Post-Incident Review Procedure ([RES-PROC-003])

1. Purpose

To outline the process for conducting a formal ‘lessons learned’ review after a significant incident is resolved and for tracking resulting action items to completion.

2. Scope

This procedure applies to all significant information security incidents, as determined by the Incident Commander at the time the incident is declared resolved.

3. Overview

This procedure ensures that after a significant incident, a formal review is conducted to analyze the response, identify improvements, update documentation, and track corrective actions to enhance future incident response capabilities.

4. Procedure

Step | Who | What
---- | --- | ----
1 | Incident Commander | Schedule a formal post-incident review meeting within two weeks of the incident’s resolution, while evidence and recollections are still fresh.
2 | Incident Response Team (IRT) | During the meeting, reconstruct the incident timeline (detection, containment, eradication, recovery), assess the effectiveness of each response action, and identify areas for improvement.
3 | Security Team | Update the Incident Response Plan (IRP) and any other relevant procedures or documentation based on the findings from the review.
4 | Incident Commander | Assign each identified action item to a specific owner with a clear due date, record it in the Action Item Tracking Log, and track it to completion.

5. Standards Compliance

Procedure Step(s) | Standard/Framework | Control Reference
----------------- | ------------------ | -----------------
1-4 | SOC 2 | CC2.1
1-4 | NIST Cybersecurity Framework | RC.IM

6. Artifact(s)

A Post-Incident Report including a “lessons learned” section, and an Action Item Tracking Log recording each corrective action with its owner, due date, and current status.

7. Definitions

Action Item Tracking Log: A formal record used to document, assign, and monitor the status of corrective actions identified during a post-incident review.

Post-Incident Report: The written output of the post-incident review, covering the incident timeline, the assessment of the response, and the lessons learned.

8. Responsibilities

Role | Responsibility
---- | --------------
Incident Commander | Chairs the post-incident review meeting and ensures action items are assigned and tracked.
Incident Response Team (IRT) | Actively participates in the review, providing insights into the response process.
Security Team | Updates security documentation based on the outcomes of the review.