Use: complete after every verified P0/P1 (and any incident warranting RCA). Owner: Incident Manager (CISO/CTO). File in the Linear “Security Incidents” project + SharePoint evidence library. Frameworks: SOC 2 IRO-3 (incident management); supports CC7.4/CC7.5; ISO 27001 A.5.27 (learning from incidents). Vanta slot: incident-report-example.
Fill after the incident — factual, no fabrication. Replace every variable.

Incident summary

  • Incident ID: {{incident_id}} · Severity: {{severity}} · Status: {{status}}
  • Detected: {{detected_timestamp_source}} · Declared: {{declared_timestamp}} · Resolved: {{resolved_timestamp}}
  • Incident Manager: {{incident_manager_name}} · Responders: {{responder_names}}
  • Summary: {{incident_summary}}

Impact

  • Systems / data affected: {{systems_data_affected}}
  • Customers / data subjects affected: {{customers_affected}}
  • Confidentiality / integrity / availability impact: {{cia_impact}}
  • Breach determination: {{breach_determination}}

Timeline

TimeEvent / action
{{timeline_time}}{{timeline_event}}

Root-cause analysis

  • Immediate cause: {{immediate_cause}}
  • Root cause (5 Whys / contributing factors): {{root_cause}}
  • Why detection/response did or didn’t work as designed: {{detection_response_assessment}}

Corrective & preventive actions

ActionType (correct / prevent)OwnerDueTracked in
{{action}}{{action_type}}{{action_owner}}{{action_due}}Corrective Action

Sign-off

  • Incident Manager: {{incident_manager_name}} · {{incident_manager_date}} · CEO/GC (breach determination): {{breach_approver_name}} · {{breach_approver_date}}

Variables

VariableDescription
{{incident_id}}Linear reference for the incident
{{severity}}Incident severity (e.g., P0/P1/P2)
{{status}}Current status (e.g., resolved/monitoring)
{{detected_timestamp_source}}When and how the incident was detected (timestamp / source)
{{declared_timestamp}}Timestamp the incident was declared
{{resolved_timestamp}}Timestamp the incident was resolved
{{incident_manager_name}}Name of the Incident Manager
{{responder_names}}Names of the responders
{{incident_summary}}What happened, in 2–3 sentences
{{systems_data_affected}}Systems / data affected
{{customers_affected}}Customers / data subjects affected (count / categories, or none)
{{cia_impact}}Confidentiality / integrity / availability impact
{{breach_determination}}Breach determination by CEO + GC — breach? Y/N; notification obligations
{{timeline_time}}Timeline entry — time
{{timeline_event}}Timeline entry — event / action
{{immediate_cause}}Immediate cause
{{root_cause}}Root cause (5 Whys / contributing factors)
{{detection_response_assessment}}Why detection/response did or didn’t work as designed
{{action}}Corrective / preventive action
{{action_type}}Action type (correct / prevent)
{{action_owner}}Action owner
{{action_due}}Action due date
{{incident_manager_date}}Date the Incident Manager signed off
{{breach_approver_name}}Name of the CEO/GC making the breach determination
{{breach_approver_date}}Date of the breach-determination sign-off

Cross-references