A blameless post-mortem is a structured review of a security incident or outage that deliberately avoids assigning personal blame. The focus is on systemic causes and improvements.
ISO 27001 Annex A control A.5.27 (Learning from Information Security Incidents) and Clause 10.1 (Continual Improvement) provide the normative basis for this practice. A blameless post-mortem analyzes the causal chain: what happened, why it was possible, which factors contributed to escalation, and which measures prevent recurrence. Avoiding personal blame encourages open communication and produces a more honest analysis. Document the results and track the resulting actions as tasks.