After previous incidents (or near-misses), are lessons documented and acted on?
Demonstrate that the organization systematically documents lessons learned from security incidents and near-misses, and implements corrective actions that result in measurable improvements to security controls, processes, or detection capabilities.
Description
What this control does
This control ensures that organizations systematically capture lessons learned from security incidents and near-miss events, document them in a structured format, and implement corrective and preventive actions. The process typically involves post-incident review meetings, root cause analysis, documentation of findings in an incident knowledge base, and tracking of remediation tasks through completion. Effective implementation prevents recurrence of similar incidents, improves detection capabilities, and continuously strengthens the security posture based on real-world experience rather than theoretical threats alone.
Control objective
What auditing this proves
Demonstrate that the organization systematically documents lessons learned from security incidents and near-misses, and implements corrective actions that result in measurable improvements to security controls, processes, or detection capabilities.
Associated risks
Risks this control addresses
- Repeated exploitation of the same vulnerability or attack vector due to failure to remediate root causes after initial compromise
- Missed opportunity to detect similar attack patterns early because indicators of compromise were not integrated into monitoring systems
- Organizational knowledge loss when incident responders leave without documented lessons, forcing teams to re-learn from future incidents
- Failure to address systemic weaknesses in security controls, processes, or configurations that enabled the initial incident
- Regulatory penalties or liability exposure when repeated similar incidents without corrective action are taken as evidence of negligence
- Resources wasted responding to preventable incidents that implemented lessons learned would have mitigated
- Erosion of stakeholder confidence when the organization fails to improve after publicly disclosed or customer-impacting security events
Testing procedure
How an auditor verifies this control
- Obtain the incident register or ticketing system records for the past 12-24 months and identify all closed security incidents and documented near-miss events
- Select a representative sample of 5-10 incidents spanning different severity levels, including at least one high-severity incident and one near-miss event
- For each sampled incident, retrieve the post-incident review documentation, lessons learned reports, or after-action reviews
- Verify that each lessons learned document includes root cause analysis, timeline of events, identified control gaps, and specific recommended actions with assigned owners
- Cross-reference documented recommendations against change management records, vulnerability remediation tickets, policy updates, or configuration changes to verify implementation
- Interview incident response personnel and ask them to describe how specific past incidents influenced current detection rules, playbooks, or security controls
- Review security monitoring configurations, SIEM rules, or threat intelligence feeds to confirm integration of indicators of compromise or attack patterns from documented incidents
- Examine metrics or KPIs tracking repeat incidents to determine whether similar incidents have decreased following implementation of lessons learned
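The cross-referencing steps above (required elements of each lessons-learned document, assigned owners, corrective actions verified against change records, and repeat incidents sharing a root cause) can be automated over exported records. The following is an added example, not part of the control text; the record layout, field names and sample incidents are constructed assumptions.

```python
"""Lessons-learned evidence check (added example; record layout is assumed)."""
from collections import Counter

# Elements the testing procedure expects in every lessons-learned document.
REQUIRED_FIELDS = ("root_cause", "timeline", "control_gaps", "actions")

# Constructed sample exports: one complete review, one missing its timeline,
# one near-miss with an unowned action and an open ticket, and a repeated
# root cause (INC-1 and INC-3) showing the first lesson was not acted on.
REVIEWS = [
    {"incident_id": "INC-1", "severity": "high", "root_cause": "unpatched VPN appliance",
     "timeline": ["detect", "contain", "recover"], "control_gaps": ["patch SLA not enforced"],
     "actions": [{"id": "A1", "owner": "infra", "ticket_id": "CHG-10"}]},
    {"incident_id": "INC-2", "severity": "low", "root_cause": "credential phishing",
     "control_gaps": ["no URL rewriting"],
     "actions": [{"id": "A2", "owner": "secops", "ticket_id": "CHG-11"}]},
    {"incident_id": "INC-3", "severity": "near-miss", "root_cause": "unpatched VPN appliance",
     "timeline": ["detect", "block"], "control_gaps": ["patch SLA not enforced"],
     "actions": [{"id": "A3", "owner": None, "ticket_id": "CHG-12"}]},
]
# Constructed change-management export: ticket id -> status.
TICKETS = {"CHG-10": "closed", "CHG-11": "closed", "CHG-12": "open"}


def audit_review(review, tickets):
    """Return audit findings for one post-incident review (empty list = pass)."""
    findings = []
    inc = review["incident_id"]
    for field in REQUIRED_FIELDS:
        if not review.get(field):
            findings.append(f"{inc}: missing {field}")
    for action in review.get("actions", []):
        if not action.get("owner"):
            findings.append(f"{inc}/{action['id']}: no owner")
        # A recommendation counts as implemented only if its change ticket is closed.
        if tickets.get(action.get("ticket_id")) != "closed":
            findings.append(f"{inc}/{action['id']}: corrective action not verified as implemented")
    return findings


def repeat_root_causes(reviews):
    """Root causes seen in more than one incident, evidence a lesson was not acted on."""
    counts = Counter(r["root_cause"] for r in reviews)
    return sorted(cause for cause, n in counts.items() if n > 1)


def audit_all(reviews, tickets):
    """Findings across the whole sample, in register order."""
    return [f for r in reviews for f in audit_review(r, tickets)]
```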