ELI5: What is a Post-incident Review?

After something goes wrong, the team sits down and talks through what happened, what went well, what went badly, and what to do better next time. It is like a game film review after a big match: the point is not to blame a player but to play better next week.

Definition

The post-incident review (also called a lessons learned review or after-action review) is conducted after an incident is resolved to analyze the organization's response: what worked, what failed, and what should change in processes, tools, detection coverage, and training. It is the final phase of the incident response lifecycle and the main mechanism by which the security program improves from one incident to the next; without it, the same gaps are rediscovered during the next incident.

Key Details

  • Hold it promptly after resolution, typically within a week, while details are still fresh and the people involved are still available
  • Key questions: What happened, and what was the root cause? When did the compromise begin and when was it detected? How long did containment take? Where were the delays, and what caused them?
  • Output: a written report with the reconstructed timeline, findings, recommendations, and action items, each with an assigned owner and deadline, tracked until closed
  • Involve every stakeholder: the IR team, IT, management, legal, and the affected business units; keep the discussion blameless so that people describe what actually happened rather than what looks good
  • Findings should directly inform updates to playbooks, detection rules, and training programs; an action item that is never implemented and verified is not an improvement
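The timing questions above (dwell time, time to contain, where the delays were) are easiest to answer reliably from a structured timeline rather than from memory. The script below is an added example and not part of the original page or any particular IR tool: it takes a constructed incident timeline (all hostnames, times and events are invented), sorts it, checks that the phases a review needs are present, computes the metrics, and renders the section of the written report that carries them. The phase names (compromise, detection, triage, escalation, containment, eradication, recovery) are an assumption; adapt them to your own playbook.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Event = Tuple[datetime, str, str]  # (timestamp, phase, note)

# Constructed sample timeline for illustration only; the host name, times and
# events are invented and do not describe any real incident.
SAMPLE_TIMELINE = [
    ("2024-03-04T02:17:00", "compromise", "Attacker logs in over VPN with stolen credentials"),
    ("2024-03-04T09:41:00", "detection", "EDR alert: suspicious PowerShell on HOST-17"),
    ("2024-03-04T10:05:00", "triage", "Analyst acknowledges the alert"),
    ("2024-03-04T13:30:00", "escalation", "IR team engaged after initial false-positive assessment"),
    ("2024-03-04T14:10:00", "containment", "Account disabled, HOST-17 network-isolated"),
    ("2024-03-05T11:00:00", "eradication", "Malicious scheduled task removed"),
    ("2024-03-06T16:00:00", "recovery", "Host rebuilt and returned to service"),
]

# Phase names are an assumption of this example, not a standard.
REQUIRED_PHASES = ("compromise", "detection", "containment", "recovery")


def parse_timeline(rows: List[Tuple[str, str, str]]) -> List[Event]:
    """Parse ISO-8601 timestamps and return the events sorted by time.

    Sorting matters: a timeline is usually assembled from several sources
    (EDR, ticketing, chat) and rarely arrives in order. Missing required
    phases are an error, because the metrics below would be meaningless.
    """
    events = [(datetime.fromisoformat(ts), phase, note) for ts, phase, note in rows]
    events.sort(key=lambda e: e[0])
    present = {phase for _, phase, _ in events}
    missing = [p for p in REQUIRED_PHASES if p not in present]
    if missing:
        raise ValueError(f"timeline lacks required phase(s): {missing}")
    return events


def first(events: List[Event], phase: str) -> datetime:
    """Timestamp of the earliest event in the given phase."""
    return next(ts for ts, p, _ in events if p == phase)


def review_metrics(events: List[Event]) -> Dict[str, object]:
    """Answer the review's timing questions from the timeline.

    dwell_time:           compromise -> detection (how long the attacker went unnoticed)
    time_to_contain:      detection  -> containment (how long the response took)
    time_to_recover:      detection  -> recovery
    longest_response_gap: the largest pause between consecutive events from
                          detection to containment, i.e. where the delay was.
    """
    detected = first(events, "detection")
    contained = first(events, "containment")
    window = [e for e in events if detected <= e[0] <= contained]
    gaps = [
        (later[0] - earlier[0], earlier[1], later[1])
        for earlier, later in zip(window, window[1:])
    ]
    worst = max(gaps, key=lambda g: g[0]) if gaps else (timedelta(0), "", "")
    return {
        "dwell_time": detected - first(events, "compromise"),
        "time_to_contain": contained - detected,
        "time_to_recover": first(events, "recovery") - detected,
        "longest_response_gap": worst,
    }


def format_report(events: List[Event]) -> str:
    """Render the timeline and metrics as plain text for the written report."""
    m = review_metrics(events)
    gap, src, dst = m["longest_response_gap"]
    lines = ["Timeline:"]
    lines += [f"  {ts.isoformat()}  {phase:<12} {note}" for ts, phase, note in events]
    lines += [
        "",
        f"Dwell time (compromise -> detection): {m['dwell_time']}",
        f"Time to contain (detection -> containment): {m['time_to_contain']}",
        f"Time to recover (detection -> recovery): {m['time_to_recover']}",
        f"Largest delay during response: {gap} between '{src}' and '{dst}'",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(parse_timeline(SAMPLE_TIMELINE)))
```

On the sample data the largest response gap is the 3h25m between triage and escalation, which points the "what caused delays" question at the false-positive assessment rather than at the containment step itself; that is the kind of finding that turns into a concrete action item (for example, an escalation criterion in the playbook) rather than a vague "respond faster".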

Connections