Holding a Post-Incident Review



Updated October 9, 2023
Now Available
Security for Everyone

A post-incident review should be held after every incident, preferably within two weeks of the main event. This ensures that things are still fresh in people’s minds and that you don’t end up reviewing one incident while handling another.

Everyone involved with an incident should be included in the post-incident review. This may include representatives from external stakeholders and customers where appropriate. A high-level summary of lessons learned and changes made should be added to the customer view of the incident documentation.

Documenting Incidents and Disasters

All incidents should be documented. This documentation serves as a historical record of the incident and the activities resulting from it.

Documentation should contain at a minimum:

  • a timeline of events

  • You’re reading a preview of an online book. Buy it now for lifetime access to expert knowledge, including future updates.
If you found this post worthwhile, please share!