Cybersecurity Incident Report Template | Download (2023)

Ever since we launched our customizable cybersecurity incident report template, I’ve been amazed by its volume of downloads.

I quickly realized that the increasing cyber threats from cyber criminals, malware, and ransomware are being taken seriously by organizations large and small and that there is a growing demand for guidance and information on cybersecurity incident response and reporting., a Slovakian company that provides advanced tools for monitoring online search engine activity, indicates that online searches for the phrases “cybersecurity incident report template” and “cybersecurity incident response” are increasing at a mind-blowing rate year over year.

(Video) Cybersecurity: Episode 8 - Incident report

Cybersecurity Incident Report Template | Download (2)


So, organizations are getting on board with cyber risk, and this is great news. I’ve been writing, tweeting, and giving talks about how to respond to cyber incidents for some time now—and companies are listening. Many are now taking action.

If you’re ready to get on board with properly minimizing the risk to your organization and data during or after a breach, but are not 100% sure of the process—this is the place to start. I’ll provide some procedure resources for handling the cyber incident response process, but let’s start by addressing 4 common questions.

(Video) Cyber Security Incident Response Plan Template | Thycotic

  1. What is incident response?

Incident response is an organization’s reaction to halting and recovering from a cybersecurity incident, and the response plan must be in place before the incident occurs. Incident response is one of the major components to helping an organization become more resilient to cyber attacks.

You may already know a security incident as:

  • An information security incident
  • An IT security incident
  • A network security incident
  • A security breach
  • A data breach
  • A cyber attack
  • A ransomware attack
  • Or, “We’ve been hacked!”

They’re all pretty much cut from the same cloth, and the only good response is to meticulously follow a tailored cyber incident response plan (CIRP) that you have ready to go at a moment’s notice.

The goal of having an incident response plan is to ensure that your organization is fully prepared for, and ready to respond to any level of cybersecurity incident fast and effectively. And today, incidents are inevitable. All that varies is the breadth and depth.

Here’s Gartner’s definition of a CIRP: Also known as a “computer incident response plan,” this is formulated by an enterprise to respond to potentially catastrophic, computer-related incidents, such as viruses or hacker attacks. The CIRP should include steps to determine whether the incident originated from a malicious source — and, if so, to contain the threat and isolate the enterprise from the attacker.

  1. Is there a difference between incident response and incident handling?

Well, yes, although response and handling go hand in hand, and without both, you do not have a sound incident response process. Incident response refers to the technical aspects of incident analysis and containment, whereas incident handling refers to the human responsibilities: the communications, coordination, and cooperation required to see the process through.

  1. What is the incident response life cycle?

The life cycle of a cyber incident is defined by the stages a typical incident goes through, and it includes everything from preparing for an incident to analyzing the lessons you learned after experiencing one. I like this version of the incident response life cycle:

Preparation > Incident Discovery and Confirmation > Containment and Continuity > Eradication > Recovery > Lessons Learned

(Video) CISA Cybersecurity Incident Response Playbook - Episode 1 - An Overview

  1. What are the different types of information security incidents?

There are many types of cybersecurity incidents that can result in intrusions on your organization’s network or full-on data breaches, but I’m going to focus on the six to which I believe organizations are most vulnerable:

  • Phishing attacks: you click on a link in an authentic-looking email and end up giving away sensitive information (like a password), or enabling ransomware or some other malware. Companies are super-vulnerable to phishing attacks because cybercriminals target the weakest links in most companies—its employees—and success rates are high! A more targeted type of phishing attack known as spearfishing occurs when the attacker invests time researching the victim in order to pull off an even more successful attack.
  • Denial-of-service (DoS) attacks: the point of this attack is to shut down an individual machine or entire network so that it cannot respond to service requests. DoS attacks achieve this by inundating the target with traffic or sending it some information that triggers a crash.
  • Man-in-the-middle (MitM) attacks: an outside entity intercepts and alters the communication between two parties who believe they are communicating with each other. By impersonating them both, the attacker manipulates both victims in an effort to gain access to data. The users are blissfully unaware that they are both talking to an attacker. Session hijacking, email hijacking, and Wi-Fi eavesdropping are all examples of MitM attacks.
  • Drive-by attacks: a common method of spreading malware, criminal hackers seek out insecure websites and plant a malicious script into code on one of the pages. The script could install malware onto the computer of someone who visits the site or re-direct the victim to a different site controlled by the hackers.
  • Password attacks: this sort of attack is aimed specifically at obtaining a user or an account’s password. Criminal hackers use a variety of techniques for getting their hands on passwords, such as password-cracking programs, dictionary attacks, password “sniffers”, or brute-force password guessing, often based on some personal knowledge of an individual (like the birthday, dog’s name, etc.) This is why strong passwords are so important.
  • Malware and ransomware attacks: a broad term for any sort of malicious software that’s installed on your system without your consent can be considered malware. You are probably familiar with many types of malware—file infectors, worms, Trojans, ransomware, adware, spyware, logic bombs, and different types of viruses. Some are inadvertently installed when an employee installs freeware or other software, clicks on an ad, or visits an infected website. The possibilities are endless, therefore so are the chances of an employee falling victim to a malware attack.
    Related Materials: Download our Free Guide – Ransomware on the Rise (Best practices to become more resilient so you can avoid being the next ransomware victim).

Industry-specific cybersecurity incident reporting

The incident response process described in the life cycle above is largely the same for all organizations, but the incident reporting procedure varies for certain industries. For example, if you’re in the healthcare industry you may need to observe the HIPAA incident reporting requirements.

These are some industry regulations that have very specific laws around incident reporting, and who they apply to:

HIPPA – if you create, receive, maintain or transmit electronically protected health information

FISMA/NIST – if you’re a Federal agency or government contractor

PCI DSS – if you accept, store, or transmit credit card data

NERC/CIP – if you’re an energy and utility company

SOX – if your organization is a public company (though in some cases private companies must also comply with SOX regulations)

(Video) Building a Cybersecurity Incident Response Plan

NYCRR – if You’re a New York insurance company, bank, or other regulated financial services institution

If your organization must adhere to any of the above regulations, you must familiarize yourself with the incident reporting requirements that might uniquely apply to your industry. Links to helpful industry-specific information can be found in the incident response template.

The template also has:

  • Customization instructions
  • Assembling an incident response team, including IT, compliance, and communications representatives
  • Threat classification
  • A sample cyber Incident
  • Phase of the incident, and the appropriate actions to take at each step (the template ensures you capture all the right information)

As an additional resource, our whitepaper provides a broader incident response strategy.

Incident response is a plan I hope you’ll never need

I talk about the incident response process often, but always with the hope that you’ll never need to report an incident. And as more organizations take steps to protect themselves, become more resilient and recover quickly, I look forward to seeing fewer victims of cybercrime.

In the past few years, Gartner’s number 1 security project is privileged account management (PAM) But like incident response, Cybersecurity has a technical AND a human aspect—employee cyber awareness training is critical to your organization’s security. cybercriminals view employees as the fast track into your company’s network, so security training should be introduced on day one of your new hire orientation process.

No cybersecurity solution is bulletproof

No solution you choose to protect your privileged access, nor any amount of employee training, will guarantee you bullet-proof cybersecurity. After all, the cybercriminal’s ongoing challenge is to stay a step ahead of you. But having a rock-solid incident response procedure in place can minimize the damage—even stop it before it gets a foothold—and save you money, time, and your reputation.


What should be included in a cyber security incident report? ›

Include specific details regarding the system breach, vulnerability, or compromise of your computer and we will respond with a plan for further containment and mitigation.

How should an information security incident be reported answer? ›

Report actual or suspected IT security incidents as soon as possible so that work can begin to investigate and resolve them. If the incident poses any immediate danger, call 911 to contact law enforcement authorities immediately. You can also report IT security incidents within your unit or department.

What are the 6 phases in a cyber incident response plan? ›

Many organisations use NIST's Computer Security Incident Handling Guide as the basis of their incident response plan. It contains six phases: preparation, identification, containment, eradication, recovery and lessons learned.

How do I write a security incident report? ›

How to write a security report
  1. Take notes. Details and observations make up the bulk of your security reports. ...
  2. Start with a summary. ...
  3. Detail the narrative. ...
  4. Follow the form. ...
  5. Proofread. ...
  6. Avoid emotional language. ...
  7. Avoid abbreviations and conjunctions. ...
  8. Be prompt.

What is cyber Incident Reporting response? ›

Incident response is an organized approach to addressing and managing the aftermath of a security breach or cyberattack, also known as an IT incident, computer incident or security incident. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs.

What is a cyber security incident response plan? ›

A Cybersecurity Incident Response Plan is a document that gives IT and cybersecurity professionals instructions on how to respond to a serious security incident, such as a data breach, data leak, ransomware attack, or loss of sensitive information.

How many types of security incidents and responses are there? ›

Although security incidents are nothing new for businesses across industries, cybersecurity is quickly gaining traction as one of the top concerns for organizations in 2022.

Should companies report cybersecurity incidents or not? ›

The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), signed into law in March 2022, requires critical infrastructure companies to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA).

Why is IT important to report security incidents immediately choose all that apply? ›

Why is it Important to Report Security Incidents? There could be very serious ramifications for failing to so. There could be a significant loss of trust in the business, thus resulting in a loss of revenue. There could be legal implications, such as lawsuits and large fines.

What six points should be included in a report? ›

It should include:
  • the names and positions of the people involved.
  • the names of any witnesses.
  • the exact location and/or address of the incident.
  • the exact time and date of the occurrence.
  • a detailed and clear description of what exactly happened.
  • a description of the injuries.
24 Aug 2022

What are the six main ingredients in a security report? ›

What Is a Security Report?
  • The date and time of the incident.
  • The location of the incident, including address.
  • The type of incident, and a detailed account of what happened.
  • Names of any victims including their injuries.
  • Names of any witnesses, along with their accounts of what happened.
15 Jul 2019

What is included in an incident report? ›

An incident report is a tool that documents any event that may or may not have caused injuries to a person or damage to a company asset. It is used to capture injuries and accidents, near misses, property and equipment damage, health and safety issues, security breaches and misconducts in the worksite.

What are the 5 6 major stages of incident response? ›

The NIST incident response lifecycle breaks incident response down into four main phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Event Activity.

Which one is most important aspect of incident response? ›

Detection. One of the most important steps in the incident response process is the detection phase. Detection (also called identification) is the phase in which events are analyzed in order to determine whether these events might comprise a security incident.

How do you write an incident response plan? ›

Developing and implementing an incident response plan will help your business handle a data breach quickly and efficiently while minimizing the damage.

What are the 7 steps in incident response? ›

Understanding the Theory Behind Incident Response
  1. Preparation.
  2. Threat Detection.
  3. Containment.
  4. Investigation.
  5. Eradication.
  6. Recovery.
  7. Follow-Up.
29 Mar 2022

What makes a good incident response plan? ›

Incident response planning typically includes:

Procedures for each phase of the incident response process. Communication procedures within the incident response team, with the rest of the organization, and external stakeholders. How to learn from previous incidents to improve the organization's security posture.

What five phases should be covered in the incident response policy? ›

Preparation. Detection and analysis. Containment, eradication and recovery. Post-incident activity.

Do you need an incident response plan? ›

Incident response planning is important because it outlines how to minimize the duration and damage of security incidents, identifies stakeholders, streamlines digital forensics, improves recovery time, reduces negative publicity and customer churn.

What is the NIST incident response framework? ›

The NIST incident response process is a cyclical activity featuring ongoing learning and advancements to discover how to best protect the organization. It includes four main stages: preparation, detection/analysis, containment/eradication, and recovery.

How do you manage cyber security incidents? ›

Recommended phases of an incident management plan:
  1. Preparation. Provide incident management tools and processes. ...
  2. Analysis and Identification. Deciding whether a security incident has occurred. ...
  3. Containment. Contain the spread of the incident and prevent further damage. ...
  4. Eradication. ...
  5. Recovery. ...
  6. Lessons Learned.

Should companies report cybersecurity incidents or not? ›

The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), signed into law in March 2022, requires critical infrastructure companies to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA).

How do I report cyber issues? ›

Contact Your Local FBI Field Office. If you or your organization is the victim of a network intrusion, data breach, or ransomware attack, contact your nearest FBI field office or report it at

What constitutes a security incident? ›

An occurrence that actually or potentially jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.

How you might report a breach of online security? ›

Report a company for breach of data protection by making a complaint to the ICO. In cases where your personal data has not been affected by the breach, you can make a complaint to the ICO and trust them to look further into the case.

Why should you immediately report a cybersecurity incident? ›

Why is it Important to Report Security Incidents? There could be very serious ramifications for failing to so. There could be a significant loss of trust in the business, thus resulting in a loss of revenue. There could be legal implications, such as lawsuits and large fines.

Why is IT important to report security incident immediately? ›

Reporting IT security incidents immediately gives us the best chance of identifying what occurred and remediating it before IT resources can be fully exploited. If you suspect or observe that an IT security incident has occurred, report it immediately.

Why is cyber incident reporting important? ›

Timely cyber incident reporting allows CISA to rapidly deploy resources and render assistance to victims suffering attacks, identify emerging threats and trends, and quickly share threat information with federal partners and network defenders to take protective action and warn other potential victims.

When should you report a cyber incident? ›

In particular, a cyber incident should be reported if it: May impact national security, economic security, or public health and safety. Affects core government or critical infrastructure functions. Results in a significant loss of data, system availability, or control of systems.

What is the most common cause of a security incident? ›

Phishing is still the leading cause of security incidents.

Why should Cybersecurity issues be reported promptly? ›

For example, reporting an incident allows individuals to look out for suspicious activity, such as money disappearing from their bank accounts, and enables them to take steps to protect themselves. Notification also helps other organisations prepare for similar attacks.

What is the difference between an event and an incident? ›

Events and Incidents Comparison Summary

an event is raised to indicate a happening on the network or in Entuity. an incident indicates the persistence of an event, and can be called, amended and closed by more than one type of event.

How do you manage cyber security incidents? ›

Recommended phases of an incident management plan:
  1. Preparation. Provide incident management tools and processes. ...
  2. Analysis and Identification. Deciding whether a security incident has occurred. ...
  3. Containment. Contain the spread of the incident and prevent further damage. ...
  4. Eradication. ...
  5. Recovery. ...
  6. Lessons Learned.

Which of the following is not a security incident? ›

Basis approval, sharing access controlled Infosys process document with the Client manager are not security incidents.

What are the 3 categories of personal data breaches? ›

Personal data breaches can include:
  • access by an unauthorised third party;
  • deliberate or accidental action (or inaction) by a controller or processor;
  • sending personal data to an incorrect recipient;
  • computing devices containing personal data being lost or stolen;
  • alteration of personal data without permission; and.

What is an example of a data breach? ›

An example would be an employee using a co-worker's computer and reading files without having the proper authorization permissions. The access is unintentional, and no information is shared. However, because it was viewed by an unauthorized person, the data is considered breached.

How do I report a security breach in a company? ›

  1. Contain the incident.
  2. Identify and analyse any data that may have been breached.
  3. Contact affected parties promptly, outline potential risks and action to be taken.
  4. Report the breach to regulatory and industry bodies.


1. SOC 101: Real-time Incident Response Walkthrough
2. Create your own incident communication plan: Incident templates
3. 2022 Nonprofit Cybersecurity Incident Report
(Community IT Innovators)
4. How to Get Started with Cybersecurity Incident Response
(Phriendly Phishing)
5. Security Awareness Training: Incident Reporting
(Terranova Security)
6. 2021 Nonprofit Cybersecurity Incident Report
(Community IT Innovators)
Top Articles
Latest Posts
Article information

Author: Mr. See Jast

Last Updated: 04/01/2023

Views: 6045

Rating: 4.4 / 5 (55 voted)

Reviews: 86% of readers found this page helpful

Author information

Name: Mr. See Jast

Birthday: 1999-07-30

Address: 8409 Megan Mountain, New Mathew, MT 44997-8193

Phone: +5023589614038

Job: Chief Executive

Hobby: Leather crafting, Flag Football, Candle making, Flying, Poi, Gunsmithing, Swimming

Introduction: My name is Mr. See Jast, I am a open, jolly, gorgeous, courageous, inexpensive, friendly, homely person who loves writing and wants to share my knowledge and understanding with you.