Free ebook: NIS2 ready using ISO 27001 best practices
Download ebook
Academy home
Incident management summary in Cyberday

Incident management in Cyberday means for example being able to detect, respond to and analyze security incidents efficiently. Good incident management involves e.g. having clear tasks related to incident detection and response, systematically documenting happened incidents and instructing employees in being active on incident reporting.

How does Cyberday help you?

All of those above mentioned different steps in incident management can be handled directly in Cyberday. In the following paragraphs, we will show you how you can approach incident management in Cyberday.

Employee incident reporting

Your employees can report incidents directly via their own Guidebook. The incident will automatically move to your incident documentation and the admin/the owner of the task will get notified right away. Read more about how to activate the incident reporting feature, how the feature works for your employees and how you will be notified when an incident has been reported in our help article about the incident reporting feature.

Incident reporting notifications

Where to find this view: Dashboard -> Theme "incident management"-> documentation -> security incidents

Immediate notifications can be a game changer when it comes to quick reactions in the case of an incident. Therefore, the admins selected for the incident management section will receive an immediate notification (i.e. via MS Teams or Slack, if the integration is activated) once an incident is reported. You can find the incident notification in Cyberday from the theme "Incident management" in the organisation dashboard. Click on the theme and then click on "security incidents" on the right.

Open "Security incidents" and you will get to a documentation list with all of the reported incidents. You can select multiple list owners to be notified (see screenshot below). By clicking on an incident from the list, you can click on it to see the details and accept it to keep it in the incident list and continue to the treatment. Once you have accepted the incident, you have to fill in more information, i.e. how critical that incident is for your organisation and and how it will be treated.

Incident reporting workflows in Cyberday

In your incident documentation, you can follow a specific workflow to make your incident treatment as efficient as possible. You can see (and filter by) the different incident workflow stages in the top section above the incident documentation list.

The workflow looks as the following:

  1. Detection
  2. Described
  3. Effects
  4. Improvements
  5. Closed


The detection phase means for example receiving the notification of the incident. Once an incident has been reported by an employee, the owner will automatically receive the notification and the incident will be listed as detected in the incident documentation list.


Once an incident has been approved, the owner can start working with it. Click on the incident in the documentation list and a new view with more information about the incident will open. For this step, fill in the information about the incident and make sure the owner and the priority are set. Answer the questions and fill in the information under "01 What was the type of incident". Once you have filled the information, make sure to mark the part as completed. The status of the incident then will automatically update as "described".


Choose the effects in the second part of the documentation card. Are they having a low, average or high effect on the organization? Are the fixes of the incident rather urgent? Once the effects are evaluated, mark the part as done and the incident will automatically move to the status "Effects".


Once the incident has been identified and assessed, measures must be decided both to manage the disturbance immediately and to avoid similar incidents in the longer term. Describe the improvements, which are planned in order to prevent similar kind of incidents in the future in the third section of the documentation card. Once this is marked as done, the incident will automatically be moved to the status "Improvements".


To finish and close an incident, make sure all of the measures and improvements are reviewed and implemented. Once everything is in place and the effects are treated, the incident can be marked as closed and the workflow is finished.

Preparing and training your employees

Where to find this view: Dashboard -> Theme "incident management"-> guidelines

You can create specific guidelines for incident management in Cyberday. Those guidelines can be specifically directed to specific units, if needed. Note: You should create a guidelines for all of your employees to make sure there are instructions on how to act in the case of an incident. Under "Guidelines" in the theme "Incident management", you can find a collection of ready-to-use guideline (template) suggestions. You can activate the guidelines as they are, adapt them or create your very own guidelines. For each guideline, you can further add case examples or skill tests, if you would like deepen the awareness of your employees even further.

Incident management policy and tasks

Where to find this view: Dashboard -> Theme "incident management"

From the themes in your Organization Dashboard, you can find the theme "Incident management". Open that theme to access the list of your incident management policies and documentation. Once you have opened the theme, you will find the following view, including the list of policies, tasks, documentation, reports and all of the connected guidelines.

Open the tasks of the incident management theme either by opening each of the policies and activating the suggested tasks individually or by clicking "tasks" on top of the policies. In that overview, you will find all of the tasks related to this theme (and your framework selection) grouped by priority. You can activate the tasks in bulk. Assign the tasks to the members of your key security team to ensure those will be handled.

Where to find this view: Dashboard -> Theme "incident management"-> tasks

Each tasks requires the input of more information, including a description of how this task is being handled. We are providing example texts/templates for you to adapt to your needs for most of our tasks. Remember: The person(s) you set as owner for incident management will get notified in the case of an incident. Therefore it is crucial to set responsible persons.

This is how a task may look like  when you start with the working process. If you click on the "Example available" or start with the process description, you will see the following view:
Either write your own description or use and adapt our example text. This saves you time and effort.

Incident treatment workflow and documentation

Where to find this view: Dashboard -> Theme "incident management"-> documentation

The documentation of the incident management theme includes different topics, such as incident management and response (with risk management, awareness training for the employees, continuity plans, etc.) or personal data breaches. You can also get directed to the non-conformities, which are a related theme (use the link "Nonconformities" on the right side. If you have other related documentation items from other themes, they will appear there too.

Each of the documentation items has its own list, if you click on it. If you open for example "Continuity plans", you will get to your documentation list of continuity plans. There, you can click on each of the items listed separately, in order to get a more detailed view of each documentation item.


Where to find this view: Dashboard -> Theme "incident management"-> reports

You can also create incident management reports under the tab "Reports". Those reports work just like any other report in Cyberday and is automatically created for you from the information, the software is fetching from the related tasks and documentation items. The report includes different elements, such as the following exammple case:

Example part of an incident report document.

Questions and feedback

Do you have any further questions, would need another help article or would like to give some feedback? Please contact our team via or the chat box in the right lower corner.


Share article