Security Incident Report – Ultimate How to Guide

Security incident reports are crucial to a successful operation. This article is the ultimate how to guide. We’ll answer common questions, such as: what to put in an security incident report, how to deal with mistakes and when to write one a security incident report.

Security incident report creation

What is a security incident report?

 A security incident report is an account of an untoward event. Often we associate it with injuries and accidents involving people. However, they’re also a record of other negative events. For example, cyber security breaches. 

What to write

What to write in a security incident report it simple, just remember these six prompts:

  • What happened?
  • Where did it happen?
  • Why did it happen?
  • Who was involved or witnessed the incident?
  • When did it happen?
  • How did it happen?

Back in 1900 Rudyard Kipling wrote a great poem: Six Honest Serving Men. We love to commit to memory the below extract.

I keep six honest serving-men (they taught me all I knew). Their names are what and why and when and how and where and who.

Rudyard Kipling

2) When to write the report

Because memories fade it’s important to write a security incident report while it’s fresh in the mind. For this reason, often incident reports are made in two stages:

  • Preliminary report, written straight after the incident.
  • Full report, written over the next few days.

By publishing the preliminary report straight after the incident you quickly make interested parties aware of it. A full report is likely to be more comprehensive than a preliminary report.

The report is not the priority

Make a report only if it is not a distraction from an ongoing incident. Prioritise the incident on site, then make an entry.

If, for whatever reason, you do not have time to complete a full entry, make an abbreviated report and complete as soon as possible. For example, if it is the end of shift and an incident occurs, you may not have time to complete a full entry. In this instance, make an abbreviated entry and complete when next on shift.

3) Where to write the security incident report

Many people write their report at the location of the incident, ‘in the field’.

In the first instance you can record the incident using any storage device for example, an audio or video recording may be appropriate. It’s important to capture information while it’s fresh in people’s minds. If that means you need to write on a napkin and write-up the report later, that’s fine.

Most report writers will use paper or digital form enhanced by media to publish their findings.

Paper and digital reports

Paper or digital reports are used to record security incidents. But, if paper ensure a permanent ink is used to make entries. Do not use a pencil because it’s is easily erased and fades over time. 

Handwriting and legibility

Many people’s handwriting is difficult to read (I know mine is). Therefore, to avoid this problem many people will use software. However, if paper is used it is important your handwriting is legible. Consider using CAPITAL LETTERS. Because capital letters slows down writing and makes each letter easier to read.


If you use a digital report your text will be automatically checked for spelling errors. However, if you are using a paper book remember:

  • A security incident report is not a writing test, do not get anxious.
  • Use a dictionary if uncertain about how to spell a word.

Made a mistake?

If you or someone else makes a mistake on paper do not score through or mark out the error. Make a reference to the error and then add the correction elsewhere.

Here at SIRV we use a versioning system. Therefore, no entry is ever deleted but new versions are updated. This means there is a full audit trail of changes made.


If you use paper, then ELBOW is a useful acronym for some basic rules.

Do not:

  • Erase. Do not rub out or score through mistakes. Initial the error and make another entry.
  • Leaves should not be torn out of a book. Even if the page has only one entry. Any errors should be initialed and explained.
  • Blank spaces are not helpful. Because if your book has a reference coding system, any spaces will make the system hard to follow. Avoid blank spaces and use all the lines in the book.
  • Overwriting is difficult to read and destroys previous entries. Do not overwrite.
  • Writing between lines makes reading difficult. Do not write between lines.

4) Who should write the report?

In some organisations to write a report needs special permission (regardless of whether they attended the incident scene). If you write the report it’s important you gather information from other people involved in the incident.

This may mean talking to people at the scene and other related parties. Security incidents will often be the result of a chain of events, some of which may not be obvious at first.

Security incident report software can limit who accesses an incident report.

Who should view the reports?

Reports may include sensitive information. Therefore, it’s important access is restricted.

Cyber incidents can often be recorded by any staff member. Security guards have special software to record incident reports. For example. the daily occurrence book or incident report forms

Often only security personnel can view reports. For example, software will use permission based access. However, viewing rights may be extended to non-security personnel.

5) How should you write the security incident report?

Report writing is a skill developed over time. A well written report is easy to follow, objective and truthful. Here’s how to become a better report writer.


Write the security incident report in a chronological order and detail events in a time sequence from the past to present.

Facts not Fiction

Record the facts rather than a story or narrative. For example, imagine you’re out walking and discover an injured person lying in the street. You spot someone running away from the scene. Many people would assume the runner is the assailant (this is what we see in movies all the time). However, the runner could be someone running for help.

We are tempted to assume the runner is responsible for the person’s injuries because this is a familiar story. However, report writing is not story telling. Record the incident as you find it, don’t apply judgments. Use the same rule when taking witness statements.

No Lies

Be honest, even if you’re not proud of your actions.

6)Why write a security incident report

An incident report helps us learn from our mistakes and make the world a better place. By simply writing down the sequence of events we are creating an external account that can aid legal or civil proceedings. Incident report software helps with this process.

A security report can appear daunting and time consuming but it’s a hugely valuable exercise. Everyone from manager to CEO could benefit from the report you write.