Security Incident Report Form Template
Capture key incident facts and response steps consistently with this Security Incident Report Form Template.
Security Incident Report Form Template
This Security Incident Report (the “Report”) is created for [Company Name] on [Report Date].
1. Incident Identification
1.1 Incident ID. [Incident ID].
1.2 Incident Title. [Short descriptive title].
1.3 Severity Level. ☐ SEV-1 (Critical) ☐ SEV-2 (High) ☐ SEV-3 (Moderate) ☐ SEV-4 (Low).
1.4 Incident Type.
☐ Phishing/Social engineering
☐ Malware/Ransomware
☐ Unauthorized access
☐ Data exposure/leak
☐ Denial of service
☐ Insider threat
☐ Misconfiguration
☐ Lost/stolen device
☐ Third-party/vendor incident
☐ Other: [Describe]
2. Discovery and Timeline
2.1 Detected/Reported By. [Name/Role].
2.2 Detection Method. ☐ Alert/monitoring ☐ User report ☐ Vendor notice ☐ Audit finding ☐ Other: [Method].
2.3 Date/Time Discovered. [Date/Time] (timezone: [TZ]).
2.4 Estimated Start Time (If Known). [Date/Time].
2.5 Date/Time Contained (If Known). [Date/Time].
2.6 Date/Time Resolved (If Known). [Date/Time].
2.7 Incident Summary (Initial). [Brief summary of what was observed].
3. Affected Systems and Accounts
3.1 Systems/Services Impacted. [List systems, apps, cloud accounts, endpoints].
3.2 Network/Environment. ☐ Production ☐ Staging ☐ Internal IT ☐ Cloud ☐ Other: [Environment].
3.3 Accounts Impacted. [Usernames/emails/roles if applicable].
3.4 Third-Party Involvement. ☐ None ☐ Vendor/service: [Name] ☐ Unknown (investigating).
4. Data Impact Assessment
4.1 Data Types Potentially Affected.
☐ Credentials
☐ Customer personal data
☐ Employee personal data
☐ Payment data
☐ Health data
☐ Financial records
☐ Intellectual property
☐ Confidential business information
☐ Other: [Describe]
4.2 Estimated Number of Records/Individuals. [Estimate].
4.3 Encryption Status.
☐ Data encrypted at rest
☐ Data encrypted in transit
☐ Encryption unknown
Details: [Key management and exposure notes].
4.4 Evidence of Exfiltration. ☐ Yes ☐ No ☐ Unknown.
If yes/unknown, describe indicators: [Logs/alerts].
5. Containment and Immediate Actions
5.1 Actions Taken.
[Action and timestamp]
[Action and timestamp]
[Action and timestamp]
5.2 Access Revoked/Rotated.
☐ Password resets
☐ MFA enforced
☐ API keys rotated
☐ Tokens revoked
☐ Certificates rotated
☐ Other: [Actions]
5.3 Systems Isolated. ☐ Yes ☐ No. If yes, how: [Details].
5.4 Backups/Recovery Steps. [If applicable].
6. Investigation Findings
6.1 Root Cause (If Known). [Phishing, vulnerability, misconfiguration, insider, etc.].
6.2 Attack Vector/Entry Point. [Details].
6.3 Timeline of Key Events.
[Date/time] – [Event]
[Date/time] – [Event]
[Date/time] – [Event]
6.4 Indicators of Compromise (IOCs). [IPs, domains, hashes, user agents, etc.].
6.5 Forensics Involvement. ☐ Internal only ☐ External vendor engaged: [Name] ☐ Outside counsel involved.
7. Notifications and Communications
7.1 Internal Notifications. Notified: ☐ Security ☐ IT ☐ Legal ☐ Privacy ☐ Exec ☐ HR ☐ Other: [Teams].
7.2 External Notifications.
☐ Customers notified
☐ Regulators notified
☐ Law enforcement contacted
☐ Vendors notified
☐ Not required (document rationale)
Details: [Who/when/method].
7.3 Public Statement Needed. ☐ Yes ☐ No ☐ TBD.
7.4 Customer Support Plan. [Macros/FAQ/escalation steps].
8. Remediation and Follow-Up
8.1 Remediation Actions.
[Fix/control improvement] – Owner: [Name] – Due: [Date]
[Fix/control improvement] – Owner: [Name] – Due: [Date]
8.2 Monitoring Improvements. [New alerts/logging].
8.3 Policy/Process Updates. [Playbook changes, training updates].
8.4 Lessons Learned Meeting Date. [Date].
9. Attachments and Evidence
9.1 Evidence References.
☐ Log exports
☐ Screenshots
☐ Ticket links
☐ Forensics report
☐ Vendor notice
☐ Other: [List]
9.2 Storage Location. Evidence stored at: [Secure folder/link], access limited to: [Roles].
10. Approvals
10.1 Reviewed By (Security). [Name/Title] – Date: [Date].
10.2 Reviewed By (Legal/Privacy, If Applicable). [Name/Title] – Date: [Date].
10.3 Final Approval. [Name/Title] – Date: [Date].
Signatures
By signing below, the undersigned confirm that this Report reflects the incident details and response actions documented as of the signature date.
Prepared By: [Name]
Title/Role: [Title]
Date: [Date]
Signature: ___________________________
Incident Commander: [Name]
Title/Role: [Title]
Date: [Date]
Signature: ___________________________
Approved By (If Required): [Name]
Title/Role: [Title]
Date: [Date]
Signature: ___________________________
SECURITY INCIDENT REPORT FORM TEMPLATE FAQ
What is a security incident report form?
A security incident report form is a standardized document used to record the details of a suspected or confirmed security incident. It helps teams capture what happened, when it happened, what systems and data were affected, actions taken, and what follow-up is needed.
When should you use a security incident report form?
Use it as soon as an incident is suspected, even if details are incomplete. A form creates a timeline and ensures important information (like logs, affected accounts, and containment steps) is captured early and consistently.
What information should be included in an incident report?
Most incident reports include incident identification, discovery details, affected systems, incident type, severity, potential data exposure, actions taken, evidence/log references, communications and notifications, and remediation tasks. This template also includes fields for approvals and sign-off.
Who completes and approves the incident report?
Typically the security/IT responder completes it, with review by an incident commander, security leadership, and legal/privacy if personal data may be involved. The final sign-off depends on the severity and your internal policies.
How does this relate to a breach response playbook?
The playbook tells you what steps to follow; the incident report form is where you record those steps and outcomes. Using both together helps prove you responded reasonably and consistently.
What is AI Lawyer?
AI Lawyer is an AI-powered assistant that helps you create and customize legal and business document templates online. It guides you through key sections, suggests wording, and explains complex concepts in simple language. AI Lawyer does not replace a licensed attorney or provide legal advice, but helps you prepare better documents faster and more confidently.