NIST 800-53 REV 5 • INCIDENT RESPONSE
IR-5 — Incident Monitoring
Track and document incidents.
Supplemental Guidance
Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics as well as evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring, incident reports, incident response teams, user complaints, supply chain partners, audit monitoring, physical access monitoring, and user and administrator reports. [IR-4](#ir-4) provides information on the types of incidents that are appropriate for monitoring.
Practitioner Notes
You need to track and document every security incident — when it happened, what was affected, who responded, and what the outcome was. This creates an organizational memory that helps you improve over time and prove due diligence to auditors.
Example 1: Use a ticketing system like Jira Service Management, ServiceNow, or even a dedicated SharePoint list to log all incidents. Require fields for date/time, type, severity, affected systems, responder, actions taken, and resolution. Run monthly reports to track trends.
Example 2: Configure your SIEM (Splunk, Microsoft Sentinel) to automatically create incident records when alerts exceed a severity threshold. Build a dashboard that shows open incidents, average resolution time, and incident volume by category over the past 12 months.