Incident Management

Complete template

Need a complete template of this directive customized for your organization? Learn more ->

Version: 1.0 | Effective from: 1 January 2026

---

1. Purpose

This directive defines the process for managing security incidents, including detection, response, notification, and recovery.

---

2. Incident Definition

2.1 Incident types

Type	Examples	Regulation
Data Breach	Data leak, unauthorized access	GDPR
Security Incident	Malware, ransomware, intrusion	NIS2
AI Incident	Bias, hallucination, malfunction	AI Act
Availability	DDoS, system failure	NIS2
Compliance	Policy violation	Internal

2.2 Severity Classification

Severity	Definition	Response Time	Escalation
Critical	Business critical impact, data breach	<1h	CEO + Board
High	Significant impact, potential breach	<4h	C-level
Medium	Limited impact, contained	<24h	Management
Low	Minimal impact, no data at risk	<72h	Team lead

---

3. Incident Response Team (IRT)

3.1 Team composition

Role	Primary	Backup
Incident Commander	CISO	IT Director
Technical Lead	Security Engineer	SRE Lead
Communications	PR Manager	CEO
Legal	CLO	External counsel
DPO	DPO	Privacy consultant
Business	COO	Department head

3.2 Contact information

CONTACT INFORMATION

• INCIDENT HOTLINE: [PLACEHOLDER]
• EMAIL: security@company.com
• SLACK: #incident-response

On-call rotation:

Week	Contact
Week 1	[Name 1]
Week 2	[Name 2]
Week 3	[Name 3]
Week 4	[Name 4]

---

4. Incident Response Process

4.1 Response phases

---

5. Notification Requirements

5.1 Internal Notification

Severity	Notify	Timeline
Critical	CEO, Board, All C-level	Immediate
High	CISO, CTO, relevant C-level	<1h
Medium	CISO, Team leads	<4h
Low	CISO	<24h

5.2 External Notification (Regulatory)

Regulation	Authority	Timeline	Trigger
GDPR	National DPA	72h	Personal data breach
NIS2	National CSIRT	24h (initial), 72h (full)	Significant incident
AI Act	—	Document	AI incident

5.3 Notification Templates

Initial Notification (24h) — National CSIRT:

• Incident ID
• Detection time
• Affected systems
• Initial assessment
• Containment status
• Contact info

Full Report (72h) — National DPA:

• Nature of breach
• Categories of data
• Number of subjects
• Likely consequences
• Measures taken
• DPO contact

---

6. Data Breach Specific Process

6.1 Data Breach Assessment

Data Breach Checklist:

• What happened?
• When was it discovered?
• When did it start?
• What data is affected?
• How many data subjects are affected?
• Is the data encrypted?
• Was the key compromised?
• What is the risk to data subjects?
• Is notification required?

6.2 Subject Notification Criteria

Notify data subjects if:

• High risk to rights and freedoms
• Unencrypted sensitive data
• Financial data exposed
• Health data exposed
• Credentials exposed (plaintext)

6.3 Subject Notification Content

• What happened (without technical details)
• What data was affected
• What is the risk
• What we are doing
• What you can do
• DPO contact

---

7. AI Incident Specific Process

7.1 AI Incident Types

Type	Example	Severity
Bias	Discriminatory outputs	High
Hallucination	Factually incorrect	Medium
Privacy leak	PII in outputs	Critical
Malfunction	System not working	Medium
Adversarial	Model manipulation	High

7.2 AI Incident Response

---

8. Communication

8.1 Internal Communication

Audience	Channel	Frequency
IRT	War room / Slack	Continuous
Management	Email + call	Every 4h (critical)
Employees	Email	As needed

8.2 External Communication

Audience	Responsibility	Approval
Regulators	DPO / CISO	CLO
Customers	PR + CS	CEO
Media	PR	CEO
Partners	Account manager	COO

8.3 Communication Templates

Internal Status Update:

Subject: [INCIDENT-XXX] Status Update #N

Current Status: [ACTIVE/CONTAINED/RESOLVED]
Severity: [CRITICAL/HIGH/MEDIUM/LOW]

Summary: [2-3 sentences]

Timeline:
- [Time]: [Event]
- [Time]: [Event]

Current Actions:
- [Action 1]
- [Action 2]

Next Update: [Time]
Incident Commander: [Name]

---

9. Documentation

9.1 Incident Record

Every incident must contain:

Field	Description
Incident ID	Unique identifier
Detection time	When discovered
Start time	When it started (estimate)
End time	When resolved
Severity	Classification
Type	Data breach / Security / AI
Description	What happened
Impact	What was the impact
Root cause	Cause
Actions taken	What we did
Lessons learned	What to improve
Follow-up actions	Preventive measures

9.2 Retention

Document	Retention
Incident report	5 years
Evidence	5 years
Communication logs	5 years
Forensic reports	5 years

---

10. Post-Incident Review

10.1 Post-Mortem Template

POST-MORTEM: [INCIDENT-XXX]

1. INCIDENT SUMMARY
   - What happened
   - Timeline
   - Impact

2. ROOT CAUSE ANALYSIS
   - What failed
   - Why it failed
   - Contributing factors

3. WHAT WENT WELL
   - Effective responses
   - Good decisions

4. WHAT COULD BE IMPROVED
   - Gaps identified
   - Process issues

5. ACTION ITEMS
   - Preventive measures
   - Process improvements
   - Training needs
   - Tool improvements

6. FOLLOW-UP
   - Owner for each action
   - Deadlines
   - Review date

---

11. Training & Exercises

Exercise	Frequency	Scope
Tabletop exercise	Quarterly	IRT
Phishing simulation	Quarterly	All employees
IR drill	Semi-annually	IRT + IT
Full-scale exercise	Annually	Organization-wide

---

12. Policy Review

• After each incident: Review lessons learned
• Quarterly: Metrics review, process update
• Annually: Full policy review + CISO approval

Next review: Q2 2026