Are post-incident lessons-learned captured and acted on?
Description
What this control does
Post-incident lessons-learned is a structured process that captures findings, root causes, and improvement opportunities once a security incident has been resolved. Organizations hold formal review sessions with incident response team members and stakeholders, record observations in standardized reports, and track remediation actions through to completion. The control converts the operational experience of each incident into process, technical, and procedural improvements, so that every incident leaves the organization's security posture stronger than it was before.
Control objective
What auditing this proves
Demonstrate that the organization systematically captures, documents, and implements improvements identified during post-incident reviews to prevent recurrence and strengthen incident response capabilities.
Associated risks
Risks this control addresses
- Repeated exploitation of the same vulnerability or attack vector due to failure to address root causes identified in prior incidents
- Incident response procedures remain ineffective because gaps and delays identified during real incidents are not corrected
- Detection capabilities fail to improve, allowing similar attacks to evade monitoring because lessons about blind spots are not acted upon
- Coordination failures recur across teams because communication breakdowns identified in past incidents are never remediated
- Resource allocation remains misaligned with actual threat patterns because incident data is not systematically analyzed for trends
- Compliance violations repeat because process deficiencies that enabled security incidents are not documented or corrected
- Organizational learning atrophies as incident responders depart, taking undocumented knowledge of attack patterns and response effectiveness with them
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's incident response policy and procedures to identify documented requirements for conducting post-incident lessons-learned reviews
- Request a complete inventory of security incidents from the past 12 months, including incident IDs, severity classifications, and closure dates
- Select a representative sample of 5-8 incidents spanning different severity levels and incident types for detailed examination; include the highest-severity incidents of the period and any incident whose root cause matches an earlier one, since a recurrence is the most direct evidence that a prior lesson was not acted on
- For each sampled incident, obtain the corresponding lessons-learned report or post-mortem document and verify it contains root cause analysis, timeline reconstruction, response effectiveness assessment, and improvement recommendations
- Review meeting invitations, attendance records, or interview notes confirming that formal lessons-learned sessions were conducted with appropriate stakeholders within the timeframe the incident response policy defines after incident closure
- Examine the corrective action tracking system or issue management platform to verify that recommendations from lessons-learned reports were converted into trackable remediation tasks with assigned owners and due dates
- Trace a subset of remediation actions to completion by reviewing change tickets, policy updates, configuration modifications, training records, or other evidence demonstrating implementation
- Interview incident response team leads to assess whether lessons-learned findings have been incorporated into updated runbooks, detection rules, escalation procedures, or training materials
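Most of the evidence checks in the procedure above (a review exists for every closed incident, it was held within the policy deadline, it contains the required sections, every recommendation maps to a tracked action with an owner and due date, and completed actions carry implementation evidence) can be run mechanically over exports from the ticketing and incident systems. The script below is an added example written for this page, not tooling from the original page or any particular product. The record layouts, the 14-day review deadline, and all incident, post-mortem and action data are assumed and constructed for illustration; substitute the organization's own policy SLA and export format.

```python
"""Evidence check for post-incident lessons-learned follow-through.

Added example with constructed data; the record formats and the
14-day review deadline are assumptions, not a standard.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

# Sections the procedure expects in every lessons-learned report.
REQUIRED_SECTIONS = {"root_cause", "timeline", "response_effectiveness", "recommendations"}
# Assumed policy deadline for holding the review after closure (days).
REVIEW_DEADLINE_DAYS = 14


@dataclass
class Incident:
    id: str
    severity: str
    closed: date


@dataclass
class PostMortem:
    incident_id: str
    held: date
    sections: Set[str]
    recommendations: List[str]      # recommendation ids listed in the report


@dataclass
class Action:
    id: str
    incident_id: str
    recommendation: str             # which recommendation this task implements
    owner: Optional[str]
    due: Optional[date]
    status: str                     # "open" or "done"
    evidence: Optional[str]         # change ticket, policy version, training record...


Finding = Tuple[str, str, str]      # (incident id, finding code, detail)


def audit(incidents, postmortems, actions, as_of: date) -> List[Finding]:
    """Return one finding per gap between the procedure's expectations and the records."""
    findings: List[Finding] = []
    pm_by_inc = {p.incident_id: p for p in postmortems}
    acts_by_inc = {}
    for a in actions:
        acts_by_inc.setdefault(a.incident_id, []).append(a)

    for inc in incidents:
        pm = pm_by_inc.get(inc.id)
        if pm is None:
            findings.append((inc.id, "NO_POSTMORTEM",
                             f"{inc.severity} incident closed {inc.closed} has no lessons-learned record"))
            continue                    # nothing further can be checked
        delay = (pm.held - inc.closed).days
        if delay > REVIEW_DEADLINE_DAYS:
            findings.append((inc.id, "LATE_REVIEW",
                             f"review held {delay} days after closure (limit {REVIEW_DEADLINE_DAYS})"))
        missing = REQUIRED_SECTIONS - pm.sections
        if missing:
            findings.append((inc.id, "MISSING_SECTIONS", ", ".join(sorted(missing))))
        inc_actions = acts_by_inc.get(inc.id, [])
        tracked = {a.recommendation for a in inc_actions}
        for rec in pm.recommendations:   # every recommendation must become a trackable task
            if rec not in tracked:
                findings.append((inc.id, "UNTRACKED_RECOMMENDATION", rec))
        for a in inc_actions:
            if not a.owner or a.due is None:
                findings.append((inc.id, "ACTION_UNASSIGNED", a.id))
            if a.status == "done" and not a.evidence:
                findings.append((inc.id, "DONE_WITHOUT_EVIDENCE", a.id))
            if a.status != "done" and a.due is not None and a.due < as_of:
                findings.append((inc.id, "ACTION_OVERDUE", f"{a.id} due {a.due}"))
    return findings


def run_sample() -> List[Finding]:
    """Run the audit over constructed sample records (all ids and dates are invented)."""
    incidents = [
        Incident("INC-1001", "High", date(2024, 3, 4)),
        Incident("INC-1002", "Medium", date(2024, 3, 20)),
        Incident("INC-1003", "Critical", date(2024, 4, 2)),   # no review at all
        Incident("INC-1004", "Low", date(2024, 4, 10)),
    ]
    postmortems = [
        PostMortem("INC-1001", date(2024, 3, 8), set(REQUIRED_SECTIONS), ["R1", "R2"]),
        PostMortem("INC-1002", date(2024, 4, 15),                          # 26 days late
                   REQUIRED_SECTIONS - {"response_effectiveness"}, ["R3"]),
        PostMortem("INC-1004", date(2024, 4, 12), set(REQUIRED_SECTIONS), ["R4"]),
    ]
    actions = [
        Action("ACT-1", "INC-1001", "R1", "soc-lead", date(2024, 4, 30), "done", "CHG-2201"),
        Action("ACT-2", "INC-1001", "R2", None, date(2024, 5, 15), "open", None),
        Action("ACT-3", "INC-1002", "R3", "it-ops", date(2024, 5, 1), "done", None),
        # R4 for INC-1004 was never turned into a task
    ]
    return audit(incidents, postmortems, actions, as_of=date(2024, 6, 1))


if __name__ == "__main__":
    for inc_id, code, detail in run_sample():
        print(f"{inc_id}  {code:<25} {detail}")
```

A clean run produces no findings; each finding code corresponds to one bullet of the testing procedure, so the output doubles as the workpaper for that step. The check deliberately stops at the first gap for an incident with no review record, since the remaining criteria cannot be assessed without one.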