The impact of the incident is understood
A declared incident may look small at first and reveal itself to be much larger under investigation. Impact analysis is the discipline of systematically determining what was affected: which systems, which data, which users, and for how long. This analysis drives every downstream decision: what notifications are required, what remediation scope is needed, and whether the organization can continue operating normally while the incident is addressed.
Implementation steps
1. Conduct a structured impact assessment at incident declaration
When an incident is declared, immediately begin a structured impact assessment covering: affected systems (by hostname, IP, and function), affected data (type, sensitivity classification, and estimated record count), affected user populations (internal users, customers, partners), service availability impact (which services are degraded or unavailable), operational impact (whether the business can continue normal operations), and the time window (earliest and latest known malicious activity). Document findings in the incident ticket as they are discovered, and mark the assessment as provisional until scoping is complete, since each of these figures tends to grow as the investigation proceeds.
Suggested tools: Jira, PagerDuty, Confluence
2. Query logs and telemetry to determine compromise scope
Use your SIEM and EDR to scope the compromise: search for lateral movement from the initially identified compromised system, identify all accounts that were authenticated from the affected host, check for data staging or exfiltration activity, and look for persistence mechanisms that may indicate a longer-term foothold. Iterate: every newly identified host or account becomes a new pivot point, and the search is only finished when a pass adds nothing. Bound each search by the earliest known compromise time rather than the declaration time, and note where log retention is shorter than that window, because an empty result from a source that no longer holds the period in question does not prove absence. The goal is to determine whether you have found the full scope of the compromise or only the visible tip.
Suggested tools: Splunk, CrowdStrike, Microsoft Sentinel, Elastic
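The iterative scoping described in this step can be expressed as a fixpoint computation over normalized logon telemetry. The following is an added illustration, not code from this page or from any of the tools named above; the event shape, host and account names, timestamps, and the byte threshold are all constructed for the example. It pivots from one known-compromised host through the accounts used from it and the hosts those accounts reached, flags high-privilege "noisy" accounts for manual review instead of letting them pull the whole estate into scope, records why each node was added, and then checks egress volume only for hosts that ended up in scope.

```python
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample telemetry, not real data. Each auth record is
# (timestamp, account, source_host, destination_host), the shape you would get by
# normalising Windows 4624 or EDR logon events in the SIEM before running this.
AUTH_EVENTS = [
    ("2024-03-01T07:55:00Z", "jdoe", "WS-017", "MAIL-01"),        # before seed time: out of window
    ("2024-03-01T08:05:00Z", "jdoe", "WS-017", "FS-01"),
    ("2024-03-01T08:40:00Z", "svc-backup", "WS-017", "DC-01"),    # service account used from a workstation
    ("2024-03-01T09:10:00Z", "svc-backup", "DC-01", "SQL-02"),    # second hop with the same account
    ("2024-03-01T09:30:00Z", "asmith", "WS-022", "FS-01"),        # inbound to an in-scope host: not tainted
    ("2024-03-01T10:00:00Z", "jdoe", "FS-01", "WS-031"),          # pivot using an already-suspect account
    ("2024-03-01T10:20:00Z", "domain-admin", "DC-01", "WS-050"),  # noisy account: host added, account only flagged
]

# Constructed egress records: (timestamp, host, destination_ip, bytes_out)
EGRESS_EVENTS = [
    ("2024-03-01T09:45:00Z", "SQL-02", "203.0.113.7", 4_800_000_000),
    ("2024-03-01T09:50:00Z", "WS-022", "203.0.113.7", 12_000),
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


@dataclass
class Scope:
    hosts: set = field(default_factory=set)
    accounts: set = field(default_factory=set)
    review: set = field(default_factory=set)     # noisy accounts seen from compromised hosts
    first_seen: dict = field(default_factory=dict)  # host -> earliest evidence timestamp
    exfil: list = field(default_factory=list)    # (timestamp, host, dst_ip, bytes_out)
    edges: list = field(default_factory=list)    # (reason, from_node, to_node): provenance


def scope_compromise(seed_host, seed_time, auth_events, egress_events,
                     noisy_accounts=frozenset(), egress_threshold=1_000_000_000):
    """Expand scope to a fixpoint from one known-compromised host.

    Rules: (1) any destination reached from an in-scope host is in scope;
    (2) any account used *from* an in-scope host is suspect, unless it is listed
    as noisy, in which case it is flagged for review rather than expanded;
    (3) any host a suspect account logged on to is in scope.
    Credentials merely cached on a compromised host are not modelled here.
    """
    t0 = parse_ts(seed_time)
    events = sorted((parse_ts(ts), u, s, d) for ts, u, s, d in auth_events
                    if parse_ts(ts) >= t0)
    scope = Scope(hosts={seed_host}, first_seen={seed_host: t0})
    work = deque([("host", seed_host)])

    def add_host(host, ts, reason, via):
        if host not in scope.hosts:
            scope.hosts.add(host)
            scope.first_seen[host] = ts
            scope.edges.append((reason, via, host))
            work.append(("host", host))

    while work:
        kind, node = work.popleft()
        for ts, user, src, dst in events:
            if kind == "host" and src == node:
                add_host(dst, ts, "lateral-from-host", node)
                if user in noisy_accounts:
                    scope.review.add(user)
                elif user not in scope.accounts:
                    scope.accounts.add(user)
                    scope.edges.append(("account-used-from-host", node, user))
                    work.append(("account", user))
            elif kind == "account" and user == node:
                add_host(dst, ts, "logon-by-suspect-account", node)

    # Large egress only matters for hosts that ended up in scope, after t0.
    for ts, host, dst_ip, nbytes in egress_events:
        if host in scope.hosts and parse_ts(ts) >= t0 and nbytes >= egress_threshold:
            scope.exfil.append((ts, host, dst_ip, nbytes))
    return scope


if __name__ == "__main__":
    s = scope_compromise("WS-017", "2024-03-01T08:00:00Z", AUTH_EVENTS, EGRESS_EVENTS,
                         noisy_accounts={"domain-admin"})
    print("hosts:", sorted(s.hosts))
    print("accounts:", sorted(s.accounts), "review:", sorted(s.review))
    print("exfil candidates:", s.exfil)
    for edge in s.edges:
        print("  ", *edge)
```

The `edges` list is what goes into the ticket: each in-scope host or account carries the observation that put it there, which is what reviewers and legal will ask for when the scope determination is challenged later. The `review` set is the practical answer to the over-scoping problem: a domain administrator or monitoring account touches every host, so expanding through it automatically would make the result useless; surfacing it for an analyst to confirm or exclude keeps the fixpoint meaningful.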
3. Map affected data to compliance and notification obligations
Once data impact is understood, map it to regulatory notification requirements: does the affected data include personal information subject to GDPR, CCPA, or HIPAA? Does it include payment card data subject to PCI DSS breach notification? Different data types trigger different notification timelines and recipients, and some clocks start when the organization becomes aware of the breach rather than when scoping is finished (GDPR Article 33, for example, requires notifying the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware), so the mapping must begin on the provisional scope and be revised as it grows. Having a pre-built data classification matrix that maps data types to notification obligations speeds this analysis under pressure.
Suggested tools: Confluence, Notion
Evidence required
Incident impact assessment documentation
Evidence that impact analysis is performed and documented during incident response.
- Incident tickets showing structured impact assessment sections
- Post-incident review noting the scope determination process
- Impact assessment template embedded in incident response runbooks
Data breach notification decision records
Evidence that data impact is mapped to compliance obligations.
- Data classification policy mapping data types to notification requirements
- Legal or privacy team consultation records from past incidents
- Breach notification decision log from a previous incident
Related controls
- The estimated impact and scope of adverse events are understood (Adverse Event Analysis)
- Investigate contributing factors to confirmed incidents (Incident Analysis)
- Forensics are performed (Incident Analysis)
- Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved (Incident Analysis)