Articles on: Compliance

What is incident management?

Incident Management is the process that your business follows in order to identify, respond to, manage, and recover from incidents related to information security and cybersecurity. Most security and compliance frameworks, such as SOC 2 and ISO 27001, require a business to have a formal incident management process, as well as evidence that this process is followed when an incident occurs.


An **incident **is any event that could compromise the confidentiality, integrity, and availability of your systems, data, or services. This can include, but is not limited to:


  • Unauthorised access or data breach
  • Malware/ransomware attacks
  • Accidental data loss or sharing
  • System outages or disruptions to the services you provide
  • Abnormal or suspicious user activity


Proper incident management ensures that your business can respond quickly and effectively to these types of threats, minimising damage, and allowing you to learn from the experience. A normal incident management process typically includes:


  1. Preparation
  • Develop an incident response policy
  • Outline necessary roles, responsibilities, and escalation routes
  • Make employees aware of correct procedure through training
  • Implement preventative measures such as security controls and monitoring systems


  1. Incident Identification
  • Monitor systems and networks for suspected incidents
  • Follow proper procedure to validate whether an incident is taking place
  • Escalate the incident based on the potential impact and severity


  1. Assessment & Containment
  • Assess the scope and impact of the incident
  • Take immediate steps to contain the threat and prevent further damage


  1. Eradication & Recovery
  • Remove the cause of the incident (e.g. malware, compromised accounts)
  • Restore impacted systems and validate they are safe/secure to use.
  • Monitor systems for recurrence


  1. Post-Incident Review
  • Conduct a 'lessons learned' session to reflect on the incident
  • Update policies, procedures, or training as needed
  • Document the incident thoroughly for internal review or audit purposes.


(Sources: ServiceNow, CrowdStrike, Cyber Management Alliance)

Updated on: 25/04/2025

Was this article helpful?

Share your feedback

Cancel

Thank you!