Gnanasekaran, Vahiny ; Fatima, Urooj ; Glas, Magdalena ; Heegaard, Poul Einar

A Model-Based Framework for Developing Security-Safety Incident Response Plans

Gnanasekaran, Vahiny, Fatima, Urooj, Glas, Magdalena and Heegaard, Poul Einar (2025) A Model-Based Framework for Developing Security-Safety Incident Response Plans. International Journal of Information Security 24, p. 229.

Publication date of this full text: 30 Apr 2026 05:27
Article
DOI for citing this document: 10.5283/epub.79371


Abstract

Cyberattacks are increasingly affecting the safe operation of critical infrastructure (e.g., energy, manufacturing) and potentially endangering production, people, equipment, and the environment. A cyber-incident with physical consequences requires personnel responsible for aggregating log information, analyzing root cause (i.e., cybersecurity), and ensuring the production and safe operation of safety-critical systems (i.e., safety) to collaborate. For this, they must understand their own and each other’s roles in the incident response process, as well as when and how to interact with different roles. To address this problem, this paper proposes a framework that utilizes a model-based approach to illustrate the critical roles and their interactions within a security-safety incident response plan. To demonstrate its applicability, the framework was applied in a qualitative study within the Norwegian oil and gas industry, involving two companies. This research sheds light on the relevance of applying a model-based approach to developing security and safety incident response plans for organizations. It investigates the relevance of using two modeling languages: a general-purpose software systems modeling language, the Unified Modeling Language (UML), and an enterprise process workflow modeling language, the Business Process Modeling Notation (BPMN), for visualizing the security-safety incident response plan. The findings indicate that the modeling languages are suitable and relevant for understanding and discussing the collaboration and coordination of different personnel’s roles during security-safety incident response. The distinct diagrams highlight various aspects, including roles, transmitted information, tasks, and the sequence of tasks. Future work should consider how the diagrams can be applied during the training and learning of the incident response plans.



Details

Document type: Article
Journal or periodical title: International Journal of Information Security
Publisher: Springer
Place of publication: Berlin, Heidelberg
Volume: 24
Page range: p. 229
Date: 3 November 2025
Institutions: Wirtschaftswissenschaften > Institut für Wirtschaftsinformatik > Lehrstuhl für Wirtschaftsinformatik I - Informationssysteme (Prof. Dr. Günther Pernul); Informatik und Data Science > Fachbereich Wirtschaftsinformatik > Lehrstuhl für Wirtschaftsinformatik I - Informationssysteme (Prof. Dr. Günther Pernul)
Identification number: 10.1007/s10207-025-01147-4 (DOI)
Keywords: Modeling language, Incident response, Critical infrastructure, Roles, Cyber security, Safety
Dewey Decimal Classification: 000 Computer science, information science, general works > 004 Computer science
Status: Published
Peer-reviewed: Yes, this version has been peer-reviewed
Created at the University of Regensburg: In part
URN of the UB Regensburg: urn:nbn:de:bvb:355-epub-793713
Document ID: 79371
