INC-008 Post-Incident Review
Description
A post-incident review is conducted following every significant incident, where "significant" is determined by the severity classification in the Incident Response Plan. The review identifies root causes, assesses the effectiveness of the response, and produces documented recommendations. Corrective actions are tracked to completion. Lessons learned are incorporated into the Incident Response Plan and the relevant controls.
Rationale
Incidents that do not produce learning repeat themselves. A structured post-mortem process is the feedback loop that drives continuous improvement of the security programme.
Framework Mappings (4)
| Control ID | Title | Coverage |
|---|---|---|
| SEF-09 | Incident Records Management | partial |
| 5.27 | Learning from information security incidents | full |
| IR-4 | Incident Handling | partial |
| CC7.5 | Identifies, Develops, and Implements Activities to Recover from Identified Security Incidents | partial |
Evidence (2)
Post-incident review reports for significant incidents, documenting root cause analysis, response effectiveness, and corrective action recommendations.
Example: Post-incident review report or post-mortem document for the last two significant incidents, showing timeline, root cause analysis, contributing factors, response gaps, corrective actions raised, and owners assigned
Test: Request post-incident review reports for the last two significant incidents. Verify: (1) a structured review was conducted for each significant incident; (2) reports include a root cause determination; (3) corrective actions are specific, assigned to named owners, and have due dates; (4) recommendations from prior reviews were incorporated into the IRP or relevant controls.
Corrective action tracking records showing post-incident recommendations were assigned, tracked, and completed.
Example: Jira or equivalent project management records showing corrective action items raised from post-incident reviews, with assignee, due date, and closure evidence (linked to a control update, runbook revision, or configuration change)
Test: Request the corrective action register for post-incident recommendations from the last 12 months. Verify: (1) all significant recommendations are captured as tracked items; (2) items have a named owner and target completion date; (3) completed items show closure evidence (e.g., updated policy, configuration change, runbook revision); (4) overdue items have a documented explanation or revised timeline.
Questions (2)
Is a post-incident review conducted following every significant incident, producing documented root cause analysis, corrective action recommendations, and tracked remediation that feeds back into the Incident Response Plan?
Post-incident reviews should be conducted within a defined timeframe after the incident is closed (e.g. within 5 business days for high-severity incidents). Corrective actions must be assigned to named owners with due dates.
What is the defined timeframe for completing a post-incident review following a high-severity security incident?
A target of 5 business days is common for high-severity incidents. Reviews conducted more than 30 days after closure risk losing context (staff recollection fades, and logs and other telemetry may have aged out of retention), which reduces the quality of the root cause analysis.
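The verification steps in the two Evidence tests above (review on file, root cause determined, every recommendation tracked, owners and due dates set, closure evidence on completed items, an explanation on overdue ones) and the review timeframe from the Questions can be run mechanically against a register export. The script below is an added example written for this page; it is not part of the control text or of any ticketing product. The incidents, reviews and corrective actions are constructed sample data shaped like a Jira export, the 5-business-day target is an assumed SLA, and the business-day count ignores public holidays.

```python
"""Audit checks for a post-incident review programme.

Added example, not part of the control text. All incidents, reviews and
corrective actions below are constructed sample data shaped like a Jira
export; the 5-business-day target is the assumed review SLA.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

REVIEW_SLA_BUSINESS_DAYS = 5  # assumed target for high-severity incidents


@dataclass
class Incident:
    id: str
    severity: str
    closed: date


@dataclass
class Review:
    incident_id: str
    completed: date
    root_cause: str
    recommendations: List[str]  # recommendation ids raised in the report


@dataclass
class Action:
    id: str
    incident_id: str
    recommendation: str
    owner: Optional[str]
    due: Optional[date]
    status: str  # "open" or "done"
    closure_evidence: Optional[str] = None  # link to policy/config/runbook change
    overdue_note: Optional[str] = None  # explanation or revised timeline


def business_days_between(start: date, end: date) -> int:
    """Mon-Fri days after `start` up to and including `end`; no holiday calendar."""
    days, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days += 1
    return days


def audit(incidents, reviews, actions, today: date) -> List[str]:
    """Return one finding per failed check; an empty list means the register passes."""
    findings = []
    review_for = {r.incident_id: r for r in reviews}
    for inc in incidents:
        rev = review_for.get(inc.id)
        if rev is None:
            findings.append(f"{inc.id}: no post-incident review on file")
            continue
        if not rev.root_cause.strip():
            findings.append(f"{inc.id}: review has no root cause determination")
        if inc.severity == "high":
            lag = business_days_between(inc.closed, rev.completed)
            if lag > REVIEW_SLA_BUSINESS_DAYS:
                findings.append(f"{inc.id}: review completed {lag} business days after "
                                f"closure (target {REVIEW_SLA_BUSINESS_DAYS})")
        # Every recommendation in the report must appear as a tracked item.
        tracked = {a.recommendation for a in actions if a.incident_id == inc.id}
        for rec in rev.recommendations:
            if rec not in tracked:
                findings.append(f"{inc.id}: recommendation {rec} has no tracked action")
    for a in actions:
        if not a.owner:
            findings.append(f"{a.id}: no named owner")
        if a.due is None:
            findings.append(f"{a.id}: no due date")
        if a.status == "done" and not a.closure_evidence:
            findings.append(f"{a.id}: closed without closure evidence")
        if a.status != "done" and a.due and a.due < today and not a.overdue_note:
            findings.append(f"{a.id}: overdue since {a.due} with no explanation")
    return findings


# Constructed sample data: one compliant incident, one with several gaps.
SAMPLE_INCIDENTS = [
    Incident("INC-2024-031", "high", date(2024, 3, 1)),   # closed on a Friday
    Incident("INC-2024-044", "high", date(2024, 5, 10)),  # closed on a Friday
]
SAMPLE_REVIEWS = [
    Review("INC-2024-031", date(2024, 3, 7), "expired certificate on ingress load balancer", ["R1", "R2"]),
    Review("INC-2024-044", date(2024, 5, 24), "", ["R3", "R4"]),  # late, no root cause
]
SAMPLE_ACTIONS = [
    Action("CA-101", "INC-2024-031", "R1", "platform-lead", date(2024, 4, 15), "done",
           closure_evidence="runbook RB-17 rev 12 adds certificate-expiry monitoring"),
    Action("CA-102", "INC-2024-031", "R2", "sec-eng", date(2024, 4, 30), "open"),
    Action("CA-103", "INC-2024-044", "R4", None, None, "done"),
]


def run_sample(today: date = date(2024, 6, 3)) -> List[str]:
    return audit(SAMPLE_INCIDENTS, SAMPLE_REVIEWS, SAMPLE_ACTIONS, today)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Run against the sample data, the compliant incident produces no findings, while the second incident yields a late review, a missing root cause and an untracked recommendation, and the register yields an unexplained overdue item and a "done" item with no owner, due date or closure evidence. In practice the three input lists would be loaded from the incident tracker's export rather than defined inline.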