
What is incident management?

Incident management is the process your business follows to identify, respond to, manage, and recover from information security and cybersecurity incidents. Most security and compliance frameworks, such as SOC 2 and ISO 27001, require a business to have a formal, documented incident management process, as well as evidence that the process is actually followed when an incident occurs.

An incident is any event that compromises, or could compromise, the confidentiality, integrity, or availability of your systems, data, or services. This can include, but is not limited to:

Unauthorised access or data breach
Malware/ransomware attacks
Accidental data loss or sharing
System outages or disruptions to the services you provide
Abnormal or suspicious user activity

Proper incident management ensures that your business can respond quickly and effectively to these types of threats, minimising damage and allowing you to learn from the experience. A typical incident management process includes the following phases:

Preparation
Develop an incident response policy
Outline necessary roles, responsibilities, and escalation routes
Make employees aware of correct procedure through training
Implement preventative measures such as security controls and monitoring systems

Incident Identification
Monitor systems and networks for suspected incidents
Follow the defined procedure to validate whether a genuine incident is taking place, rather than a false positive
Escalate the incident according to its potential impact and severity

Assessment & Containment
Assess the scope and impact of the incident
Take immediate steps to contain the threat and prevent further damage

Eradication & Recovery
Remove the cause of the incident (e.g. remove malware, disable compromised accounts and reset their credentials)
Restore impacted systems and validate that they are safe and secure to use before returning them to service
Monitor systems for recurrence

Post-Incident Review
Conduct a 'lessons learned' session to reflect on the incident
Update policies, procedures, or training as needed
Document the incident thoroughly for internal review or audit purposes

(Sources: ServiceNow, CrowdStrike, Cyber Management Alliance)

Updated on: 25/04/2025
