Question: Are post-incident reviews and lessons learned integrated into risk, training, and control updates?
Why This Matters
Post-mortems transform failures into improvements. Capturing lessons and feeding them into risk and training cycles strengthens resilience.
Maturity
- 0 — Unaware: No post-incident review.
- 1 — Ad Hoc: Discussions held but not documented.
- 2 — Defined: Template for lessons learned created.
- 3 — Managed: Reviews completed for all major incidents.
- 4 — Integrated: Findings update risk register, policies, training.
- 5 — Optimized: Analytics track recurrence and learning effectiveness.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | Hold a team retrospective after each major incident. |
| 1 → 2 | Create a template to capture what worked and what failed. |
| 2 → 3 | Require completion within 7 days of closure. |
| 3 → 4 | Feed findings into risk register and training plan. |
| 4 → 5 | Automate metrics on recurrence and closure time. |
Enablers
- People: IR Manager, Risk Officer, Training Lead
- Process: RCA → Lessons → Risk Update → Awareness
- Technology: GRC system, LMS, dashboard
Evidence
- Post-incident review reports
- Updated risk register entries
- Training records linked to findings
KPIs
- % incidents with review completed
- Number of controls updated post-review
- Recurrence rate of similar incidents
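The 2 → 3 step (review completed within 7 days of closure), the 4 → 5 step (automated metrics on recurrence and closure time) and the three KPIs above can all be computed from the same incident register. The script below is an added example, not code from the NIRMATA framework or any GRC product; the incident records, field names (`closed`, `review_completed`, `controls_updated`, `category`) and the 90-day recurrence window are constructed assumptions, while the 7-day review SLA is the figure the page gives.

```python
from datetime import date

REVIEW_SLA_DAYS = 7          # page's 2 -> 3 step: review completed within 7 days of closure
RECURRENCE_WINDOW_DAYS = 90  # assumption: same category again within 90 days counts as recurrence
AS_OF = date(2024, 12, 31)   # reporting date used when a review is still missing

# Constructed sample incident register (field names are assumptions, not a real GRC export).
INCIDENTS = [
    {"id": "INC-001", "category": "phishing", "closed": date(2024, 1, 10),
     "review_completed": date(2024, 1, 15), "controls_updated": 2},
    {"id": "INC-002", "category": "phishing", "closed": date(2024, 3, 5),
     "review_completed": date(2024, 3, 20), "controls_updated": 0},
    {"id": "INC-003", "category": "ransomware", "closed": date(2024, 4, 1),
     "review_completed": None, "controls_updated": 0},
    {"id": "INC-004", "category": "misconfiguration", "closed": date(2024, 6, 12),
     "review_completed": date(2024, 6, 14), "controls_updated": 1},
    {"id": "INC-005", "category": "phishing", "closed": date(2024, 9, 30),
     "review_completed": date(2024, 10, 3), "controls_updated": 1},
]


def days_between(start, end):
    return (end - start).days


def review_completion_rate(incidents):
    """KPI: % of incidents with a post-incident review completed."""
    reviewed = sum(1 for i in incidents if i["review_completed"] is not None)
    return round(100.0 * reviewed / len(incidents), 1)


def overdue_reviews(incidents, today, sla_days=REVIEW_SLA_DAYS):
    """Incidents whose review was completed late, or is still missing past the SLA."""
    late = []
    for i in incidents:
        done = i["review_completed"]
        if done is None:
            if days_between(i["closed"], today) > sla_days:
                late.append(i["id"])
        elif days_between(i["closed"], done) > sla_days:
            late.append(i["id"])
    return late


def controls_updated_total(incidents):
    """KPI: number of controls updated as a result of reviews."""
    return sum(i["controls_updated"] for i in incidents)


def recurring_incidents(incidents, window_days=RECURRENCE_WINDOW_DAYS):
    """IDs of incidents whose category was already seen within window_days before closure.

    Walks the register in closure order and remembers the last closure date per
    category, so each incident is compared only with its most recent predecessor.
    """
    last_seen = {}
    repeats = []
    for i in sorted(incidents, key=lambda r: r["closed"]):
        prev = last_seen.get(i["category"])
        if prev is not None and days_between(prev, i["closed"]) <= window_days:
            repeats.append(i["id"])
        last_seen[i["category"]] = i["closed"]
    return repeats


def recurrence_rate(incidents, window_days=RECURRENCE_WINDOW_DAYS):
    """KPI: % of incidents that are a recurrence of a recent one of the same category."""
    return round(100.0 * len(recurring_incidents(incidents, window_days)) / len(incidents), 1)


def mean_days_to_review(incidents):
    """Closure-to-review time averaged over incidents that have a completed review."""
    durations = [days_between(i["closed"], i["review_completed"])
                 for i in incidents if i["review_completed"] is not None]
    return round(sum(durations) / len(durations), 2) if durations else None


def kpi_summary(incidents, today):
    """Dashboard view of the page's KPIs plus the two 4 -> 5 automation metrics."""
    return {
        "review_completion_pct": review_completion_rate(incidents),
        "overdue_reviews": overdue_reviews(incidents, today),
        "controls_updated": controls_updated_total(incidents),
        "recurring_incidents": recurring_incidents(incidents),
        "recurrence_pct": recurrence_rate(incidents),
        "mean_days_to_review": mean_days_to_review(incidents),
    }


if __name__ == "__main__":
    for name, value in kpi_summary(INCIDENTS, AS_OF).items():
        print(f"{name}: {value}")
```

On the constructed register, INC-002 is flagged both as an overdue review (15 days after closure) and as a recurrence (phishing again 55 days after INC-001), while INC-003 has no review at all; that is exactly the "lessons recorded but never acted on" pattern the pitfalls list warns about, surfaced by the metrics rather than by memory.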
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Review template | Wiki / Forms | Simple record |
| Risk tracking | Odoo / Airtable | Integrate updates |
| Training LMS | Moodle / Google Classroom | Awareness refreshers |
Common Pitfalls
- Lessons recorded but never acted on
- No link to training plans
- Same issue recurs every quarter
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO/IEC 27001:2022 | A.10 (Improvement Cycle) |
| CERT-In 2022 | Section 34 (Post-Incident Review) |
| DPDP Act 2023 | Sec 10 (Accountability) |
| NIST CSF 2.0 | RC.MI-1 / GV.MA-1 |
| NIRMATA Mapping | IR-Q08 closes the incident feedback loop. |