UnixTime

Research Note

Incident Management Plan

Use this to define how information security events, weaknesses, and incidents are reported, triaged, investigated, escalated, recovered from, reviewed, and improved.

On this page

When to use this

Practical use

Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.

Use this to define how information security events, weaknesses, and incidents are reported, triaged, investigated, escalated, recovered from, reviewed, and improved.

Process checklist

  • Event and weakness reporting route defined.
  • Incident classification levels defined.
  • Triage process defined.
  • Escalation criteria defined.
  • Investigation process defined.
  • Containment and eradication steps defined.
  • Recovery coordination defined.
  • Communications process defined.
  • Evidence preservation expectations defined.
  • Legal/privacy/regulatory notification assessment defined.
  • Post-incident review defined.
  • Corrective action link defined.
  • Supplier/cloud incident integration defined.
  • Exercise/tabletop schedule defined.

Incident record fields

Field Notes
Incident ID
Report date/time
Reporter
Affected asset/service
Classification/severity
Incident manager
Business owner
Initial impact
Actions taken
Evidence preserved
Recovery status
Lessons learned
Corrective actions