed at all employees, regardless of their technical knowledge. It must therefore be so simple and unambiguous that it works even in a stressful situation. Every superfluous word, every ambiguity, and every piece of information that is irrelevant at the moment of an emergency does not belong on the card.
Section 1: Headline and Visual Identifier
The card needs an immediately recognizable heading. Large, bold, in a signal color. The employee must be able to identify the card as an emergency card from three meters away.
Example:
IT EMERGENCY? Here's what you need to do now.
Optionally add a symbol or icon (warning symbol, phone), but keep it simple. The card isn't meant to win design awards — it needs to be grasped in a fraction of a second.
Section 2: When Is It an IT Emergency?
Many employees are unsure whether their situation really qualifies as an "emergency." A slow computer is not. An encrypted hard drive is. The card should briefly and clearly define when it should be used.
Example:
It is an IT emergency when:
- Your screen shows an unknown message (e.g., ransom demand, encryption notice)
- You notice suspicious activity on your computer that you did not initiate
- You sent confidential data to the wrong person
- You clicked a suspicious link or opened a suspicious attachment
- Systems or data are unavailable and this is not due to planned maintenance
This list doesn't need to be exhaustive. It needs to cover the most common scenarios and give the employee confidence that it's right to report the emergency, even if it later turns out to be a false alarm. Better to report once too many than once too few.
Section 3: The Emergency Number
The centerpiece of the card. A single, unambiguous number that is always reachable during an IT emergency. Not three numbers for different departments, no email address as an alternative, no backup number for "outside business hours." One number. Always.
Example:
Call IMMEDIATELY: ☎ 0800 123 4567 IT Emergency Hotline (available 24/7)
Or internally: Extension 999
If your organization doesn't have a 24/7 service, still provide a number that works evenings and weekends. This could be the mobile number of the on-call IT staff member or an external standby service.
Section 4: The First Steps
After the call, the employee should know what they can do to avoid making the situation worse and to help the IT team. Limit this to three to five steps — no one can remember more in a stressful situation.
Example:
What you should do now:
- Stay calm. You did the right thing by calling the emergency number.
- Unplug the network cable (if applicable) or turn off WiFi. This prevents a potential attack from spreading to other systems.
- Take a photo of the screen. Use your phone to take a picture. The message on the screen often contains important clues for the IT team.
- Write down what happened: What were you doing last? When did you notice the problem? Which systems are affected?
- Wait for instructions from the IT team. Do NOT shut down the computer unless the IT team explicitly tells you to.
The point "Do NOT shut down the computer" is important and counterintuitive. Many employees think that turning it off helps. In reality, shutting down can destroy forensic evidence in RAM (working memory) that is critical for analyzing the incident. At the same time, there are situations where shutting down makes sense. The decision should rest with the IT team, not the employee.
Section 5: What You Should NOT Do
This section is at least as important as the action instructions. In a panic, people do things that are well-intentioned but counterproductive.
Example:
What you should NOT do:
- DO NOT respond to the ransom message or pay the ransom
- DO NOT try to fix the problem yourself (no virus scans, no file recovery)
- DO NOT share the incident on social media or with external parties
- DO NOT forward suspicious links or files to colleagues (not even as a warning)
- DO NOT connect USB drives or other storage media to the affected computer
The "DO NOT" rules should be highlighted in a prominent color (e.g., red). They are the guardrails that prevent a bad incident from becoming worse.
Section 6: Information for the Report
When the employee calls the emergency number, the IT team needs to quickly get the relevant information. A short checklist on the card helps the employee report the right things.
Example:
Have the following information ready:
- Your name and department
- Your location (building, floor, room)
- What happened? (Brief description)
- When did you notice it?
- Which devices or systems are affected?
- Did you click a suspicious link or open an attachment?
Designing the Emergency Card
The design determines whether the card actually works in an emergency. A poorly designed card will either not be found, not be read, or be misunderstood.
Format and Material
- Format: DIN A5 (half the size of DIN A4) is ideal. Large enough to be readable, small enough that it does not end up on the wall as a poster that everyone ignores.
- Laminated: The card must be laminated. A non-laminated sheet will be crumpled in a drawer after two weeks or ruined by coffee.
- Double-sided: Front for the general emergency card (sections 1 to 5), back for the reporting information (section 6) and additional notes if needed.
Typography and Colors
- Heading: At least 24pt, bold, in a signal color (red or orange)
- Emergency number: At least 36pt, the largest text on the card
- Body text: 12 to 14pt, easily readable even in low light
- "DO NOT" rules: Highlighted in red or with a red background
- Font: A clear sans-serif typeface. No decorative fonts, no overly thin weights.
Placement
The card must be where the employee will find it in an emergency without having to search:
- At the workplace: Directly next to the monitor or under the desk shelf
- In meeting rooms: At the entrance or next to the phone
- In production areas: At the workstation, at the time clock, at the entrance to the hall
- Digitally: Additionally as a PDF on the intranet, as a browser bookmark, as a lock screen wallpaper
The combination of physical and digital availability is important. During a ransomware attack, the intranet may no longer work. The physical card must be there.
Extended Emergency Card for the IT Team
The general emergency card is aimed at all employees. The IT team needs an extended version with technical information that must be immediately available in an emergency. This technical emergency card is confidential and distributed only to IT staff.
Contents of the Technical Emergency Card
1. Immediate Actions Checklist (Technical)
If ransomware / active attack is suspected:
- Isolate affected systems from the network (unplug network cable, disable WiFi, disable switch port if necessary)
- Disconnect internet connection (uplink at router or firewall)
- Immediately disconnect backup systems from the network (before they are compromised as well)
- Notify the crisis team (see contact list)
- Begin forensic preservation (RAM dump before shutdown, disk image)
- Secure log files (firewall, domain controller, affected servers)
- Check reporting obligations (NIS2: 24h, GDPR: 72h for data breaches)
2. Critical Systems and IP Addresses
| System | IP Address | Location | Responsible |
|---|---|---|---|
| Domain Controller 1 | 10.0.1.10 | Server Room HQ | Admin Team |
| Domain Controller 2 | 10.0.1.11 | Server Room HQ | Admin Team |
| Firewall | 10.0.0.1 | Server Room HQ | Network Team |
| Backup Server | 10.0.3.50 | Server Room HQ | Admin Team |
| Email Server | 10.0.2.20 | Cloud (M365) | Admin Team |
| ERP System | 10.0.2.30 | Server Room HQ | ERP Admin |
| Phone System | 10.0.4.10 | Technical Room | Network Team |
This table must contain the systems that are prioritized during recovery. Not every system belongs on the emergency card — just the ten to fifteen most critical ones.
3. Credential Vault
During an emergency, credentials are needed that only a few people know in normal operations: local admin passwords, recovery keys, firewall credentials, cloud admin accounts. These credentials must not appear on the emergency card, but the card must describe where and how to obtain them.
Emergency Credentials:
- Password Manager: KeePass database on encrypted USB drive in the safe (Server Room HQ, safe code held by management and CISO)
- Offline Copy: Sealed envelope in bank safe deposit box (Sparkasse Musterstadt, Box 4711)
- Break-Glass Account: admin.emergency@firma.de (password in sealed envelope, Server Room safe)
The break-glass accounts are emergency accounts with elevated privileges that may only be used during a crisis. Their usage must be logged and audited after the incident.
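One way to support the post-incident audit of break-glass usage, as an added example that is not part of the original article: the script below scans sign-in records for the break-glass account and separates use inside a declared crisis window (still to be reviewed) from use outside it (alert). The JSON field names, the sample records, and the incident window are constructed assumptions; map them to whatever your identity provider actually exports.

```python
import json
from datetime import datetime

# The break-glass account named on the example card above.
BREAK_GLASS_ACCOUNTS = {"admin.emergency@firma.de"}

# Constructed sample sign-in records (JSON lines). Field names are hypothetical.
SAMPLE_LOG = """\
{"ts": "2026-03-02T08:41:10+00:00", "user": "j.meier@firma.de", "src_ip": "10.0.5.23", "result": "success"}
{"ts": "2026-03-02T09:05:44+00:00", "user": "admin.emergency@firma.de", "src_ip": "10.0.1.77", "result": "success"}
{"ts": "2026-03-02T09:06:02+00:00", "user": "Admin.Emergency@firma.de", "src_ip": "10.0.1.77", "result": "failure"}
{"ts": "2026-03-09T23:14:31+00:00", "user": "admin.emergency@firma.de", "src_ip": "198.51.100.7", "result": "success"}
not-json garbage line
"""

# Constructed: crisis windows (start, end) as declared by the crisis team.
INCIDENT_WINDOWS = [
    (datetime.fromisoformat("2026-03-02T08:30:00+00:00"),
     datetime.fromisoformat("2026-03-03T18:00:00+00:00")),
]


def audit_break_glass(log_text, accounts=BREAK_GLASS_ACCOUNTS, windows=INCIDENT_WINDOWS):
    """Return (findings, unparsed_count) for every break-glass sign-in attempt.

    Severity is REVIEW for attempts inside a declared crisis window and
    ALERT for attempts outside one. Failed attempts are reported as well.
    """
    wanted = {a.lower() for a in accounts}  # account names compared case-insensitively
    findings, unparsed = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
            user = event["user"].lower()
            ts = datetime.fromisoformat(event["ts"])
        except (ValueError, KeyError, TypeError, AttributeError):
            unparsed += 1  # count unreadable lines so gaps in the log are visible
            continue
        if ts.tzinfo is None:
            unparsed += 1  # a timestamp without a time zone cannot be placed in a window
            continue
        if user not in wanted:
            continue
        in_window = any(start <= ts <= end for start, end in windows)
        findings.append({
            "ts": event["ts"],
            "user": event["user"],
            "src_ip": event.get("src_ip"),
            "result": event.get("result"),
            "severity": "REVIEW" if in_window else "ALERT",
        })
    return findings, unparsed


if __name__ == "__main__":
    hits, skipped = audit_break_glass(SAMPLE_LOG)
    for hit in hits:
        print(hit["severity"], hit["ts"], hit["user"], hit["src_ip"], hit["result"])
    print("unparsed lines:", skipped)
```

A non-zero count of unparsed lines should itself be followed up, since an incomplete log cannot prove the account was unused.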
4. Recovery Sequence
| Priority | System | Max. Downtime | Recovery Method |
|---|---|---|---|
| 1 | Network Infrastructure (Firewall, Switches, DNS) | 2 hours | Restore configuration backup |
| 2 | Domain Controller | 4 hours | Bare-metal restore from backup |
| 3 | Email System | 8 hours | Cloud failover (M365) |
| 4 | ERP System | 12 hours | VM restore from backup |
| 5 | File Server | 24 hours | VM restore from backup |
| 6 | Other Applications | 48 hours | Per recovery plan |
This sequence is based on the business impact analysis and the recovery plan. The emergency card shows the short version; the detailed recovery plan is available separately.
5. External Contacts for Emergencies
| Contact | Phone | When to Contact |
|---|---|---|
| IT Security Service Provider (Incident Response) | +49 xxx xxxxxxx | Upon confirmed security incident |
| BSI Reporting Office (NIS2) | +49 228 99 9582-5500 | For reportable incidents (24h deadline) |
| Data Protection Authority (GDPR) | +49 xxx xxxxxxx | For data breaches involving personal data (72h deadline) |
| Cyber Insurance | +49 xxx xxxxxxx | For incidents with potential damages |
| Attorney (IT Law) | +49 xxx xxxxxxx | For extortion, reporting obligations, liability issues |
| Police (Cybercrime Unit) | 110 or direct number | For criminal offenses (extortion, data theft) |
| Phone System Provider (Hotline) | +49 xxx xxxxxxx | If phone system fails |
This contact list must be regularly checked for accuracy. Nothing is worse than calling an outdated number in an emergency and ending up in a queue or reaching a former service provider.
Designing the Technical Emergency Card
The technical emergency card is more comprehensive than the general version. DIN A4, printed on both sides and laminated, is the standard format. Use table structures and numbered lists. Colors help with quick orientation: red for immediate actions, yellow for contacts, green for the recovery sequence.
The technical emergency card is a confidential document. It contains IP addresses, system names, and references to the credential vault. Treat it accordingly: numbered copies, personal distribution to IT team members, return upon team changes.
Distribution and Communication
An emergency card that nobody knows about helps nobody. Distribution and communication are just as important as the content.
Initial Distribution
- Personal handover: Give each employee the emergency card personally, not via internal mail and not as an email attachment. The personal handover creates awareness and provides an opportunity to briefly explain the card.
- During onboarding: Every new employee receives the emergency card on their first day as part of the onboarding package. Briefly explain when and how to use it.
- Ensure placement: Ask employees to keep the card at a fixed location at their workplace. Ideally attached directly next to the monitor or on the desk.
In Awareness Training
Integrate the emergency card into your security awareness program. At least once a year, the card should be covered in a training session or brief reminder. Ideally combined with a practical exercise: "An extortion message just appeared on your screen. What do you do first? Look at your emergency card."
Everyday Visibility
The emergency card must remain visible in daily work; otherwise, it will be forgotten after three months. Some ideas:
- Desktop wallpaper or lock screen message: "In an IT emergency: Extension 999"
- Laptop stickers: A small sticker with the emergency number
- Notice in common areas: Kitchen, hallway, entrance area
- Intranet homepage: Link to the digital version of the emergency card
Updates: The Biggest Weakness
The most common weakness in emergency cards is not the content but how current it is. Contact details change, employees leave, phone numbers are reassigned. An emergency card with an outdated emergency number is not just useless; it's dangerous because it creates a false sense of security.
Review Schedule
- Quarterly: Check all contact details for accuracy. Make test calls to the numbers. Are the named contacts still in their roles? Is the emergency number reachable?
- Immediately upon personnel changes: When the CISO, IT manager, or any other contact named on the card leaves the organization or changes roles, the card must be updated immediately.
- Annually: Review the entire content: Are the immediate actions still appropriate? Do the systems on the technical emergency card still match reality? Are there new reporting obligations or changed deadlines?
Replacement Process
Define a process for replacing outdated cards:
- Print and laminate the new version
- Update the version number and date (at the bottom of the card)
- Distribute new cards to all employees
- Collect and destroy old cards
- Update the digital version on the intranet
Collecting old cards is important. If an employee has both the old and new card, they may grab the wrong one under stress. Ensure that only one version is in circulation at any time.
Versioning
Even an emergency card needs a version number. A small note at the bottom is sufficient:
Version 3.1 | As of: March 2026 | Next review: June 2026
This way, anyone can immediately see whether their card is current. In audits, versioning provides evidence that the card is regularly reviewed and updated as needed.
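The review schedule and version footer can be checked automatically against the digital master copy of the card. The following is an added example, not part of the original article or the BSI template: it parses the footer format shown above, flags an overdue review or a review interval longer than one quarter, and flags contact rows that still carry a placeholder number. It assumes the card is kept as plain text with a pipe-delimited contact table and that a review named for a month is overdue once that month has ended; the sample card text is constructed.

```python
import re
from datetime import date

MONTHS = {name: i for i, name in enumerate(
    ["January", "February", "March", "April", "May", "June", "July",
     "August", "September", "October", "November", "December"], start=1)}

# Footer format from the article: "Version 3.1 | As of: March 2026 | Next review: June 2026"
FOOTER_RE = re.compile(
    r"Version\s+(?P<version>\d+(?:\.\d+)*)\s*\|\s*"
    r"As of:\s*(?P<asof>[A-Za-z]+ \d{4})\s*\|\s*"
    r"Next review:\s*(?P<next>[A-Za-z]+ \d{4})")

# Constructed card text for the demonstration.
SAMPLE_CARD = """\
| Contact | Phone | When to Contact |
|---|---|---|
| BSI Reporting Office (NIS2) | +49 228 99 9582-5500 | For reportable incidents |
| Cyber Insurance | +49 xxx xxxxxxx | For incidents with potential damages |
Version 3.1 | As of: March 2026 | Next review: June 2026
"""


def month_index(text):
    """Convert 'March 2026' to a running month count, or None for an unknown month."""
    name, year = text.split()
    month = MONTHS.get(name.capitalize())
    return None if month is None else int(year) * 12 + (month - 1)


def lint_card(card_text, today, max_interval_months=3):
    """Return a list of problems found in the card's footer and contact table."""
    problems = []
    m = FOOTER_RE.search(card_text)
    if m is None:
        problems.append("footer: missing or malformed version line")
    else:
        as_of, nxt = month_index(m["asof"]), month_index(m["next"])
        now = today.year * 12 + (today.month - 1)
        if as_of is None or nxt is None:
            problems.append("footer: unknown month name")
        else:
            if nxt <= as_of:
                problems.append("footer: next review is not after the 'As of' date")
            if nxt - as_of > max_interval_months:
                problems.append(
                    f"footer: review interval of {nxt - as_of} months exceeds {max_interval_months}")
            if now > nxt:  # overdue only after the review month has ended
                problems.append(
                    f"footer: review overdue since {m['next']} (version {m['version']})")
    for line in card_text.splitlines():
        if not line.lstrip().startswith("|"):
            continue  # only table rows carry contacts
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) >= 2 and re.search(r"x{3,}", cells[1], re.IGNORECASE):
            problems.append(f"contact: placeholder phone number for '{cells[0]}'")
    return problems


if __name__ == "__main__":
    for problem in lint_card(SAMPLE_CARD, date.today()):
        print(problem)
```

The check only proves that the footer and table are filled in and within schedule; the quarterly test calls to each number still have to be made by a person.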
Emergency Card and Incident Response Plan: How Do They Fit Together?
The emergency card does not replace an incident response plan. It is the simplified, everyday derivative of it. The hierarchy looks like this:
Incident Response Plan: The comprehensive document with all details on detection, assessment, containment, eradication, recovery, and lessons learned. Typically 10 to 20 pages, aimed at the incident response team.
Technical Emergency Card: The short version for the IT team. Contains the most important immediate actions, contacts, and system overview. 2 pages (DIN A4, double-sided), aimed at all IT staff.
General IT Emergency Card: The version for all employees. Contains only the emergency number, first steps, and prohibitions. 2 pages (DIN A5, double-sided), aimed at every single employee in the organization.
All three documents must be consistent. The emergency number on the general card must be documented as the first point of contact in the incident response plan. The immediate actions on the technical card must align with the procedures in the incident response plan. When you update any of the three documents, check consistency with the other two.
Tabletop Exercise with the Emergency Card
The best way to test the effectiveness of the emergency card is a tabletop exercise. You walk through an emergency scenario and observe whether employees can find, understand, and correctly follow the card.
Running a Simple Tabletop Exercise
Preparation (30 minutes): Choose a realistic scenario (e.g., ransomware on a workstation, phishing email with credential theft). Define the starting situation and expected responses.
Execution (45 to 60 minutes): Gather a group of five to ten employees from different departments. Describe the scenario and ask: "What do you do now?" Observe whether employees refer to the emergency card, whether they call the emergency number, and whether they follow the immediate actions.
Debrief (30 minutes): Discuss with the group what worked well and where there was uncertainty. Typical findings: the card wasn't within reach, the steps were unclearly worded, employees didn't know the emergency card existed.
Implementing Findings
The results of the tabletop exercise feed directly into improving the emergency card. If employees don't understand the instruction "unplug the network cable" because they don't have a network cable (WiFi only), the card needs to be adjusted. If the emergency number is too long to memorize, a short internal extension is needed. If the "DO NOT" rules weren't understood, they need clearer wording.
Plan at least one tabletop exercise per year that includes the emergency card. The effort is minimal, and the insights are often surprisingly valuable.
Checklist: Creating and Distributing the Emergency Card
To wrap up, a compact checklist you can use for creating and rolling out your IT emergency card:
Create content:
- Define emergency number (one number, available 24/7)
- Write the "When is it an IT emergency?" definition
- Define immediate actions (3 to 5 steps)
- Define "DO NOT" rules
- Define reporting information
- Create technical emergency card for IT team
- Check consistency with incident response plan
Design and production:
- Create layout (DIN A5 for general, DIN A4 for IT team)
- Large, clear font, signal colors
- Print and laminate (sufficient quantity plus spares)
- Print version number and review date
Distribution:
- Personal handover to all employees
- Post in meeting rooms and common areas
- Make digital version available on intranet
- Integrate into onboarding process
- Cover in next awareness training
Maintenance:
- Schedule quarterly contact information checks
- Define immediate updates for personnel changes
- Schedule annual full review in calendar
- Document replacement process for outdated cards
- Plan tabletop exercise with emergency card
The Simplest Measure with the Greatest Impact
Of all emergency management measures, the emergency card probably has the best cost-benefit ratio. Creating it takes half a day, printing costs a few euros per copy, and the impact in an actual emergency can mean the difference between rapid containment and uncontrolled spread of an attack.
The 45 minutes the employee from the example at the beginning of this article lost because they didn't know who to call are an eternity in a ransomware situation. Network propagation, encryption of additional systems, data exfiltration — all of this can happen in 45 minutes. An emergency card would have reduced that time to just a few minutes. In ISMS Lite, emergency cards, contact lists, and incident response plans can be managed centrally and automatically updated when personnel changes occur.
Create the card, laminate it, distribute it, train on it, and keep it current. Done. It's not rocket science, but it works — precisely when it matters most.
Further Reading
- Creating an Incident Response Plan: Structure and Practical Example
- Ransomware Attack: Immediate Actions for the First 24 Hours
- Creating a Recovery Plan: Restoring Systems After an Outage
- IT Emergency Manual: Structure, Contents, and Maintenance
- Planning and Running a Tabletop Exercise: How to Test Your Emergency Plan
Print the card, laminate it, and place it at every workstation. It takes an afternoon and costs almost nothing. But when it matters — when the screen suddenly shows an extortion message — the laminated card next to the monitor may be the most valuable piece of paper in the entire organization.
