The documentation associated with an incident takes several forms. The length of any documentation is often dictated by the type of incident. Simple incidents that take very little time to investigate and have a limited impact may be documented informally in an existing ticketing system. However, in more complex incident investigations, such as a data breach that has led to the disclosure of confidential information (such as medical records or credit card information), you may require extensive written reports and supporting evidence.
Documentation overview
What to document
When looking at documenting an incident, it is not very difficult to ascertain what should be documented. Following the five Ws (Who, What, Where, When...