
Incident Management

The process of detecting, triaging, resolving, and reviewing service incidents within agreed SLAs.

Michael Kitt, Founder of KimonBids

Definition

Incident management is the process of detecting, triaging, resolving, and reviewing service incidents within agreed SLAs. Incidents are unplanned events that disrupt or could disrupt service: outages, performance degradation, security breaches, data quality issues, customer-impacting errors. Effective incident management requires clear severity definitions, defined response and resolution targets per severity, structured communication during incidents, and post-incident review to prevent recurrence. ITIL is the most widely adopted framework; many public sector contracts reference ITIL processes by default.

How it works in practice

Standard severity levels are P1 (critical, service down), P2 (high, major function impaired), P3 (medium, minor function affected) and P4 (low, no immediate impact). Each severity has defined response and resolution targets: P1 typically a 15-minute response and 4-hour resolution; P4 typically a 4-hour response and 5-day resolution.

The major frameworks divide the lifecycle into detection (monitoring, alerts, customer report); triage (severity assessment, ownership assignment); investigation and resolution (root cause analysis, fix deployment); communication (status updates to affected stakeholders); and post-incident review (what happened, why, what we changed).

Major incidents (P1, and especially security incidents) require structured communication: an incident commander, a war room, regular status updates to the customer and senior management, and a formal incident report. Public sector contracts typically require incident notification to the buyer within defined windows for major incidents (15 minutes for P1; 1 hour for P2; 4 hours for security incidents). Security incidents have additional requirements under GDPR (data breach notification to the ICO within 72 hours if personal data is affected) and sector-specific frameworks (the NIS Regulations for critical infrastructure).

Strong incident management is investment-intensive: 24x7 cover, monitoring tooling, incident response training and post-incident discipline. Most public sector contracts cost incident management as part of the ongoing service price; spikes during major incidents are usually absorbed by the supplier within the contract envelope.

Common questions

How quickly must I notify the buyer of an incident?

Defined in the contract. Typical thresholds: P1 within 15 minutes, P2 within 1 hour, P3 within 4 hours, P4 next business day. Security incidents (especially data breaches) typically require notification within 1 hour even if the technical severity is lower. Check the contract; under-notification can be a breach in itself.

What is a major incident review?

A formal post-incident review for P1 incidents (and significant P2s). Covers what happened, when, why, what was done in response, what worked well, what failed, and what changes will prevent recurrence. The review output is shared with the customer and tracked through the contract management forum. Repeat root causes are a signal of structural issues requiring change control.

How do security incidents differ from operational incidents?

Security incidents have additional notification requirements under GDPR (data breach notification to the ICO within 72 hours if personal data is affected) and sector-specific frameworks. They typically require involvement of the security team rather than just operations, may trigger forensic investigation rather than a rapid fix, and demand higher communication discipline (limited disclosure of details while the investigation is underway).
