Security incident report – How to guide in 6 steps

This six-step how-to guide to security incident reports is for security guards who want to follow best practice.

We’ll look at why it’s important to write a report, what should be in your report and things to avoid.

How to write an incident report: Transcript


[00:00]
Rudyard Kipling is a helpful way to remember what to include, but first a reminder: if writing incident reports is part of your job, it matters that you do it well.

[00:11]
Incident reports often support legal or civil proceedings. They are also how teams learn and improve. If we do not write them, we lose the opportunity to learn.

[00:32]
So what should go into the report? Record your name, when you are writing the report, when the incident took place, and where it happened. Then set out what happened, the impact, what you did as a result, who you notified, and any lessons learned.

[01:08]
Where should you write the report? It does not matter at first. Get the initial facts down quickly. Use a scrap of paper, a phone, or whatever you have. Later, when you are back at a desk, write up the formal incident report.

[01:35]
When should you write it? Deal with the incident first. Do not start a report while someone needs help or a situation is escalating. Stabilise the incident, then write a brief preliminary report. A fuller report can follow in the next few days after further checks.

[02:13]
How should you write it? Use a simple timeline. Set out the events in chronological order: this happened, then this, then this. Do not write a story or guess at motives. Avoid assumptions and stick to what you observed.

[02:49]
If you made a mistake, be honest. Accuracy and honesty matter more than pride. Record what happened as it happened.

[03:17]
Who should write the report? It varies. Some roles have this responsibility. It might be a director, head of security, supervisor, or the first responder. If there are witnesses, they may need to give statements. You may also receive reports from emergency services to review.

[03:55]
If you found this helpful or have questions, leave a comment or get in touch.

[04:06]
Thanks for watching.

What to write down in a security incident report: Who you are, date, time and location. Then add what happened, what the impact of the incident is, what you’ve done as a result and who you’ve told about the incident. Later, add lessons learnt.

When to write the report: Do not make the report the priority; deal with the incident first. Then write a preliminary, summary report. In the next few days, write a full detailed report.

Where to write the report: Write information wherever you can safely store it. Later, add it to a formal incident report template. The report can be written at the scene or at a desk. Make sure handwriting is legible.

Who should write the report: Often, the person who finds the incident makes a report, which may be followed up by someone else. Speak to witnesses. Only authorised people should view the report.

How to write the report: Use facts, not fiction; avoid stories or assumptions. Write events in chronological order. Be honest, even if you’re not proud of your actions.

Why write a security incident report: We can only learn from security incidents if a report is made. They can also form an important part of legal proceedings.

What is a security incident report?

A security incident report is an account of an untoward security event, for example theft, assault or anti-social behaviour. It may also cover non-physical incidents such as a cyber security breach. Incident reports can be handwritten or entered online using software such as our Incident and event reports feature.

Security incident report template PDF

Security incident report template Word

What to write in a security incident report

A security guard should write the following in a security incident report. It is split into two parts.

Part 1)

As soon as possible after the security incident, record:

  1. Orientation: Kind of security incident, its time, date and location. For example, theft at 10:59 2 January 2024, West Wing.
  2. Incident description: Details about what happened, who was involved and relevant details. For example, female customer had purse stolen by the assailant, a hooded man, who ran north into the high street.
  3. Affected systems/resources: Was anything impacted by the security incident? For example, the assailant damaged the north emergency exit door while running away.
  4. Impact assessment: What were the consequences of the security incident? For example, the emergency exit door set off an alarm and local retailers began to evacuate.
  5. Response actions taken: What actions were taken immediately after the incident? For example, security officer was posted to the damaged emergency exit and the customer was taken to our local canteen.
  6. Notification: List who has been notified about the incident. For example, the police were called about the theft and my security manager was told immediately.
  7. Evidence and documentation: Reference or add any relevant evidence. For example, list CCTV footage relevant to the theft.
  8. Your details: Add your name and contact details to the security incident report form.

Part 2)

Follow up the security incident in the next few days and write:

  1. Follow-up actions: List any ongoing or future actions that will be taken to address the incident. For example, security guards will now patrol the location of the theft every hour.
  2. Lessons learnt: Note lessons learnt and how similar incidents can be prevented in the future. For example, notices are now displayed in the area warning customers about thefts.
  3. Recommendations: Provide recommendations for improving security. For example, more security officers should be sent to the area.
  4. Add details of you and any authorising parties: Add your name and contact details to the security incident report form. Add the name and contact details of anyone who has approved the report.

See proof in practice in the DLR real-time reporting case study:

Improving operations at DLR with SIRV

Sample incident report template

[Organisation Name]

[Address]

[City, postcode]

[Phone number]

[Date of incident report]

Security Incident Report

  1. Incident Details:

Date and time of incident: [Date] [Time]

Location of incident: [Location]

Incident Type: [e.g., Unauthorised Access, Data Breach, Theft]

Incident Severity: [Low, Moderate, High, Critical]

  2. Incident description:

Provide a detailed description of the incident, including what happened, who was involved, and any relevant circumstances leading up to the incident.

  3. Affected systems/resources:

List all systems, equipment, or resources that were affected by the incident.

  4. Impact assessment:

Describe the impact of the incident, including potential data loss, system downtime, financial loss, or other consequences.

  5. Response actions taken:

Outline the actions taken immediately after discovering the incident, including any security measures implemented to reduce further damage.

  6. Notification:

Indicate whether law enforcement, regulatory authorities, or affected parties were notified, and provide details on the individuals or organisations contacted.

  7. Evidence and documentation:

Attach any relevant evidence, logs, or documentation that supports the incident report. Include witness statements, security camera footage, or system logs, if applicable.

  8. Follow-up actions:

List any ongoing or future actions that will be taken to address the incident, including security improvements, policy changes, or training initiatives.

  9. Lessons learned:

Discuss what lessons were learned from the incident and how similar incidents can be prevented in the future.

  10. Recommendations:

Provide any recommendations for improving security or preventing similar incidents in the future.

  11. Incident Reporting Personnel:

Name: [Your Name]

Title: [Your Title]

Contact Information: [Your Phone Number]

Email: [Your Email Address]

  12. Approval:

[Signature of Supervisor or Security Officer]

Name: [Supervisor/Security Officer Name]

Title: [Supervisor/Security Officer Title]

Date: [Date of Approval]

I keep six honest serving-men (they taught me all I knew). Their names are what and why and when and how and where and who.

Rudyard Kipling

How to remember what to write

What to write in a security incident report is simple. Just remember these six prompts:

  • What happened?
  • Where did it happen?
  • Why did it happen?
  • Who was involved or witnessed the incident?
  • When did it happen?
  • How did it happen?

A great way to remember these six prompts is Rudyard Kipling’s poem ‘Six Honest Serving Men’.

2) When to write the report

Because memories fade, it’s important to write a security incident report while the incident is fresh in the mind. For this reason, incident reports are often made in two stages:

  • Initial, preliminary report, written straight after the security incident
  • Full report, written over the next few days

By publishing the preliminary report straight after the incident you quickly make interested parties aware of it. A full report is likely to be more comprehensive than a preliminary report.

The report is not the priority

Make a report only if it is not a distraction from an ongoing incident. Prioritise the incident on site, then make an entry. For example, if there’s a protest on site, attend immediately to the incident rather than the report.

If, for whatever reason, you do not have time to complete a full entry, make an abbreviated report and complete it as soon as possible. For example, if it is the end of shift and an incident occurs, you may not have time to complete a full entry. In this instance, make an abbreviated entry and complete it when next on shift.


3) Where to write the security incident report

Many people write their report at the location of the incident, ‘in the field’.

In the first instance, you can record the incident using any storage device; for example, an audio or video recording may be appropriate. It’s important to capture information while it’s fresh in people’s minds. If that means you need to write on a napkin and write up the report later, that’s fine.

Most report writers will use a paper or digital form, enhanced by media, to publish their findings.

Paper and digital reports

Paper or digital reports are used to record security incidents. If you use paper, make sure permanent ink is used to make entries. Do not use a pencil, because it is easily erased and fades over time.

Handwriting and legibility

Many people’s handwriting is difficult to read (I know mine is). To avoid this problem, many people use software. However, if paper is used, it is important your handwriting is legible. Consider using CAPITAL LETTERS, because writing in capitals slows you down and makes each letter easier to read.

Spelling

If you use a digital report your text will be automatically checked for spelling errors. However, if you are using a paper book remember:

  • A security incident report is not a writing test; do not get anxious.
  • If uncertain about spelling, use a dictionary.

Made a mistake?

If you or someone else makes a mistake on paper, do not score through or mark out the error. Make a reference to the error and then add the correction elsewhere.

Here at SIRV we use a versioning system. No entry is ever deleted; changes are saved as new versions. This means there is a full audit trail of changes made.

ELBOW

If you use paper, then ELBOW is a useful acronym for some basic rules.

Do not:

  • Erase. Do not rub out or score through mistakes. Initial the error and make another entry.
  • Leaves should not be torn out of a book, even if the page has only one entry. Any errors should be initialled and explained.
  • Blank spaces are not helpful. If your book has a reference coding system, any spaces will make the system hard to follow. Avoid blank spaces and use all the lines in the book.
  • Overwriting is difficult to read and destroys previous entries. Do not overwrite.
  • Writing between lines makes reading difficult. Do not write between lines.
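
An added sketch, not SIRV's code or anything from the original page, of the rule described under "Made a mistake?" and ELBOW: a correction is appended as a new version and nothing is erased or overwritten. The class name, the field names and the hash chain that links each version to the one before it are assumptions of this example.

```python
import hashlib
import json
from datetime import datetime, timezone

class IncidentLog:
    """Append-only store: a correction adds a new version, nothing is edited or deleted."""

    def __init__(self):
        self._versions = []  # every version ever written, oldest first

    @staticmethod
    def _digest(record):
        # Hash a canonical JSON form of everything except the stored hash itself.
        body = {k: v for k, v in record.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, report_id, author, text, reason="initial entry"):
        prior = [v for v in self._versions if v["report_id"] == report_id]
        record = {
            "report_id": report_id,
            "version": len(prior) + 1,
            "author": author,
            "written_at": datetime.now(timezone.utc).isoformat(),  # set by the log, not the author
            "text": text,
            "reason": reason,  # the "reference to the error" for a correction
            "prev_hash": self._versions[-1]["hash"] if self._versions else "0" * 64,
        }
        record["hash"] = self._digest(record)
        self._versions.append(record)
        return record

    def history(self, report_id):
        return [v for v in self._versions if v["report_id"] == report_id]

    def verify(self):
        """True only if every version still matches its hash and links to the one before it."""
        prev = "0" * 64
        for v in self._versions:
            if v["prev_hash"] != prev or v["hash"] != self._digest(v):
                return False
            prev = v["hash"]
        return True

def build_sample_log():
    # Constructed sample: version 2 corrects a wrong location recorded in version 1.
    log = IncidentLog()
    log.append("IR-001", "Officer A", "Theft at 10:59, 2 January 2024, East Wing.")
    log.append("IR-001", "Officer A", "Theft at 10:59, 2 January 2024, West Wing.",
               reason="corrects location given in version 1")
    return log
```

Overwriting the text of version 1 in place makes `verify()` return False, which is the digital equivalent of spotting an erased or overwritten line in a paper book.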


4) Who should write the report?

In some organisations, a person needs special permission to write a report (regardless of whether they attended the incident scene). If you write the report, it’s important you gather information from other people involved in the incident.

This may mean talking to people at the scene and other related parties. Security incidents will often be the result of a chain of events, some of which may not be obvious at first.

Security incident report software can limit who accesses an incident report.

Who should view the reports?

Reports may include sensitive information. Therefore, it’s important access is restricted.

Cyber incidents can often be recorded by any staff member. Security guards have special software to record incident reports, for example the daily occurrence book or incident report forms.

Often only security personnel can view reports. For example, software will use permission-based access. However, viewing rights may be extended to non-security personnel.


5) How to write a good security incident report

Report writing is a skill to develop over time. A well-written report is easy to follow, objective and truthful. Here’s how to become a better report writer.

Order

Write the security incident report in chronological order, detailing events in sequence from past to present.

Facts not Fiction

Record the facts rather than a story or narrative. For example, imagine you’re out walking and discover an injured person lying in the street. You spot someone running away from the scene. Many people would assume the runner is the assailant (this is what we see in movies all the time). However, the runner could be someone running for help.

We are tempted to assume the runner is responsible for the person’s injuries because this is a familiar story. However, report writing is not storytelling. Record the incident as you find it; don’t apply judgments. Use the same rule when taking witness statements.

No Lies

Be honest, even if you’re not proud of your actions.


6) Why write a security incident report

An incident report helps us learn from our mistakes and make the world a better place. By simply writing down the sequence of events we are creating an external account that can aid legal or civil proceedings. Incident report software, such as SIRV, helps with this process.

A security report can appear daunting and time-consuming, but it’s a hugely valuable exercise. Everyone from manager to CEO could benefit from the report you write.

 

Frequently asked questions

What is a security incident report?
A written account of an untoward event, for example theft, assault or anti-social behaviour. It may also cover non-physical incidents such as a cyber breach.

What should a security incident report include?
Your details, date, time and location, a factual description, affected systems or resources, impact, immediate actions, who was notified, evidence references and follow-up actions, lessons learned and recommendations.

When should I write the report?
Deal with the incident first. Submit a brief preliminary report as soon as practical, then a full detailed report within the next few days.

Who should write the report and who can view it?
Usually the first responder writes the initial entry and a supervisor or investigator may add detail. Only authorised personnel should access the report.

How do I write a good report?
Use facts not fiction, avoid assumptions, write in chronological order and be honest. If using paper, write legibly in permanent ink and follow basic rules like avoiding overwriting.

Where should I write and store reports?
Capture details wherever safe and then use a formal template. Store securely with restricted access and version control so changes are fully auditable.

Is there a Word or PDF incident report template?
Yes. This guide provides downloads for both Word and PDF templates to adapt to your organisation.

Does this relate to Martyn’s Law?
A clear incident reporting process supports readiness and audit, which will help organisations subject to the Protect Duty meet their obligations.


"SIRV helped us move beyond basic reporting into a system that actively supports decision-making". Les O'Gorman, Director of Facilities, UCB - Pharma and Life Sciences
