Incident Report Form
| Property | Value |
|---|---|
| Document ID | TPL-003 |
| Version | 1.0 |
| Status | Draft |
| Owner | Security Team |
| Last Updated | 2026-01-11 |
| Next Review | 2027-01-11 |
| Related Controls | SOC 2: CC7.3, CC7.4 / ISO 27001: A.5.24-A.5.28 |
1. Purpose
This form documents security incidents from initial detection through resolution and closure. Complete documentation supports investigation, regulatory compliance, and lessons learned.
2. When to Use
Report immediately when you observe or suspect:
- Unauthorized access to systems or data
- Malware or ransomware
- Phishing attempts (especially if credentials were submitted)
- Data breach or data loss
- System compromise
- Policy violations
- Suspicious activity
3. Incident Report Form
Section A: Initial Report (Complete Immediately)
| Field | Value |
|---|---|
| Incident ID | INC-[YYYY]-[XXX] (assigned by Security) |
| Date/Time Detected | _________________________________ |
| Date/Time Reported | _________________________________ |
| Reporter Name | _________________________________ |
| Reporter Contact | _________________________________ |
| Reporter Department | _________________________________ |
Section B: Incident Classification
Incident Category (select one):
| Category | Description | ☐ |
|---|---|---|
| Malware/Ransomware | Virus, trojan, ransomware | ☐ |
| Phishing | Email-based social engineering | ☐ |
| Unauthorized Access | Access without permission | ☐ |
| Data Breach | Unauthorized data disclosure | ☐ |
| Data Loss | Accidental deletion/loss | ☐ |
| Denial of Service | Service disruption attack | ☐ |
| Insider Threat | Malicious or negligent insider | ☐ |
| Physical Security | Unauthorized physical access | ☐ |
| Third-Party | Vendor or partner incident | ☐ |
| Policy Violation | Internal policy breach | ☐ |
| Other | _________________________ | ☐ |
Initial Severity (select one):
| Severity | Description | ☐ |
|---|---|---|
| Critical (P1) | Active breach, significant data loss, business-impacting | ☐ |
| High (P2) | Potential breach, significant threat, limited impact | ☐ |
| Medium (P3) | Security violation, policy breach, contained threat | ☐ |
| Low (P4) | Suspicious activity, minor violation, informational | ☐ |
Section C: Incident Description
What happened? (Describe what you observed or what was reported)
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
When did it happen? (Date, time, duration)
_____________________________________________________________________________
_____________________________________________________________________________
Where did it happen? (Systems, locations, networks affected)
_____________________________________________________________________________
_____________________________________________________________________________
Who is involved? (Users, accounts, IP addresses, if known)
_____________________________________________________________________________
_____________________________________________________________________________
What data/systems are affected? (Be specific)
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
Section D: Immediate Actions Taken
| # | Action | By | Date/Time |
|---|---|---|---|
| 1 | |||
| 2 | |||
| 3 | |||
| 4 | | | |
Section E: Evidence Collected
| Evidence Type | Description | Location | Collected By | Date |
|---|---|---|---|---|
| Screenshot | ||||
| Log files | ||||
| System image | ||||
| Other | | | | |
Note: Do NOT modify or delete any evidence. Preserve everything in its current state.
4. Incident Investigation Section
Completed by Security Team
Section F: Investigation Details
| Field | Value |
|---|---|
| Assigned Investigator | _________________________________ |
| Investigation Start | _________________________________ |
| Investigation Complete | _________________________________ |
Root Cause Analysis:
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
Attack Vector / Entry Point:
_____________________________________________________________________________
_____________________________________________________________________________
Timeline of Events:
| Date/Time | Event |
|---|---|
| Initial compromise / incident start | |
| Detection | |
| Escalation | |
| Containment | |
| Eradication | |
| Recovery | |
| Closure | |
Section G: Impact Assessment
Data Impact:
| Question | Answer |
|---|---|
| Was data accessed? | Yes / No / Unknown |
| Was data exfiltrated? | Yes / No / Unknown |
| Data classification level | Public / Internal / Confidential / Restricted |
| Number of records | _____________ |
| Type of data | _____________ |
| Individuals affected | _____________ |
System Impact:
| Question | Answer |
|---|---|
| Systems affected | _____________ |
| Downtime duration | _____________ |
| Services impacted | _____________ |
Business Impact:
| Impact Type | Description | Estimated Cost |
|---|---|---|
| Financial | | $ |
| Operational | ||
| Reputational | ||
| Regulatory | ||
| Legal | | |
Section H: Containment & Eradication
Containment Actions:
| # | Action | Status | Completed By | Date |
|---|---|---|---|---|
| 1 | ||||
| 2 | ||||
| 3 | | | | |
Eradication Actions:
| # | Action | Status | Completed By | Date |
|---|---|---|---|---|
| 1 | ||||
| 2 | ||||
| 3 | | | | |
Section I: Recovery
Recovery Actions:
| # | Action | Status | Completed By | Date |
|---|---|---|---|---|
| 1 | ||||
| 2 | ||||
| 3 | | | | |
Verification:
- Systems restored to normal operation
- Affected credentials reset
- Monitoring in place for recurrence
- Business processes resumed
5. Notifications & Reporting
Section J: Internal Notifications
| Stakeholder | Notified | Date | Method |
|---|---|---|---|
| CISO | Yes / No | ||
| Executive Team | Yes / No | ||
| Legal | Yes / No | ||
| HR | Yes / No | ||
| Communications | Yes / No | ||
| Affected Business Units | Yes / No | | |
Section K: External Notifications
| Recipient | Required | Notified | Date | Method |
|---|---|---|---|---|
| Regulatory Authority (GDPR) | Yes / No | Yes / No / N/A | ||
| Affected Individuals | Yes / No | Yes / No / N/A | ||
| Law Enforcement | Yes / No | Yes / No / N/A | ||
| Cyber Insurance | Yes / No | Yes / No / N/A | ||
| Customers/Partners | Yes / No | Yes / No / N/A | | |
6. Post-Incident Review
Section L: Lessons Learned
What worked well?
_____________________________________________________________________________
_____________________________________________________________________________
What could be improved?
_____________________________________________________________________________
_____________________________________________________________________________
Recommended Improvements:
| # | Improvement | Owner | Target Date | Status |
|---|---|---|---|---|
| 1 | ||||
| 2 | ||||
| 3 | | | | |
Section M: Incident Closure
| Field | Value |
|---|---|
| Final Severity | P1 / P2 / P3 / P4 |
| Closure Date | _________________________________ |
| Closed By | _________________________________ |
| Total Duration | _________________________________ |
| Post-Incident Review Date | _________________________________ |
Closure Approval:
| Role | Name | Signature | Date |
|---|---|---|---|
| Incident Commander | |||
| CISO (P1/P2) | | | |
7. Attachments Checklist
- Timeline document
- Evidence inventory
- Communication records
- Technical analysis report
- Post-incident review minutes
- Remediation tickets
8. Quick Reference: Incident Severity
| Severity | Examples | Response Time | Escalation |
|---|---|---|---|
| P1 Critical | Ransomware, confirmed breach, major outage | 15 min | CISO, Executive, Legal |
| P2 High | Malware, privilege escalation, targeted attack | 1 hour | CISO, IT Lead |
| P3 Medium | Phishing click, policy violation, suspicious access | 4 hours | Security Lead |
| P4 Low | Spam, failed attacks, vulnerability discovered | 24 hours | Security Team |
9. Related Documents
- Incident Response Policy (POL-008)
- Incident Response Playbook (PROC-005)
- Evidence & Audit Log Tracker (RISK-005)
10. Version History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2026-01-11 | Security Team | Initial release |
This document is classified as INTERNAL. Unauthorized distribution is prohibited.