Templates

Affiliate

Contact

FAQ

Blog

Sign in

Try for Free

Templates

Affiliate

Contact

FAQ

Blog

Sign in

Try for Free

Templates

Policy and Compliance Documents

Security Incident Report Form Template

Typical length: 4-6 pages

Length: 4-6 pages

AI Assisted

Export: PDF & DOCX

Multi-jurisdiction ready

Multi-jurisdiction

Get your custom agreement in minutes

Create Agreement

security-incident-report-form-template

4.8 Rating

Downloaded 4206 times

Google For Startups

NVIDIA Inception Program

Security Incident Report Form Template

This Security Incident Report (the “Report”) is created for [Company Name] on [Report Date].

1. Incident Identification

1.1 Incident ID. [Incident ID].
1.2 Incident Title. [Short descriptive title].
1.3 Severity Level. ☐ SEV-1 (Critical) ☐ SEV-2 (High) ☐ SEV-3 (Moderate) ☐ SEV-4 (Low).
1.4 Incident Type.
☐ Phishing/Social engineering
☐ Malware/Ransomware
☐ Unauthorized access
☐ Data exposure/leak
☐ Denial of service
☐ Insider threat
☐ Misconfiguration
☐ Lost/stolen device
☐ Third-party/vendor incident
☐ Other: [Describe]

2. Discovery and Timeline

2.1 Detected/Reported By. [Name/Role].
2.2 Detection Method. ☐ Alert/monitoring ☐ User report ☐ Vendor notice ☐ Audit finding ☐ Other: [Method].
2.3 Date/Time Discovered. [Date/Time] (timezone: [TZ]).
2.4 Estimated Start Time (If Known). [Date/Time].
2.5 Date/Time Contained (If Known). [Date/Time].
2.6 Date/Time Resolved (If Known). [Date/Time].
2.7 Incident Summary (Initial). [Brief summary of what was observed].

3. Affected Systems and Accounts

3.1 Systems/Services Impacted. [List systems, apps, cloud accounts, endpoints].
3.2 Network/Environment. ☐ Production ☐ Staging ☐ Internal IT ☐ Cloud ☐ Other: [Environment].
3.3 Accounts Impacted. [Usernames/emails/roles if applicable].
3.4 Third-Party Involvement. ☐ None ☐ Vendor/service: [Name] ☐ Unknown (investigating).

4. Data Impact Assessment

4.1 Data Types Potentially Affected.
☐ Credentials
☐ Customer personal data
☐ Employee personal data
☐ Payment data
☐ Health data
☐ Financial records
☐ Intellectual property
☐ Confidential business information
☐ Other: [Describe]
4.2 Estimated Number of Records/Individuals. [Estimate].
4.3 Encryption Status.
☐ Data encrypted at rest
☐ Data encrypted in transit
☐ Encryption unknown
Details: [Key management and exposure notes].
4.4 Evidence of Exfiltration. ☐ Yes ☐ No ☐ Unknown.
If yes/unknown, describe indicators: [Logs/alerts].

5. Containment and Immediate Actions

5.1 Actions Taken.

[Action and timestamp]
[Action and timestamp]
[Action and timestamp]
5.2 Access Revoked/Rotated.
☐ Password resets
☐ MFA enforced
☐ API keys rotated
☐ Tokens revoked
☐ Certificates rotated
☐ Other: [Actions]
5.3 Systems Isolated. ☐ Yes ☐ No. If yes, how: [Details].
5.4 Backups/Recovery Steps. [If applicable].

6. Investigation Findings

6.1 Root Cause (If Known). [Phishing, vulnerability, misconfig, insider, etc.].
6.2 Attack Vector/Entry Point. [Details].
6.3 Timeline of Key Events.

[Date/time] – [Event]
[Date/time] – [Event]
[Date/time] – [Event]
6.4 Indicators of Compromise (IOCs). [IPs, domains, hashes, user agents, etc.].
6.5 Forensics Involvement. ☐ Internal only ☐ External vendor engaged: [Name] ☐ Outside counsel involved.

7. Notifications and Communications

7.1 Internal Notifications. Notified: ☐ Security ☐ IT ☐ Legal ☐ Privacy ☐ Exec ☐ HR ☐ Other: [Teams].
7.2 External Notifications.
☐ Customers notified
☐ Regulators notified
☐ Law enforcement contacted
☐ Vendors notified
☐ Not required (document rationale)
Details: [Who/when/method].
7.3 Public Statement Needed. ☐ Yes ☐ No ☐ TBD.
7.4 Customer Support Plan. [Macros/FAQ/escalation steps].

8. Remediation and Follow-Up

8.1 Remediation Actions.

[Fix/control improvement] – Owner: [Name] – Due: [Date]
[Fix/control improvement] – Owner: [Name] – Due: [Date]
8.2 Monitoring Improvements. [New alerts/logging].
8.3 Policy/Process Updates. [Playbook changes, training updates].
8.4 Lessons Learned Meeting Date. [Date].

9. Attachments and Evidence

9.1 Evidence References.
☐ Log exports
☐ Screenshots
☐ Ticket links
☐ Forensics report
☐ Vendor notice
☐ Other: [List]
9.2 Storage Location. Evidence stored at: [Secure folder/link], access limited to: [Roles].

10. Approvals

10.1 Reviewed By (Security). [Name/Title] – Date: [Date].
10.2 Reviewed By (Legal/Privacy, If Applicable). [Name/Title] – Date: [Date].
10.3 Final Approval. [Name/Title] – Date: [Date].

Signatures

By signing below, the undersigned confirm that this Report reflects the incident details and response actions documented as of the signature date.

Prepared By: [Name]
Title/Role: [Title]
Date: [Date]
Signature: ___________________________

Incident Commander: [Name]
Title/Role: [Title]
Date: [Date]
Signature: ___________________________

Approved By (If Required): [Name]
Title/Role: [Title]
Date: [Date]
Signature: ___________________________

Security Incident Report Form Template

This Security Incident Report (the “Report”) is created for [Company Name] on [Report Date].

1. Incident Identification

2. Discovery and Timeline

3. Affected Systems and Accounts

4. Data Impact Assessment

5. Containment and Immediate Actions

5.1 Actions Taken.

[Action and timestamp]
[Action and timestamp]
[Action and timestamp]
5.2 Access Revoked/Rotated.
☐ Password resets
☐ MFA enforced
☐ API keys rotated
☐ Tokens revoked
☐ Certificates rotated
☐ Other: [Actions]
5.3 Systems Isolated. ☐ Yes ☐ No. If yes, how: [Details].
5.4 Backups/Recovery Steps. [If applicable].

6. Investigation Findings

6.1 Root Cause (If Known). [Phishing, vulnerability, misconfig, insider, etc.].
6.2 Attack Vector/Entry Point. [Details].
6.3 Timeline of Key Events.

[Date/time] – [Event]
[Date/time] – [Event]
[Date/time] – [Event]
6.4 Indicators of Compromise (IOCs). [IPs, domains, hashes, user agents, etc.].
6.5 Forensics Involvement. ☐ Internal only ☐ External vendor engaged: [Name] ☐ Outside counsel involved.

7. Notifications and Communications

8. Remediation and Follow-Up

8.1 Remediation Actions.

[Fix/control improvement] – Owner: [Name] – Due: [Date]
[Fix/control improvement] – Owner: [Name] – Due: [Date]
8.2 Monitoring Improvements. [New alerts/logging].
8.3 Policy/Process Updates. [Playbook changes, training updates].
8.4 Lessons Learned Meeting Date. [Date].

9. Attachments and Evidence

10. Approvals

Signatures

By signing below, the undersigned confirm that this Report reflects the incident details and response actions documented as of the signature date.

Prepared By: [Name]
Title/Role: [Title]
Date: [Date]
Signature: ___________________________

Incident Commander: [Name]
Title/Role: [Title]
Date: [Date]
Signature: ___________________________

Approved By (If Required): [Name]
Title/Role: [Title]
Date: [Date]
Signature: ___________________________

Get your complete
agreement in minutes

Select a template

Each template already follows legal structure and best practices.

Provide details

The agreement is automatically filled and adapted to your inputs.

Review & download

Check the generated document, make edits if needed, and download a ready-to-use agreement.

Details

Learn more about

Security Incident Report Form Template

Click below for detailed info on the template.
For quick answers, scroll below to see the FAQ.

Learn more

SECURITY INCIDENT REPORT FORM TEMPLATE FAQ

What is a security incident report form?

A security incident report form is a standardized document used to record the details of a suspected or confirmed security incident. It helps teams capture what happened, when it happened, what systems and data were affected, actions taken, and what follow-up is needed.

When should you use a security incident report form?

Use it as soon as an incident is suspected, even if details are incomplete. A form creates a timeline and ensures important information (like logs, affected accounts, and containment steps) is captured early and consistently.

What information should be included in an incident report?

Most incident reports include incident identification, discovery details, affected systems, incident type, severity, potential data exposure, actions taken, evidence/log references, communications and notifications, and remediation tasks. This template also includes fields for approvals and sign-off.

Who completes and approves the incident report?

Typically the security/IT responder completes it, with review by an incident commander, security leadership, and legal/privacy if personal data may be involved. The final sign-off depends on the severity and your internal policies.

How does this relate to a breach response playbook?

The playbook tells you what steps to follow; the incident report form is where you record those steps and outcomes. Using both together helps prove you responded reasonably and consistently.

What is AI Lawyer?

AI Lawyer is an AI-powered assistant that helps you create and customize legal and business document templates online. It guides you through key sections, suggests wording, and explains complex concepts in simple language. AI Lawyer does not replace a licensed attorney or provide legal advice, but helps you prepare better documents faster and more confidently.

Similar templates

Other templates from

Policy and Compliance Documents

Generate Document