GRCWatch
Sign inStart free trial

CIS Control 17.3: Establish and Maintain an Enterprise Incident Reporting Process

A structured incident reporting process is your organization's first line of defense in responding to security breaches. CIS Control 17.3 requires you to formalize how employees report incidents—defining who they report to, how quickly, and what information must be included. Without it, critical security events slip through the cracks.

What this means

This control requires you to create and document a formal incident reporting workflow that every team member can access and understand. The process must specify: the timeframe for reporting (e.g., immediate or within 24 hours), which personnel or departments receive reports, the reporting mechanism (email, ticketing system, hotline), and the minimum data that must accompany each report (affected systems, date/time, impact estimate). This process should be transparent, easily accessible to your entire workforce, and reviewed at least annually to ensure it remains effective.

How to comply

  1. 1.Define your incident reporting timeframe—establish whether incidents must be reported immediately, within 24 hours, or another window that matches your risk tolerance
  2. 2.Designate incident report recipients—identify specific roles (CISO, security team, IT help desk) and provide their contact information
  3. 3.Choose a reporting mechanism—decide whether reports go via email, dedicated ticketing system, anonymous hotline, web form, or a combination
  4. 4.Set minimum reporting requirements—specify what data must be included (affected systems, user account, date/time, incident description, suspected root cause, potential impact)
  5. 5.Publish the process—make the incident reporting procedure available in employee handbooks, intranets, onboarding materials, and security policies
  6. 6.Train your workforce—conduct annual training so all employees understand the process and their role in incident reporting
  7. 7.Review annually—audit the process each year to verify it's current, accessible, and effective at capturing incidents

Evidence auditors look for

  • Documented incident reporting policy that includes timeframes, contact information, and reporting methods
  • Incident report template or form showing minimum required data fields
  • Evidence of workforce communication (email, training slides, policy acknowledgment forms)
  • Ticketing system or incident tracking logs showing reports were submitted and processed
  • Annual review documentation with sign-off from security leadership
  • Screenshots of incident reporting guidance posted on internal wiki or employee portal
  • Training attendance records or completion certificates from annual incident reporting training

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates incident report tracking and centralizes all submissions in a compliant audit trail, so you can demonstrate annual reviews and workforce accessibility without manual spreadsheets.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS Control 17.1: Designate Security Awareness Roles and ResponsibilitiesCIS Control 17.2: Deliver Comprehensive Security Awareness ProgramCIS Control 17.4: Measure Incident Response MetricsCIS Control 18.1: Authorize and Approve Formally Documented Incident Response Plan