5 Steps of the Incident Management Lifecycle

The IT Infrastructure Library (ITIL) developed and released a series of agile incident management processes in the ITIL version 4. This most recent version discusses the 5 steps you should be following throughout an incident management lifecycle:

1. Incident identification
2. Incident logging
3. Incident categorization
4. Incident prioritization
5. Incident response

Overall, incident management is the process of addressing IT service disruptions and restoring the services according to established service level agreements (SLAs). What starts with a user reporting an issue should ideally end with the service desk fixing the issue as fast as possible.

Here’s what you need to know about the incident lifecycle. 

 

Step 1—Incident Identification 

The initial step for any incident management lifecycle is identification. 

This starts with an end user, IT specialist, or automated monitoring system reporting an interruption. The alert can come via in-person notification, automated system notice, email, SMS, or phone call. 

When an incident is reported, the help desk must document the incident and identify whether or not it’s an incident or service request, which are two distinctly different concerns:

• Incident – According to ITIL 4 an incident is “An unplanned interruption to an IT service or reduction in the quality of an IT service. Failure of a configuration item that has not yet affected service is also an incident – for example, failure of one disk from a mirror set.”

Most incidents are break or fix issues. Examples include: 

• • A computer or personal device won’t start up
  • Hardware is not functioning
  • Software needs to be installed or updated
  • Error message when trying to launch an application

 Service request – According to ITIL 4, a service request is, “A formal request from a user for something to be provided – for example, a request for information or advice; to reset a password; or to install a workstation for a new user. Service requests are managed by the request fulfilment process, usually in conjunction with the service desk. Service requests may be linked to a request for change as part of fulfilling the request.”

Since these formal requests can be scheduled and follow predefined processes, they’re not nearly as urgent as an incident. Examples include:

• • Creating an account for a new employee/user
  • Requesting upgraded hardware
  • Needing to change a password 

It’s best if an incident can be identified early on through automatic monitoring. When that happens, the problem can be resolved before it has an impact on users. However, there will inevitably be times when the service desk is only made aware of the incident by the impacted user.  

Once the incident has been identified, the service team can move to the next step in the incident lifecycle ITIL. 

 

Assess your Incident Management plan

 

Step 2—Incident Logging 

After the team has been notified about the incident, it’s crucial that they record and document it. 

Thorough reporting helps your organization notice incident trends that may morph into larger problems. It also gives your team better visibility over their workflow, allowing them to delegate their resources where they’re needed most.   

Every incident must be reported – big and small – and logged as a ticket. Tickets need to contain the following information: 

• User name 
• User contact information
• Date and time of the report
• Description of the incident

When it comes to incident logging, the more details you can include, the better. 

Rigorous data collection empowers your service team to find patterns and seek out the root causes for incidents that crop up repeatedly. Armed with this information, the team can either templatize responses for common issues or use automated programs to help streamline resolution processes. 

 

Download Our Incident Response Whitepaper

---

 

Step 3—Incident Categorization 

Incident categorization requires the service team to assign a category and at least one sub category to any incident. 

This is done for three critical reasons:

1. It helps the service desk sort and model incidents according to their categories and subcategories.
2. It makes it possible to automatically prioritize some of the issues. 
3. Provides accurate incident tracking.

By assigning appropriate categories, it becomes easier for the help desk to assign, escalate, and then monitor incident trends and frequencies. When done correctly, it streamlines incident logging, prevents redundancy, and quickens the entire resolution process. 

Categorization utilizes a hierarchical structure with multiple levels of classification—usually with three to four levels of granularity. But since all organizations are unique, classification must be conducted internally, especially at lower levels. If you need help with yours, HCI recommends taking the following steps: 

• Hold a brainstorming session among the relevant support groups
• Use this session to decide the ‘best guess’ top-level categories and include an ‘other’ category. Create relevant logging tools to use these new categories.
• Conduct a trial period that allows several hundreds incidents to fill up each category. 
• Perform an analysis of incidents. The number of incidents logged per category will inform you as to whether or not they’re worth having.
• Breakdown each incident within higher-level categories to decide if lower-level categories are necessary. 
• Review the results and repeat the activities for a few more months to ensure that your results are accurate and repeatable. 

By categorizing incidents you can extrapolate on which trends require training or problem management. 

 

Step 4—Incident Prioritization

After incidents have been assigned their proper category, the next important task is to prioritize them according to urgency and impact on the users and the business. Urgency is how quickly a resolution needs to happen, whereas impact is the potential damage an incident could cause.  

Incidents are typically designated one of three priority statuses: 

1. Low-priority incidents – Do not interrupt users or the business and can generally be worked around. Service to customers and users continues. 
2. Medium-priority incidents – Impact some employees and can moderately disrupt work. Customers may be slightly inconvenienced by the incident. 
3. High-priority incidents – Affect a significant number of users or customers, interrupt the business, and have a noticeable impact on service delivery. Such incidents will almost always cause a financial toll. 

Since your help desk’s resources and time is limited, the higher the assigned priority, the quicker the team must respond to the incident. The system ensures that IT teams aren’t focusing on low-level incidents while much larger ones are wreaking havoc on your employees or customers. 

Step 5—Incident Response  

After an incident has been identified, logged, categorized, and prioritized, the service desk can get to work on resolution. Incident resolution has sub steps to follow, including:

• Initial diagnosis – User details the problem and undergoes troubleshooting with the service agent.
• Incident escalation – If the incident requires advanced support, it can be forwarded to certified support staff or on-site technicians. Most incidents should be able to be resolved by the initial service agent. 
• Investigation and diagnosis – Once the initial incident hypothesis is confirmed, staff can then apply a solution or workaround.  
• Resolution and recovery – The service desk confirms that the user’s service has been restored to agreed upon SLA level.
• Incident closure – The incident is closed and no further work is required. 

 

RSI Security: Incident Management Lifecycle Experts

From initial reporting to final resolution the incident management lifecycle entails 5 critical steps:

1. Incident identification
2. Incident logging
3. Incident categorization
4. Incident prioritization
5. Incident response

At their best IT incidents can be a minor annoyance. But at their worst they can jeopardize your entire business. Should an incident occur, you’ll require an expert partner to guide you through the expanded incident lifecycle. 

RSI Security can be your incident management partner through every step of the journey. We’ll work alongside you to ensure that all incident management program best practices are being applied and followed from day one. 

Ready to get started? So are we. 

 

---

Learn how RSI Security can help your organization. Request a Free Consultation

---