SOC2-CC7-POST-INCIDENT-REVIEW
Post-Incident Review Process
What this control does
Requires blameless post-mortems after security incidents to identify root causes, contributing factors, and preventive actions.
Implementation guidance
Conduct a written post-mortem within 5 business days of any P1 or P2 security incident. Document timeline, root cause, contributing factors, and action items with owners and due dates. Store post-mortems in a shared location. Track action item completion in your issue tracker.
Requirements satisfied
Why it matters
Skipped or delayed post-mortems mean your team repeats the same failures—attackers exploit the same weaknesses, detection gaps persist, and you burn through incident response capacity on preventable events. Without documented root causes and action items, you lose the institutional knowledge needed to strengthen your security posture over time.
Evidence to collect
- Post-mortem document from a P1 incident (e.g., PDF, Confluence page, or Google Doc with timeline, root cause, and contributing factors)
- Issue tracker dashboard or export showing action items tied to incident post-mortems, with owner, due date, and completion status
- Incident log or triage record showing P1/P2 classification and post-mortem initiation date relative to incident resolution
- Completed action item with closure evidence (e.g., JIRA ticket with comment and screenshot showing 'Done' status, PR linked, or remediation confirmation)
Testing procedure
Request all P1 and P2 incidents from the past 12 months. For each, verify a written post-mortem was completed within 5 business days of resolution. Confirm the post-mortem includes a timeline with specific timestamps, identified root cause, at least two contributing factors, and action items with named owners and due dates. Spot-check 3–5 action items to verify they were tracked to completion in the issue tracker and closed out with evidence (ticket updated, PR merged, policy version bumped).
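The testing procedure above can be applied mechanically to an export of incident records. The script below is an added example, not part of the control text or any vendor tool; the record layout (fields such as `resolved_on`, `postmortem.completed_on`, `action_items[].closure_evidence`) and the sample incidents are constructed assumptions. It counts business days between resolution and post-mortem completion, checks the required post-mortem fields, and flags action items that are open past their due date or were closed without evidence.

```python
"""Audit helper for the post-incident review control (added example; the record
layout and the sample incidents are constructed assumptions, not a real export)."""
from datetime import date, datetime, timedelta

POSTMORTEM_DEADLINE_BUSINESS_DAYS = 5
MIN_CONTRIBUTING_FACTORS = 2


def business_days_between(start: date, end: date) -> int:
    """Count weekdays after `start` up to and including `end` (Mon-Fri; public holidays are ignored)."""
    days, current = 0, start
    while current < end:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days += 1
    return days


def _has_timestamp(entry: dict) -> bool:
    """A timeline entry counts only if its `at` field parses as an ISO-8601 timestamp."""
    try:
        datetime.fromisoformat(entry.get("at", ""))
        return True
    except ValueError:
        return False


def audit_incident(incident: dict, today: date) -> list[str]:
    """Return a list of findings for one incident; an empty list means the control is satisfied."""
    findings: list[str] = []
    if incident.get("severity") not in ("P1", "P2"):
        return findings  # the control only covers P1/P2 incidents
    pm = incident.get("postmortem")
    if pm is None:
        return ["no post-mortem on file"]
    lag = business_days_between(date.fromisoformat(incident["resolved_on"]),
                                date.fromisoformat(pm["completed_on"]))
    if lag > POSTMORTEM_DEADLINE_BUSINESS_DAYS:
        findings.append(f"post-mortem completed {lag} business days after resolution (limit 5)")
    timeline = pm.get("timeline", [])
    if not timeline or not all(_has_timestamp(e) for e in timeline):
        findings.append("timeline missing or entries lack timestamps")
    if not pm.get("root_cause"):
        findings.append("root cause not documented")
    if len(pm.get("contributing_factors", [])) < MIN_CONTRIBUTING_FACTORS:
        findings.append("fewer than two contributing factors")
    items = pm.get("action_items", [])
    if not items:
        findings.append("no action items")
    for item in items:
        item_id = item.get("id", "?")
        if not item.get("owner") or not item.get("due"):
            findings.append(f"action item {item_id} lacks owner or due date")
            continue  # cannot evaluate due-date state without a due date
        if item.get("status") == "Done" and not item.get("closure_evidence"):
            findings.append(f"action item {item_id} closed without evidence")
        elif item.get("status") != "Done" and date.fromisoformat(item["due"]) < today:
            findings.append(f"action item {item_id} overdue since {item['due']}")
    return findings


def audit_all(incidents: list[dict], today: date) -> dict[str, list[str]]:
    """Map incident id -> findings for every incident in the export."""
    return {inc["id"]: audit_incident(inc, today) for inc in incidents}


AS_OF = date(2024, 5, 1)  # constructed audit date

# Constructed sample export: one compliant P1 with an overdue action item, one P2
# with several gaps, and one P3 that is out of scope.
SAMPLE_INCIDENTS = [
    {"id": "INC-001", "severity": "P1", "resolved_on": "2024-03-01",
     "postmortem": {
         "completed_on": "2024-03-08",  # Friday -> Friday = 5 business days
         "timeline": [{"at": "2024-02-29T14:05:00+00:00", "event": "alert fired"},
                      {"at": "2024-03-01T09:30:00+00:00", "event": "service restored"}],
         "root_cause": "expired TLS certificate on the ingress",
         "contributing_factors": ["no expiry monitoring", "manual renewal process"],
         "action_items": [
             {"id": "AI-1", "owner": "platform", "due": "2024-03-22", "status": "Done",
              "closure_evidence": "PR merged (placeholder reference)"},
             {"id": "AI-2", "owner": "secops", "due": "2024-04-01", "status": "Open"}]}},
    {"id": "INC-002", "severity": "P2", "resolved_on": "2024-03-01",
     "postmortem": {
         "completed_on": "2024-03-12",  # 7 business days: too late
         "timeline": [{"at": "2024-03-01T02:00:00+00:00", "event": "credential stuffing spike"}],
         "root_cause": "no rate limit on login endpoint",
         "contributing_factors": ["alert threshold too high"],  # only one
         "action_items": [{"id": "AI-3", "owner": "", "due": "2024-03-29", "status": "Open"}]}},
    {"id": "INC-003", "severity": "P3", "resolved_on": "2024-03-15"},
]

if __name__ == "__main__":
    for incident_id, findings in audit_all(SAMPLE_INCIDENTS, AS_OF).items():
        print(incident_id, "OK" if not findings else "; ".join(findings))
```

Run against a real tracker export, the per-incident findings become the auditor's spot-check list; the business-day counter ignores public holidays, so treat a 5-day result as a trigger for review rather than an automatic failure.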
Common gotchas
Teams often conflate "incident report" with "post-mortem"—a post-mortem is blameless and forward-looking, not a root-cause autopsy for disciplinary purposes; if your culture treats post-mortems as blame sessions, participants will hide information and you'll miss real lessons. Another trap is creating detailed post-mortems but never closing the action items; set a rolling quarterly review where unowned or overdue actions get escalated to leadership.