In the Reporting step, what should be documented for every incident — and when should documentation actually happen?
Document the incident summary, indicators of compromise, related events, actions taken, chain of custody, impact assessment, people involved and next steps — continuously, throughout the whole incident, not only at the end.
The point is that reporting is ongoing. The recommended contents (following NIST SP 800-61 Rev. 2, the Computer Security Incident Handling Guide) include: a summary; Indicators of Compromise (IOCs) — forensic artefacts that show a system was breached; related/similar incidents; measures taken; the chain of custody (an unbroken, documented record of how evidence was handled so it holds up in court); an impact assessment; involved persons; and next steps.
Go deeper:
NIST SP 800-61 Rev. 2 (Computer Security Incident Handling Guide) — Die zitierte Primärquelle für die empfohlenen Reporting-Inhalte.
NIST SP 800-61 Rev. 3 (2025) — Aktuelle, an CSF 2.0 ausgerichtete Nachfolgeversion.