LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

In the Reporting step, what should be documented for every incident — and when should documentation actually happen?

Document the incident summary, indicators of compromise, related events, actions taken, chain of custody, impact assessment, people involved and next steps — continuously, throughout the whole incident, not only at the end.

The point is that reporting is ongoing. The recommended contents (following NIST SP 800-61 Rev. 2, the Computer Security Incident Handling Guide) include: a summary; Indicators of Compromise (IOCs) — forensic artefacts that show a system was breached; related/similar incidents; measures taken; the chain of custody (an unbroken, documented record of how evidence was handled so it holds up in court); an impact assessment; involved persons; and next steps.

NIST SP 800-61 Rev. 2

Go deeper:

From Quiz: ISM / Security Incident Management | Updated: Jul 05, 2026