This article provides additional information on how you can meet the requirement for the CAF control – D2.b Using Incidents to Drive Improvements.
Documented Incident Review Process
- A documented incident review process should be maintained, supported by the organisation’s Incident Management Plan, to ensure lessons learned from every incident and near miss are:
  - captured
  - analysed
  - acted upon
- Each review should consider:
  - reporting processes
  - roles and responsibilities
  - technical root causes
  - system vulnerabilities
  - policy or procedural gaps identified during the incident.
Incident Review and Remediation Reports
- Following each incident:
  - an incident review and remediation report should be produced
  - improvement actions should be logged and prioritised based on risk and potential impact
  - responsible owners should be assigned to each action
  - high-priority improvements should be addressed promptly
- Changes may include:
  - updated controls
  - revised procedures
  - retesting parts of the incident response plan.
Sharing Insights and Enhancing Governance
- Insights from incident reviews should be shared with senior management.
- Findings should feed into broader risk management and continuous improvement activities.
Learning from External Incidents
Where relevant, broader industry incidents — particularly those affecting MSPs — should be reviewed to help identify trends or emerging risks.
Strengthening Security Posture
This structured approach ensures that every incident contributes to measurable improvements in the organisation’s security posture and operational resilience.