Security incident report –  How to guide in 6 steps

Security incident reports – how to guide in 6 steps – is for security guards who want to follow best practice.

We’ll look at why it’s important to write a report, what should be in your report and things to avoid.

How to write a security incident report - ultimate how to guide in 6 steps
How to write an incident report: Transcript

0:00 Kippling. write one, it’s quite possibly your job. It’s possibly part of your job and therefore you need to write an instant report. 0:11 Number two, very often for legal proceedings, civil criminal proceedings, claims, instant reports for an important part of that investigation. So well worth knowing how to and then finally, how and earth are we going to learn and get better if we don’t write instant reports? 0:32 It’s key for us to gain a learning opportunity from, so we need to write instant reports. What then should go into our instant report? 0:44 Well, it’s important that you note down in the Insta Report, your name, when you’re writing the report, when the Insta Report took place, where the Insta itself took place, and then other things such as the events that unfolded and lastly what impact it has and lessons learned. 1:08 Where should you write the Insta Report? Good question, it honestly doesn’t really matter that much. What is important is that you get your initial findings down. 1:19 You can use a scrap piece of paper for this. You can use a napkin. You can use your phone. Get the information recorded in the first place. 1:27 And then perhaps when you get back to the office and front of the PC or the tablet, that’s when you can write up your instant report. 1:35 When should you write the instant report? Well, hold on. First, we should actually deal with the incident itself. don’t go writing out an instant report if someone is in trouble or you’ve got a leak which looks like it could turn into a flood. 1:51 First things first, deal with the incident and then secondly think about writing the report. Often it’s the case that people will have an initial findings report that comes first and then a few days later after perhaps further investigations, a full comprehensive report will be filed. 2:13 How then to write the Institute of Report? Good question. How do we write the Institute of Report and over to the vital hand side here? 2:19 We’ve got to help. Now, this little timeline shows us what we should be doing. We should be thinking about, in our Institute of Report, what happened to particular events in chronological order? 2:32 It’s important that we write down this happened. then this event. What we don’t do is write a perfect piece of fiction or a fantastic story saying this happened and then this bloke hit this bloke because that bloke looked a certain way. 2:49 That is not what we are about here. We are writing into the report. We are not assuming why things happened. 2:55 We are just writing about what happened and in a certain order. And be mindful. Even if you committed an act which you’re not particularly proud of, perhaps you didn’t perform to the best of your ability, it doesn’t matter. 3:09 What’s important is your honest and your true and that goes into the instant report. It’s self. Who should write the instant report? 3:17 Well, again, it doesn’t really matter that much. Some people have unique skills and perhaps it’s their responsibility to write the report. 3:25 those people will then be assigned the task, however, you might find different people writing a report, it might be a director, head of security, your supervisor, it might be you yourself writing the report. 3:38 Whoever writes the report, if there are witnesses involved, it’s likely the witnesses will also need to be interviewed and it’s entirely possible you will receive other instant reports that you might wish to review from people like the emergency services. 3:55 If you found this particular video helpful, all you have any comments, go ahead, comments in the comments section or perhaps get in touch. 4:06 Thanks for watching.

What to write down in security incident report: Who you are, date, time and location.  Then add what happened, what’s the impact of the incident, what you’ve done as a result and who you’ve told about the incident. Later, add lessons learnt.

When to write the report: Do not make the report the priority, deal with the incident first. Then write a preliminary, summary report. In next few days, write a full detailed report.

Where to write the report: Write information wherever you can safely store it. Later, add it to a formal incident report template. The report can be written at the scene or at a desk. Make sure handwriting is legible.

Who should write the report: Often, the person who finds the incident makes a report, which may be followed-up by someone else. Speak to witnesses. Only authorised people should view the report.

How to write the report: Use facts, not fiction, avoid stories or assumptions. Write events in a time, chronological order. Be honest, even if you’re not proud of your actions.

Why write a security incident report: We can only learn from security incidents if a report is made. They can also form an important part of legal proceedings.

What is a security incident report?

A security incident report is an account of an untoward security event. For example, theft, assault and anti-social behaviour. But, they may also include non-physical incidents such as a cyber security breach. Incidents reports can be hand written or entered online using software such as our Incident and event reports feature. 

Security incident report template PDF

Security incident report template Word

What to write in a security incident report

A security guard should write the following in a security incident report, it’s split onto two parts.

Part 1)

As soon as possible after the security incident record:

  1. Orientation: Kind of security incident, its time, date and location. For example, theft at 10:59 2 January 2024, West Wing.
  2. Incident description: Details about what happened, who was involved and relevant details. For example, female customer had purse stolen by the assailant, a hooded man, who ran north into the high street.
  3. Affected systems/resources: Was anything impacted by the security incident. For example, the assailant damaged the north emergency exit door while running away.
  4. Impact assessment: What were the consequences of the security incident? For example, the emergency exit door set-off an alarm and local retailers began to evacuate.
  5. Response actions taken: What actions were taken immediately after the incident. For example, security officer was posted to the damaged emergency exit and the customer was taken to our local canteen.
  6. Notification: List who has been notified about the incident. For example, the police were called about the theft and my security manager was told immediately.
  7. Evidence and documentation: Reference or add any relevant evidence. For example, list CCTV footage relevant to the theft.
  8. Your details: Add your name and contact details to the security incident report form.

Part 2)

Follow-up the security incident in next few days and write:

  1. Follow-up actions: List any ongoing or future actions that will be taken to address the incident. For example, security guards will now patrol the location of the theft every hour.
  2. Lessons learnt: Note lessons learnt and how similar incidents can be prevented in the future. For example, notices are now displayed in the area warning customers about thefts.
  3. Recommendations: Provide recommendations for improving security. For example, more security officers should be sent to the area
  4. Add details of you and any authorising parties: Add your name and contact details to the security incident report form. Add the name and contact details of anyone who has approved the report.

Sample incident report template

[Organisation Name]


[City, postcode]

[Phone number]

[Date of incident report]

Security Incident Report

  1. Incident Details:

Date and time of incident: [Date] [Time]

Location of incident: [Location]

Incident Type: [e.g., Unauthorised Access, Data Breach, Theft]

Incident Severity: [Low, Moderate, High, Critical]

  1. Incident description:

Provide a detailed description of the incident, including what happened, who was involved, and any relevant circumstances leading up to the incident.

  1. Affected systems/resources:

List all systems, equipment, or resources that were affected by the incident.

  1. Impact assessment:

Describe the impact of the incident, including potential data loss, system downtime, financial loss, or other consequences.

  1. Response actions taken:

Outline the actions taken immediately after discovering the incident, including any security measures implemented to reduce further damage.

  1. Notification:

Indicate whether law enforcement, regulatory authorities, or affected parties were notified, and provide details on the individuals or organisations contacted.

  1. Evidence and documentation:

Attach any relevant evidence, logs, or documentation that supports the incident report. Include witness statements, security camera footage, or system logs, if applicable.

  1. Follow-up actions:

List any ongoing or future actions that will be taken to address the incident, including security improvements, policy changes, or training initiatives.

  1. Lessons learned:

Discuss what lessons were learned from the incident and how similar incidents can be prevented in the future.

  1. Recommendations:

Provide any recommendations for improving security or preventing similar incidents in the future.

  1. Incident Reporting Personnel:

Name: [Your Name]

Title: [Your Title]

Contact Information: [Your Phone Number]

Email: [Your Email Address]

  1. Approval:

[Signature of Supervisor or Security Officer]

Name: [Supervisor/Security Officer Name]

Title: [Supervisor/Security Officer Title]

Date: [Date of Approval]

I keep six honest serving-men (they taught me all I knew). Their names are what and why and when and how and where and who.

Rudyard Kipling

How to remember what to write

What to write in a security incident report it simple, just remember these six prompts:

  • What happened?
  • Where did it happen?
  • Why did it happen?
  • Who was involved or witnessed the incident?
  • When did it happen?
  • How did it happen?

A great way to remember these six prompts is Rudyard Kipling’s poem ‘Six Honest Serving Men’.

2) When to write the report

Because memories fade it’s important to write a security incident report while it’s fresh in the mind. For this reason, often incident reports are made in two stages:

  • Initial, preliminary report, written straight after the security incident
  • Full report, written over next few days

By publishing the preliminary report straight after the incident you quickly make interested parties aware of it. A full report is likely to be more comprehensive than a preliminary report.

The report is not the priority

Make a report only if it is not a distraction from an ongoing incident. Prioritise the incident on site, then make an entry. For example, if there’s a protest on site, attend immediately to the incident rather than the report.

If, for whatever reason, you do not have time to complete a full entry, make an abbreviated report and complete as soon as possible. For example, if it is the end of shift and an incident occurs, you may not have time to complete a full entry. In this instance, make an abbreviated entry and complete when next on shift.

When to write a security incident report

3) Where to write the security incident report

Many people write their report at the location of the incident, ‘in the field’.

In the first instance, you can record the incident using any storage device for example, an audio or video recording may be appropriate. It’s important to capture information while it’s fresh in people’s minds. If that means you need to write on a napkin and write-up the report later, that’s fine.

Most report writers will use paper or digital form enhanced by media to publish their findings.

Paper and digital reports

Paper or digital reports are used to record security incidents. But, if paper ensure a permanent ink is used to make entries. Do not use a pencil because it’s is easily erased and fades over time.

Handwriting and legibility

Many people’s handwriting is difficult to read (I know mine is). Therefore, to avoid this problem many people will use software. However, if paper is used it is important your handwriting is legible. Consider using CAPITAL LETTERS. Because capital letters slows down writing and makes each letter easier to read.


If you use a digital report your text will be automatically checked for spelling errors. However, if you are using a paper book remember:

  • A security incident report is not a writing test, do not get anxious
  • If uncertain about spelling use a dictionary.

Made a mistake?

If you or someone else makes a mistake on paper do not score through or mark out the error. Make a reference to the error and then add the correction elsewhere.

Here at SIRV we use a versioning system. Therefore, no entry is ever deleted but new versions are updated. This means there is a full audit trail of changes made.


If you use paper, then ELBOW is a useful acronym for some basic rules.

Do not:

  • Erase. Do not rub out or score through mistakes. Initial the error and make another entry.
  • Leaves should not be torn out of a book. Even if the page has only one entry. Any errors should be initialed and explained.
  • Blank spaces are not helpful. Because if your book has a reference coding system, any spaces will make the system hard to follow. Avoid blank spaces and use all the lines in the book.
  • Overwriting is difficult to read and destroys previous entries. Do not overwrite.
  • Writing between lines makes reading difficult. Do not write between lines.

Who should write a security incident report - ultimate how to write a security incident report

4) Who should write the report?

In some organisations to write a report needs special permission (regardless of whether they attended the incident scene). If you write the report it’s important you gather information from other people involved in the incident.

This may mean talking to people at the scene and other related parties. Security incidents will often be the result of a chain of events, some of which may not be obvious at first.

Security incident report software can limit who accesses an incident report.

Who should view the reports?

Reports may include sensitive information. Therefore, it’s important access is restricted.

Cyber incidents can often be recorded by any staff member. Security guards have special software to record incident reports. For example. the daily occurrence book or incident report forms.

Often only security personnel can view reports. For example, software will use permission based access. However, viewing rights may be extended to non-security personnel.

Eject people procedure guide shows happy security officer/guard

5) How to write a good security incident report

Report writing is a skill to develop over time. A well written report is easy to follow, objective and truthful. Here’s how to become a better report writer.


Write the security incident report in a chronological order and detail events in a time sequence from the past to present.

Facts not Fiction

Record the facts rather than a story or narrative. For example, imagine you’re out walking and discover an injured person lying in the street. You spot someone running away from the scene. Many people would assume the runner is the assailant (this is what we see in movies all the time). However, the runner could be someone running for help.

We are tempted to assume the runner is responsible for the person’s injuries because this is a familiar story. However, report writing is not story telling. Record the incident as you find it, don’t apply judgments. Use the same rule when taking witness statements.

No Lies

Be honest, even if you’re not proud of your actions.

Why write a security incident report - ultimate 6 step guide to write an incident report

6) Why write a security incident report

An incident report helps us learn from our mistakes and make the world a better place. By simply writing down the sequence of events we are creating an external account that can aid legal or civil proceedings. Incident report software such as, SIRV helps with this process.

A security report can appear daunting and time consuming but it’s a hugely valuable exercise. Everyone from manager to CEO could benefit from the report you write.

Looking for a way to record your reports?

We’ve got you covered – get in touch

Daily occurrence entry in SIRV show date and time, location as well as name of user, detail about occurrence and sign off password

SIRV email list subscribe

Get great content straight to your inbox

Join our mailing list to receive the latest news and updates from our team.

GDPR Consent

Terms and Conditions

You have Successfully Subscribed!