The incident register is the central record of every information security incident your organisation experiences. Each incident — from a phishing attack to a lost USB drive to a ransomware infection — is captured, classified, and tracked here.
ISO 27001 dedicates three controls to the topic: A.5.24 (planning and preparation), A.5.25 (assessment and decision), and A.5.26 (response to incidents). NIS2 tightens the deadlines for reporting significant incidents to national authorities in Art. 23. The register ensures that every incident follows the defined process.
What does it contain?
The CSV template covers the full lifecycle of an incident:
- Incident ID and title — unique identifier and brief description
- Classification and severity — low, medium, high, critical
- Timestamps — detection, reporting, containment, closure
- Affected assets and systems — link to the asset register
- Incident coordinator — who manages the response?
- Immediate and long-term actions — what was done?
- Reporting obligations — was the incident reported to authorities, affected individuals, or customers?
- Lessons learned — what findings feed back into the risk analysis?
How to use it
Establish a reporting channel. Before the register works, everyone in the organisation must know where to report incidents. A dedicated channel (email alias, ticket category, intranet form) lowers the barrier. Communicate the reporting channel during onboarding and in annual awareness training.
Classification and escalation. Every reported incident is classified by severity. The classification determines the escalation level: low-severity incidents are handled by the IT team independently; critical incidents escalate to senior management and — depending on NIS2 applicability — trigger a report to the relevant authority.
Post-incident review and feedback into risk analysis. Every closed incident is reviewed. What happened? Why did the existing control fail or succeed? What changes to the risk register or risk treatment plan result from this? This feedback loop closes the PDCA cycle.
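The three steps above (classification, escalation, and the review that feeds back into the risk analysis) are easiest to keep honest when the register is checked by a script rather than by eye. The following is an added example, not part of the template or of the page's own tooling: it loads a constructed, column-reduced CSV excerpt of the sample rows below, recomputes the MTTR from the timestamps to catch rows whose recorded value no longer matches, maps severity to an escalation level, and works out the statutory reporting clocks. The column names, the CSV layout, and the medium/high rows of the escalation matrix are assumptions (the page fixes only the low and critical endpoints); the 72 h GDPR Art. 33 and 24 h / 72 h / one-month NIS2 Art. 23 deadlines are the statutory figures, not values taken from the page.

```python
import csv
import io
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample: a column subset of the English register rows, in the
# comma-separated layout the CSV template is assumed to use.
REGISTER_CSV = """ID,Type,Severity,Reported At,Resolved At,MTTR (h),Data Breach,Authority Notification
INC-2026-001,Phishing,Medium,2026-01-22 09:14,2026-01-22 14:00,4.8,No,No
INC-2026-002,Malware,High,2026-02-03 23:41,2026-02-05 12:00,37.0,No,No
INC-2026-003,Lost device,Medium,2026-02-15 08:30,2026-02-15 10:00,1.5,No,No
INC-2026-004,Phishing,High,2026-02-22 11:20,2026-02-22 16:00,4.6,No,No
INC-2026-005,Brute force,Low,2026-03-01 02:14,2026-03-01 09:00,6.8,No,No
INC-2026-006,Data leak,High,2026-03-12 14:30,2026-03-12 18:00,3.5,Yes,Yes (BfDI 72h + data subjects)
INC-2026-007,DoS,Medium,2026-03-20 19:15,2026-03-20 22:30,3.3,No,No
INC-2026-008,Misconfiguration,High,2026-03-25 10:00,2026-03-25 11:00,1.0,No (no sensitive data accessed),No
INC-2026-009,Malware,High,2026-04-02 15:30,2026-04-03 12:00,20.5,No,No
INC-2026-010,Unauthorised access,Medium,2026-04-08 16:20,2026-04-09 10:00,17.7,No,No
"""

TIMESTAMP_FORMAT = "%Y-%m-%d %H:%M"

# Escalation matrix. Only the "low" and "critical" rows come from the page;
# "medium" and "high" are an assumed policy and must be set per organisation.
ESCALATION = {
    "low": "IT team (handled independently)",
    "medium": "Information security officer (assumed)",
    "high": "Information security officer, senior management informed (assumed)",
    "critical": "Senior management; authority report if NIS2 applies",
}


@dataclass
class Incident:
    incident_id: str
    incident_type: str
    severity: str
    reported_at: datetime
    resolved_at: datetime
    recorded_mttr_h: float
    data_breach: bool
    authority_notification: bool


def yes_no(value: str) -> bool:
    """Annotated cells such as 'Yes (BfDI 72h + ...)' or 'No (no data accessed)' are common; read only the leading word."""
    return value.strip().lower().startswith("yes")


def load_register(text: str) -> list[Incident]:
    """Parse the CSV excerpt into Incident records (timestamps become datetimes)."""
    return [
        Incident(
            incident_id=row["ID"],
            incident_type=row["Type"],
            severity=row["Severity"].strip().lower(),
            reported_at=datetime.strptime(row["Reported At"], TIMESTAMP_FORMAT),
            resolved_at=datetime.strptime(row["Resolved At"], TIMESTAMP_FORMAT),
            recorded_mttr_h=float(row["MTTR (h)"]),
            data_breach=yes_no(row["Data Breach"]),
            authority_notification=yes_no(row["Authority Notification"]),
        )
        for row in csv.DictReader(io.StringIO(text))
    ]


def computed_mttr_h(inc: Incident) -> float:
    """Hours from the internal report to resolution, derived from the timestamps."""
    return (inc.resolved_at - inc.reported_at).total_seconds() / 3600


def mttr_inconsistencies(incidents: list[Incident], tolerance_h: float = 0.1) -> list[str]:
    """IDs whose recorded MTTR deviates from the timestamp-derived value by more than the tolerance."""
    return [inc.incident_id for inc in incidents
            if abs(inc.recorded_mttr_h - computed_mttr_h(inc)) > tolerance_h]


def escalation_level(severity: str) -> str:
    """Map a severity label to the escalation target; unknown labels are rejected, not silently downgraded."""
    key = severity.strip().lower()
    if key not in ESCALATION:
        raise ValueError(f"unknown severity {severity!r}")
    return ESCALATION[key]


def reporting_deadlines(inc: Incident, nis2_applicable: bool = False) -> dict[str, datetime]:
    """Statutory clocks, all started at the internal report time (assumed to be the moment of awareness)."""
    deadlines = {}
    if inc.data_breach:  # GDPR Art. 33: supervisory authority within 72 h
        deadlines["GDPR Art. 33 notification (72h)"] = inc.reported_at + timedelta(hours=72)
    if nis2_applicable and inc.severity == "critical":  # NIS2 Art. 23 for significant incidents
        notification = inc.reported_at + timedelta(hours=72)
        deadlines["NIS2 Art. 23 early warning (24h)"] = inc.reported_at + timedelta(hours=24)
        deadlines["NIS2 Art. 23 incident notification (72h)"] = notification
        deadlines["NIS2 Art. 23 final report (1 month)"] = notification + timedelta(days=30)  # month approximated as 30 days
    return deadlines


def summarise(incidents: list[Incident]) -> dict:
    """Figures for the post-incident review: volume by type, mean recorded MTTR, breach count."""
    return {
        "count": len(incidents),
        "by_type": dict(Counter(inc.incident_type for inc in incidents)),
        "mean_mttr_h": round(mean(inc.recorded_mttr_h for inc in incidents), 2),
        "data_breaches": sum(inc.data_breach for inc in incidents),
    }


if __name__ == "__main__":
    register = load_register(REGISTER_CSV)
    for inc in register:
        print(f"{inc.incident_id}  {inc.severity:<8} {computed_mttr_h(inc):5.1f}h  -> {escalation_level(inc.severity)}")
        for label, due in reporting_deadlines(inc).items():
            print(f"    {label}: due {due:%Y-%m-%d %H:%M}")
    print("MTTR inconsistencies:", mttr_inconsistencies(register))
    print("Summary:", summarise(register))
```

Run over the sample rows, the consistency check reports INC-2026-002, whose recorded 37.0 h does not match the 36.3 h between its report and resolution timestamps; that is exactly the kind of discrepancy a post-incident review should resolve before the MTTR figures are trusted. The escalation matrix deliberately raises on an unknown severity label so that a typo in the register cannot quietly route a critical incident to the lowest level.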
| ID | Title | Type | Severity | Affected Assets | Reported By | Reported At | Detected By | Detection Method | Response Team | Containment At | Resolved At | MTTR (h) | Data Breach | Authority Notification | Root Cause | Corrective Action | Status |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| INC-2026-001 | Phishing email with credential link | Phishing | Medium | User account k.mueller@nwl | IT Helpdesk | 2026-01-22 09:14 | SOC | SIEM alert | SecOps | 2026-01-22 09:45 | 2026-01-22 14:00 | 4.8 | No | No | Bypassed filter (newly registered domain) | Enable NRD rule + CAPA-2026-003 | Closed |
| INC-2026-002 | EDR alert on developer laptop (Cobalt Strike beacon) | Malware | High | AST-006 (1 laptop) | EDR | 2026-02-03 23:41 | EDR | Behavioural detection | SecOps | 2026-02-03 23:55 | 2026-02-05 12:00 | 37.0 | No | No | False positive - red team exercise not coordinated | Update exclusion + coordinate exercises | Closed |
| INC-2026-003 | Lost company laptop | Lost device | Medium | AST-006 (1 laptop) | Employee | 2026-02-15 08:30 | User report | Self-report | IT Operations | 2026-02-15 08:45 | 2026-02-15 10:00 | 1.5 | No | No | Left in taxi | Remote wipe triggered + replacement issued | Closed |
| INC-2026-004 | Targeted phishing against finance (BEC attempt) | Phishing | High | Finance team | Finance Lead | 2026-02-22 11:20 | User report | Recipient | SecOps | 2026-02-22 11:25 | 2026-02-22 16:00 | 4.6 | No | No | Attempt blocked by awareness - no clicks | Targeted finance training | Closed |
| INC-2026-005 | Unauthorised access attempts to VPN | Brute force | Low | AST-011 | SOC | 2026-03-01 02:14 | SIEM alert | Log correlation | SecOps | 2026-03-01 02:20 | 2026-03-01 09:00 | 6.8 | No | No | Automated scanning | Blocked source IPs + geo filter | Closed |
| INC-2026-006 | Accidental email with customer list to wrong recipient | Data leak | High | Customer data (45 records) | DPO | 2026-03-12 14:30 | User report | Self-report | DPO + SecOps | 2026-03-12 14:35 | 2026-03-12 18:00 | 3.5 | Yes | Yes (BfDI 72h + data subjects) | Autocomplete selected wrong address | Enable email send confirmation + DLP (CAPA-2026-005) | Closed |
| INC-2026-007 | DDoS on customer portal | DoS | Medium | AST-002 | Monitoring | 2026-03-20 19:15 | Availability monitoring | Synthetic check | SecOps + Vendor | 2026-03-20 19:45 | 2026-03-20 22:30 | 3.3 | No | No | Volumetric attack via vendor | Activated CDN Layer 7 protection | Closed |
| INC-2026-008 | S3 bucket temporarily public after manual change | Misconfiguration | High | AST-012 | IT Operations | 2026-03-25 10:00 | IaC scan | Automated | SecOps | 2026-03-25 10:12 | 2026-03-25 11:00 | 1.0 | No (no sensitive data accessed) | No | Engineer bypassed IaC | Reinforce IaC + S3 public access block | Closed |
| INC-2026-009 | Ransomware attempt blocked | Malware | High | AST-006 (1 laptop) | EDR | 2026-04-02 15:30 | EDR | Behavioural detection | SecOps | 2026-04-02 15:31 | 2026-04-03 12:00 | 20.5 | No | No | User opened malicious attachment | Awareness session + attachment filter tuning | Closed |
| INC-2026-010 | Insider - failed access attempt to payroll | Unauthorised access | Medium | AST-017 | SIEM | 2026-04-08 16:20 | SIEM alert | Access log correlation | ISO + HR | 2026-04-08 16:30 | 2026-04-09 10:00 | 17.7 | No | No | Curiosity (not malicious) | Reminder of AUP + access review | Closed |
Sources
- ISO/IEC 27001:2022, A.5.24–A.5.26 — incident management
- ISO/IEC 27002:2022, Sections 5.24–5.28 — implementation guidance for incident management
- NIS2 Directive (EU 2022/2555), Art. 23 — reporting obligations for significant security incidents