CIS Control 17.8: Conduct Post-Incident Reviews
Post-incident reviews are your organization's opportunity to learn from security events and prevent them from happening again. By systematically analyzing incidents, you identify root causes, document lessons learned, and implement corrective actions that strengthen your overall security program. This control is essential for building a mature incident response process that continuously improves your defenses.
What this means
Post-incident reviews (also called post-mortems or retrospectives) are structured processes conducted after a security incident has been contained and resolved. They involve your incident response team, relevant stakeholders, and subject matter experts examining what happened, why it happened, and what could prevent similar incidents in the future. The goal is to extract actionable insights and implement systemic improvements—not to assign blame.
How to comply
- 1.Define a post-incident review process that triggers automatically for all significant security incidents
- 2.Schedule reviews within 1-2 weeks of incident containment while details are still fresh
- 3.Assemble a cross-functional team including security, IT operations, management, and affected business units
- 4.Document the incident timeline, impact assessment, root cause analysis, and contributing factors
- 5.Identify lessons learned and capture what your team did well and what could improve
- 6.Create a prioritized list of follow-up actions with assigned owners and deadlines
- 7.Track action items through completion and verify effectiveness
- 8.Share findings and lessons across the organization to prevent similar incidents elsewhere
- 9.Maintain a centralized repository of post-incident review reports for trend analysis
Evidence auditors look for
- Post-incident review documentation template customized for your organization
- Completed incident review reports with root cause analysis and action items
- Meeting minutes and attendance records from review sessions
- Action item tracking logs showing assignments, deadlines, and closure status
- Trend analysis reports identifying recurring incident patterns or vulnerabilities
- Evidence of corrective actions implemented based on review findings
- Communication records showing lessons learned shared across the organization
- Updated incident response procedures based on review recommendations
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates post-incident review workflows by centralizing incident documentation, tracking action items to completion, and flagging trends across your incident history—helping you demonstrate continuous improvement for audits and prevent recurring security events.
See how GRCWatch handles this control automatically
Start free trial