NIST RS.CO-2: Incident Reporting
Incident reporting is the backbone of effective cybersecurity response. RS.CO-2 requires your organization to establish clear criteria for what constitutes a reportable incident and ensure consistent, timely reporting across all teams. Without standardized processes, critical incidents slip through cracks and response times suffer.
What this means
This control requires you to define explicit incident reporting criteria and ensure all incidents meeting those criteria are reported through established channels. It's not just about detecting threats—it's about creating a structured process that captures incidents consistently, regardless of who discovers them or where in your organization they occur. Your criteria should clarify severity levels, types of events that trigger reporting, and required timeline windows.
How to comply
- 1.Document incident classification criteria including severity levels (critical, high, medium, low) and event types that require reporting
- 2.Define reporting channels and escalation paths for different incident types and severity levels
- 3.Establish mandatory reporting timelines (e.g., critical incidents within 1 hour, high within 4 hours)
- 4.Create incident report templates that capture essential details: what, when, where, who, impact assessment, and initial response actions
- 5.Train all employees on incident reporting requirements and make the process accessible (email, hotline, portal, verbal)
- 6.Implement a centralized incident logging system to track all reported incidents and their status
- 7.Review and test incident reporting processes quarterly to ensure consistent application across departments
- 8.Document metrics on incident reporting velocity and completeness to identify process gaps
Evidence auditors look for
- Written incident reporting policy defining reportable event criteria and severity classifications
- Incident report template or form used to document incidents consistently
- Logs showing reported incidents with timestamps, severity levels, and reporter information
- Training records demonstrating employee awareness of incident reporting requirements
- Escalation procedure documentation showing routing for different incident types
- Metrics dashboard or reports showing incident reporting trends and response times
- Incident response playbooks that reference the criteria defined in RS.CO-2
- Audit trail of incident reports over a 12-month period showing consistent use of criteria
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates incident reporting workflows by centralizing detection criteria, standardizing report templates, and auto-logging alerts from your security tools—eliminating manual spreadsheets and ensuring no incident falls through the cracks.
See how GRCWatch handles this control automatically
Start free trial