The Five Steps of Incident Resolution
There are five standard steps to any incident resolution process. These steps ensure that no aspect of an incident is overlooked and help teams respond to incidents effectively.
Incident Identification, Logging, and Categorization
Incidents are identified through user reports, solution analyses, or manual identification. Once identified, the incident is logged and investigation and categorization can begin. Categorization is important for determining how incidents should be handled and for prioritizing response resources.
Incident Notification & Escalation
Incident alerting takes place in this step, although the timing may vary according to how incidents are identified or categorized. Additionally, if incidents are minor, details may be logged or notifications sent without an official alert. Escalation is based on the categorization assigned to an incident and on who is responsible for the response procedures. If incidents can be managed automatically, escalation can occur transparently.
Investigation and Diagnosis
Once incident tasks are assigned, staff can begin investigating the type, cause, and possible solutions for an incident. After an incident is diagnosed, you can determine the appropriate remediation steps. This includes notifying any relevant staff, customers, or authorities about the incident and any expected disruption of services.
Resolution and Recovery
Resolution and recovery involve eliminating threats or the root causes of issues and restoring systems to full functioning. Depending on incident type or severity, this may require multiple stages to ensure that incidents don't reoccur.

For example, if the incident involves a malware infection, you often cannot simply delete the malicious files and continue operations. Instead, you need to create a clean copy of your infected systems, isolate the infected components, and fully replace systems to ensure that the infection doesn't spread.
Incident Closure