Skip to main content

What do you think of this service? Your feedback will help us to improve it.

Author: Government Security Guidance

Principle: D2 Lessons Learned

When an incident occurs, steps must be taken to understand its root causes and ensure appropriate remediating action is taken.

Incidents represent opportunities to improve your overall cyber resilience as part of lessons learned. It is important that organisations understand why the incident happened and, where appropriate, take steps to prevent the issue from recurring. The aim should be to address the root causes or to identify systemic problems, rather than to fix a very narrow issue. For example, to address the organisation’s overall patch management process, rather than to just apply a single missing patch.

Policy

The following requirements are placed on government departments:

  1. Government Organisations shall meet the Cyber Assessment Framework (CAF) requirements of the relevant Government Profile under this principle.

Guidance

  1. The 10 Steps: Incident Management section emphasises the need for post-incident lessons learned exercises to drive organisational improvements. The Safety 2 approach is referenced, highlighting the need to not only focus on what went wrong but also look for successful elements of the incident response and examine why it worked well.
  2. An organisation’s security culture is vital when looking at learning lessons from incidents. You shape security contains useful guidance on how organisations can build and maintain dialogues with staff, ensuring both that multiple perspectives on incidents are properly captured and that the lessons are learned and implemented effectively.

Further information

  1. It is important to be aware that some organisations may use NIST’s Computer Security Incident Handling Guide which is detailed guidance on incident response, covered in principles D1 and D2.

Further guidance and information can be found on the NCSC’s CAF Guidance webpage.

Sign up to UK Government Security

Subscribe to our newsletters to receive notifications when changes to strategy, policy, standards, and guidance are published on the website.

Sign up now