17.8
IG2 IG3

Conduct Post-Incident Reviews

Asset Type: N/A
Security Function: Recover

Description

Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons learned and follow-up action.

Implementation Checklist

1. Define recovery objectives (RTO/RPO)
2. Implement recovery capabilities and procedures
3. Test recovery procedures on a regular schedule
4. Document recovery procedures and contact information
5. Develop incident response plan and playbooks
6. Define roles, escalation paths, and communication channels
7. Conduct tabletop exercise to validate plan
8. Establish post-incident review process

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Recurrence of Previously Experienced Incident Type

Confidentiality

The organization suffers the same type of security incident repeatedly because no post-incident review was conducted to identify root causes and implement corrective actions after the first occurrence.

Same Attack Vector Exploited by Different Threat Actors

Integrity

Multiple threat actors exploit the same vulnerability or attack path because the organization never conducted a post-incident review to close the gap after the initial compromise.

Vulnerabilities (When Safeguard Absent)

No Post-Incident Review Process

Without post-incident reviews, the organization does not identify lessons learned, root causes, or corrective actions after security incidents, resulting in repeated exposure to the same attack vectors.

No Follow-Up Action Tracking from Incidents

Absence of post-incident reviews means remediation actions identified during incident response are not formally documented or tracked to completion, allowing identified weaknesses to persist.

Evidence Requirements

| Type     | Evidence Item                                                 | Collection Frequency  |
|----------|---------------------------------------------------------------|-----------------------|
| Document | Recovery plan documentation                                   | Reviewed annually     |
| Record   | Recovery test results and lessons learned                     | Tested quarterly      |
| Document | Incident response plan and playbooks                          | Reviewed bi-annually  |
| Record   | Incident reports and post-incident review documentation       | Per incident          |
| Document | Governing policy document (current, approved, communicated)   | Reviewed annually     |

Related Policy Templates