Use: complete after every verified P0/P1 (and any incident warranting RCA). Owner: Incident Manager (CISO/CTO). File in the Linear “Security Incidents” project + SharePoint evidence library. Frameworks: SOC 2 IRO-3 (incident management); supports CC7.4/CC7.5; ISO 27001 A.5.27 (learning from incidents). Vanta slot: incident-report-example.
Fill after the incident — factual, no fabrication. Replace every variable.
Incident summary
- Incident ID: {{incident_id}} · Severity: {{severity}} · Status: {{status}}
- Detected: {{detected_timestamp_source}} · Declared: {{declared_timestamp}} · Resolved: {{resolved_timestamp}}
- Incident Manager: {{incident_manager_name}} · Responders: {{responder_names}}
- Summary: {{incident_summary}}
Impact
- Systems / data affected: {{systems_data_affected}}
- Customers / data subjects affected: {{customers_affected}}
- Confidentiality / integrity / availability impact: {{cia_impact}}
- Breach determination: {{breach_determination}}
Timeline
| Time | Event / action |
|---|
| {{timeline_time}} | {{timeline_event}} |
Root-cause analysis
- Immediate cause: {{immediate_cause}}
- Root cause (5 Whys / contributing factors): {{root_cause}}
- Why detection/response did or didn’t work as designed: {{detection_response_assessment}}
Corrective & preventive actions
| Action | Type (correct / prevent) | Owner | Due | Tracked in |
|---|
| {{action}} | {{action_type}} | {{action_owner}} | {{action_due}} | Corrective Action |
Sign-off
- Incident Manager: {{incident_manager_name}} · {{incident_manager_date}} · CEO/GC (breach determination): {{breach_approver_name}} · {{breach_approver_date}}
Variables
| Variable | Description |
|---|
{{incident_id}} | Linear reference for the incident |
{{severity}} | Incident severity (e.g., P0/P1/P2) |
{{status}} | Current status (e.g., resolved/monitoring) |
{{detected_timestamp_source}} | When and how the incident was detected (timestamp / source) |
{{declared_timestamp}} | Timestamp the incident was declared |
{{resolved_timestamp}} | Timestamp the incident was resolved |
{{incident_manager_name}} | Name of the Incident Manager |
{{responder_names}} | Names of the responders |
{{incident_summary}} | What happened, in 2–3 sentences |
{{systems_data_affected}} | Systems / data affected |
{{customers_affected}} | Customers / data subjects affected (count / categories, or none) |
{{cia_impact}} | Confidentiality / integrity / availability impact |
{{breach_determination}} | Breach determination by CEO + GC — breach? Y/N; notification obligations |
{{timeline_time}} | Timeline entry — time |
{{timeline_event}} | Timeline entry — event / action |
{{immediate_cause}} | Immediate cause |
{{root_cause}} | Root cause (5 Whys / contributing factors) |
{{detection_response_assessment}} | Why detection/response did or didn’t work as designed |
{{action}} | Corrective / preventive action |
{{action_type}} | Action type (correct / prevent) |
{{action_owner}} | Action owner |
{{action_due}} | Action due date |
{{incident_manager_date}} | Date the Incident Manager signed off |
{{breach_approver_name}} | Name of the CEO/GC making the breach determination |
{{breach_approver_date}} | Date of the breach-determination sign-off |
Cross-references