Incident Management Process
Diagram
flowchart TB
PP[Planning & Preparation] --> DR[Detection & Reporting]
DR --> AD[Assessment & Decision]
AD --> RS[Response]
RS --> LL[Lessons Learned]
LL --> PP
Process Steps
Planning & Preparation
Effective incident response starts long before an incident occurs. This phase establishes your incident response policy, defines roles and responsibilities, and ensures the team has the tools and contact information needed to act quickly. Regular testing through tabletop exercises ensures everyone knows their role when it matters.
Detection & Reporting
Incidents can only be managed if they're identified and reported promptly. This phase covers the technical controls that detect anomalies (logging, monitoring, alerting) and the human processes that encourage staff to report suspicious activity without hesitation. Clear reporting channels (and a culture that doesn't punish false positives) are essential.
Assessment & Decision
Not every alert is an incident, and not every incident requires the same response. This phase involves triaging reported events, categorising their severity and potential impact, and deciding whether to escalate. The goal is consistent, defensible decision-making under pressure, guided by predefined criteria rather than gut instinct.
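As an added example (not part of the original page), a constructed Python triage helper shows what "predefined criteria rather than gut instinct" can look like in this phase: severity comes from a fixed sensitivity-by-impact matrix, unconfirmed reports are never escalated, and every decision is recorded with the inputs that produced it. The scales, matrix values and escalation threshold are assumptions, not taken from the page.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Predefined criteria as ordinal scales (constructed values; a real policy sets these)
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "regulated": 3}
IMPACT = {"none": 0, "degraded": 1, "outage": 2}

# Severity matrix: rows = data sensitivity, columns = service impact. "event" = not an incident.
MATRIX = [
    ["event", "low", "medium"],        # public data
    ["low", "medium", "high"],         # internal data
    ["medium", "high", "critical"],    # confidential data
    ["high", "critical", "critical"],  # regulated data
]
ESCALATE_FROM = {"high", "critical"}   # severities handed to the incident lead (assumed)

@dataclass
class Report:
    report_id: str
    data_sensitivity: str
    service_impact: str
    confirmed: bool  # analyst verified the activity is real, not a false positive

@dataclass
class Decision:
    report_id: str
    severity: str
    is_incident: bool
    escalate: bool
    rationale: str   # the inputs and rule that produced the outcome, for later review
    decided_at: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())

def triage(report: Report) -> Decision:
    """Derive severity and escalation from the matrix alone; unknown values fail loudly."""
    s = SENSITIVITY[report.data_sensitivity]   # KeyError rather than a silent default
    i = IMPACT[report.service_impact]
    severity = MATRIX[s][i]
    # An unconfirmed report stays an event pending verification, whatever the matrix says
    is_incident = report.confirmed and severity != "event"
    escalate = is_incident and severity in ESCALATE_FROM
    rationale = (f"sensitivity={report.data_sensitivity}({s}), "
                 f"impact={report.service_impact}({i}) -> {severity}; "
                 f"confirmed={report.confirmed}")
    return Decision(report.report_id, severity, is_incident, escalate, rationale)

if __name__ == "__main__":
    # Constructed sample reports: regulated data degraded, public data degraded, unverified outage
    for r in (Report("R-1", "regulated", "degraded", True), Report("R-2", "public", "degraded", True),
              Report("R-3", "confidential", "outage", False)):
        d = triage(r)
        print(d.report_id, d.severity, "incident" if d.is_incident else "event",
              "ESCALATE" if d.escalate else "handle locally", "|", d.rationale)
```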
Response
Once an incident is confirmed, the focus shifts to containment, eradication, and recovery. Containment limits the blast radius, eradication removes the threat, and recovery restores normal operations. Throughout, evidence preservation and clear communication with stakeholders are as important as the technical remediation itself.
Lessons Learned
Every incident (whether major or minor) is an opportunity to improve. This phase captures what happened, what worked, what didn't, and what changes are needed to prevent recurrence. The output should feed directly into updated procedures, controls, and training, closing the loop back to Planning & Preparation.