
Part of Objective D - Minimising the impact of incidents

Principle D2: Lessons learned



When an incident or near miss occurs, steps are taken to understand its root causes and to ensure appropriate remediating action is taken to protect against future incidents.


D2.a Incident root cause analysis

Description

When an incident or near miss occurs, steps must be taken to understand its root causes and ensure appropriate remediating action is taken.

The expectation for this contributing outcome is Achieved.

Indicators of good practice (IGP) achievement levels


Not achieved

At least one of the following is true:

NA#1. You are not usually able to resolve incidents or near misses to a root cause.

NA#2. You do not have a formal process for investigating causes.

Partially Achieved

Partial achievement is not possible for this contributing outcome.

Achieved

All the following statements are true:

A#1. Root cause analysis is conducted routinely as a key part of your lessons learned activities following an incident or near miss.

A#2. Your root cause analysis is comprehensive, covering organisational process issues, as well as vulnerabilities in your networks, systems or software.

A#3. All relevant incident or near miss data is made available to the analysis team to perform root cause analysis.

As documented in the introduction to this framework, independent assessors are expected to use their professional judgement when assessing organisations against the Cyber Assessment Framework (CAF). 

The approach and documentation list described below are a suggestion to the independent assessors, and do not have to be followed stringently.

Suggested approach to testing

1. Incident response lessons learned - Obtain and inspect the incident response process or policy, and assess whether lessons learned exercises and root cause analysis are documented as key steps in the response process for both incidents and near misses, and whether responsibilities for those key steps have been clearly assigned. (A#1)

2. Incident sampling - Obtain the list of incidents and near misses that have taken place in the last 12 months. Confirm whether all required data on those incidents or near misses has been made available for analysis. From that list, choose a sample (see Introduction to CAF Independent Assessment Framework for more information) of incidents and request to see their lessons learned and root cause exercises. (A#1, A#3)

3. Root cause analysis - Assess the methodology in place at the organisation for undertaking root cause exercises, including the ownership and scope of the exercise and the routes to approval of the results. Determine whether the scope of the exercise includes vulnerabilities in the network, systems and software; organisational and people processes; and suppliers and their processes. (A#2)

4. Methodology - Determine whether the methodology includes best practice examples of the type of data to be used during root cause analysis of common incidents and near misses, and enquire about the process by which a member of staff gains access to that data. Verify that the lessons learned activities for the incidents you have sampled were completed following the correct methodology, as assessed during step 3. (A#2)

Suggested documentation

Suggested documentation should include:

  • evidence of lessons learned being documented as part of incident management processes
  • list of incidents and near misses from the past 12 months or incident review logs
  • documented lessons learned and root cause analysis activities
  • evidence of methodology and considerations for undertaking root cause exercises

D2.b Using incidents and near misses to drive improvements

Description

Your organisation uses lessons learned from incidents and near misses to improve your security measures.

The expectation for this contributing outcome is Achieved.

Indicators of good practice (IGP) achievement levels


Not achieved

At least one of the following is true:

NA#1. Following incidents and near misses, lessons learned are not captured or are limited in scope.

NA#2. Improvements arising from lessons learned following an incident or near miss are not implemented or not given sufficient organisational priority.

Partially achieved

Partial achievement is not possible for this contributing outcome.

Achieved

All the following statements are true:

A#1. You have a documented incident review process/policy which ensures that lessons learned from each incident or near miss are identified, captured, and acted upon.

A#2. Lessons learned cover issues with reporting, roles, governance, skills and organisational processes as well as technical aspects of networks and information systems.

A#3. You use lessons learned to improve security measures, including updating and retesting response plans when necessary.

A#4. Security improvements identified as a result of lessons learned are prioritised, with the highest priority improvements completed quickly.

A#5. Analysis is fed to senior management and incorporated into risk management and continuous improvement.

As documented in the introduction to this framework, independent assessors are expected to use their professional judgement when assessing organisations against the Cyber Assessment Framework (CAF). 

The approach and documentation list described below are a suggestion to the independent assessors, and do not have to be followed stringently.

Suggested approach to testing

1. Incident review process or policy - Obtain the incident review process or policy, and assess whether the document contains:

  1. A requirement for lessons learned to be undertaken for near misses as well as incidents. (A#1)
  2. Assigned responsibilities for capturing lessons learned, updating relevant processes and documentation, and disseminating the learning throughout the organisation. (A#1)
  3. A documented authority to review the outputs of lessons learned exercises and direct the improvements in security measures (A#3).
  4. A clearly defined prioritisation process for the identified security improvements, including ownership for implementing changes and the process for approval of changes. (A#4)
  5. The escalation process and reporting lines to senior management. (A#5)

2. Lessons learned activities - Assess whether the scope of the lessons learned activities includes a review of reporting, roles, governance, skills and organisational processes as well as technical aspects of networks and information systems. (A#2)

3. Incident sampling - Obtain the list of incidents that have taken place in the last 12 months. From that list, choose a sample (see Introduction to CAF Independent Assessment Framework for more information on sampling) and request to see the respective lessons learned exercise. Verify that:

  1. The scope of the samples matches the expected scope as per the incident review process/policy, as assessed during step 2. (A#2)
  2. The findings of the samples have been documented, with remediation actions designed and their implementation assigned to a named owner with adequate timelines. (A#3)

4. Re-testing - Enquire about any plans to re-test the response plans with the updated security measures, where necessary, and obtain evidence that this test is being designed. (A#3)

5. Mitigating actions - Obtain and inspect documentation showing the progress that has been made on the implementation of mitigation actions. This may include updates to policies and process documentation, but also technical changes to security systems as required (A#4).

6. Approval of mitigating actions - Obtain and inspect the terms of reference and minutes of the responsible group(s) to verify that outputs of the lessons learned exercises are being discussed, reviewed and approved by the responsible group(s). The remediation actions should be prioritised and approved by a relevant authority, with a named owner and adequate timelines put in place. (A#1)

7. Incorporating into risk management and continuous improvement - Obtain examples of where lessons learned exercises and root cause analysis from incidents and near misses have been incorporated into risk management and continuous improvement. (A#5)

Suggested documentation

Suggested documentation includes:

  • incident review process/policy
  • documented lessons learned and root cause analysis activities
  • evidence of methodology and considerations for undertaking root cause exercises
  • list of incidents from the last 12 months
  • evidence of actions taken following lessons learned activities
  • evidence of planning to re-test response plans or evidence that re-testing has occurred
  • evidence of policies, processes and systems being updated following lessons learned activities
  • terms of reference and minutes of relevant groups
  • evidence of risk management processes being updated following lessons learned activities

Last edited: 2 January 2025 9:08 am