Security Incident Response Checklist Template
Detect, contain, investigate, and resolve security incidents with a structured playbook.
This free IT checklist template includes 6 tasks organized into 2 sections. Use it to streamline your security incident response process.
Detection & Containment
Identify and classify incident
Detect and document the security incident. Classify its severity to determine the appropriate response level and escalation path.
- Incident Severity (required) — Options: Critical, High, Medium, Low
- Incident Type (required) — Options: Data Breach, Malware / Ransomware, Phishing Attack, Unauthorized Access, Denial of Service, Other
- Initial Description (required)
Contain the threat
Take immediate action to isolate affected systems and prevent the incident from spreading. Document all containment steps taken.
- Containment Actions Taken (required) — Options: Isolated Affected Systems, Disabled Compromised Accounts, Blocked Malicious IPs, Revoked Access Tokens, Activated Firewall Rules
- Systems Affected (required)
Resolution
Investigate root cause
Perform a thorough forensic investigation to determine the root cause of the incident, attack vector, and scope of impact.
- Root Cause Analysis (required)
- Data Compromised (required) — Options: No Data Compromised, Internal Data Only, Customer Data Affected, Financial Data Affected, Unknown / Under Investigation
Implement fix
Apply patches, configuration changes, or other remediation measures to eliminate the vulnerability and restore affected systems.
- Remediation Steps (required)
- Fix Applied Date (required)
Notify affected parties
Communicate the incident to affected users, stakeholders, and regulatory bodies as required. Provide clear information about what happened and steps being taken.
- Parties Notified (required) — Options: Internal Team, Executive Leadership, Affected Customers, Legal / Compliance, Regulatory Bodies, Law Enforcement
- Notification Date (required)
Post-incident review
Conduct a post-mortem to document lessons learned, update security policies, and implement preventive measures to avoid similar incidents.
- Lessons Learned (required)
- Preventive Measures Planned (required) — Options: Updated Security Policies, Additional Monitoring, Staff Training, Infrastructure Hardening, New Access Controls
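As an added example (not part of the template itself), a small Python validator that checks a filled-in incident record against the required fields and option lists above: it flags missing fields, options outside the listed choices, multiple selections on single-choice fields, and malformed dates. The SAMPLE record is constructed for illustration and deliberately contains three such mistakes.

```python
from datetime import date

# Field -> allowed options, copied from the template; None means free text or a date.
FIELDS = {
    "Incident Severity": {"Critical", "High", "Medium", "Low"},
    "Incident Type": {"Data Breach", "Malware / Ransomware", "Phishing Attack",
                      "Unauthorized Access", "Denial of Service", "Other"},
    "Initial Description": None, "Systems Affected": None, "Root Cause Analysis": None,
    "Containment Actions Taken": {"Isolated Affected Systems", "Disabled Compromised Accounts",
                                  "Blocked Malicious IPs", "Revoked Access Tokens",
                                  "Activated Firewall Rules"},
    "Data Compromised": {"No Data Compromised", "Internal Data Only", "Customer Data Affected",
                         "Financial Data Affected", "Unknown / Under Investigation"},
    "Remediation Steps": None, "Fix Applied Date": None, "Notification Date": None,
    "Parties Notified": {"Internal Team", "Executive Leadership", "Affected Customers",
                         "Legal / Compliance", "Regulatory Bodies", "Law Enforcement"},
    "Lessons Learned": None,
    "Preventive Measures Planned": {"Updated Security Policies", "Additional Monitoring",
                                    "Staff Training", "Infrastructure Hardening",
                                    "New Access Controls"},
}
MULTI = {"Containment Actions Taken", "Parties Notified", "Preventive Measures Planned"}
DATES = {"Fix Applied Date", "Notification Date"}


def validate(record: dict) -> list[str]:
    """Return the problems found; an empty list means every field is filled in correctly."""
    problems = []
    for field, options in FIELDS.items():
        value = record.get(field)
        if not value:  # every field in the template is required
            problems.append(f"{field}: required field is missing")
            continue
        if options is not None:  # choice field: one or more of the listed options
            chosen = list(value) if isinstance(value, (list, tuple, set)) else [value]
            if len(chosen) > 1 and field not in MULTI:
                problems.append(f"{field}: only one option may be selected")
            problems += [f"{field}: unknown option {i!r}" for i in chosen if i not in options]
        elif field in DATES:  # dates are expected as ISO strings (YYYY-MM-DD)
            try:
                date.fromisoformat(value)
            except (TypeError, ValueError):
                problems.append(f"{field}: expected an ISO date (YYYY-MM-DD)")
    return problems


# Constructed sample: a single-choice field with two picks, a bad date, an empty field.
SAMPLE = {
    "Incident Severity": "High", "Incident Type": "Phishing Attack",
    "Initial Description": "User entered credentials on a spoofed login page",
    "Containment Actions Taken": ["Disabled Compromised Accounts", "Revoked Access Tokens"],
    "Systems Affected": "Mail tenant, SSO", "Root Cause Analysis": "Credential phishing",
    "Data Compromised": ["Internal Data Only", "Customer Data Affected"],
    "Remediation Steps": "Password reset, MFA re-enrolment", "Fix Applied Date": "2024-13-02",
    "Parties Notified": ["Internal Team"], "Notification Date": "2024-03-02",
    "Lessons Learned": "", "Preventive Measures Planned": ["Staff Training"],
}
```

Running `validate(SAMPLE)` reports the three mistakes in template order; an empty result means the record is ready to close out.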