- ITIL incident management is a structured process — not just a ticket queue. Incident, Problem and Change are three distinct practices that must link together.
- NIS2 requires significant incident notification within 24 hours and a full report within 72 hours. Most teams cannot produce this from email chains.
- Audit-ready evidence means: structured record, immutable timeline, linked root cause, documented actions and named owners. A Slack thread has none of this.
- A post-incident review (PIR) is not optional — it is the document regulators will ask for first.
Related HubSecure buying path
Secure Client Portal guidesecure client portalRooms moduleGoogle Workspace comparisonsecure client portal guideGuide Librarybook a workflow demo
Related security, privacy and governance resources
Continue with HubSecure security and trust center, data processing agreement, subprocessors, compliance workflows, governed AI operator.
Related use case
This guide belongs to the Workspace Alternatives and Tool Consolidation Guides cluster. Continue with the product hub for workspace alternatives and tool consolidation.
Why "we handled it" is no longer enough
Ten years ago, a fast resolution was proof enough of a capable IT team. Today, regulated businesses — financial services, legal, healthcare, critical infrastructure — operate in an environment where proof of process matters as much as the outcome.
NIS2, DORA, ISO 27001 and SOC 2 all require the same thing: not that incidents were resolved, but that they were managed in a structured, documented way, that root causes were identified, that the right people were notified at the right time, and that action items were tracked to completion.
The practical problem: most IT teams are resolving incidents in Slack channels, updating each other in group chats, and closing tickets in tools that don't capture the why. When an auditor or regulator asks for the incident timeline six months later, someone has to spend days reconstructing what happened from message history — if they can access it at all.
The NIS2 clock starts ticking the moment you become aware of a significant incident — not when you feel ready to report it. You have 24 hours for an early warning, 72 hours for a full notification to your competent authority, and one month for a final report. If your incident records live in Slack, you will breach this timeline.
ITIL incident management: the three practices that must work together
ITIL 4 separates incident management into three distinct practices. Many teams conflate them — which is why their records don't hold up under scrutiny.
Incident Management
The goal is to restore normal service operation as quickly as possible and minimise the impact on the business. Every incident needs: a unique reference, a priority (P1–P4), an owner, a timeline of actions taken, and a resolution record. The resolution is not the end — it is the start of the problem management process.
Problem Management
A problem is the underlying cause of one or more incidents. Problem management is concerned with reducing the likelihood and impact of incidents by identifying root causes and initiating actions to prevent recurrence. Without it, the same incidents reappear — and regulators notice patterns.
Change Management
Most significant incidents are caused by or correlated with changes. Change management requires that every change to a production system goes through a documented approval workflow, includes a risk assessment and rollback plan, and is linked in the CMDB. When an incident follows a change, the link must be visible in the record — not reconstructed from memory.
| Practice | Primary goal | Output | What regulators check |
|---|---|---|---|
| Incident Management | Restore service fast | Resolved incident record + timeline | Response time, SLA adherence, notifications sent |
| Problem Management | Eliminate root cause | Root cause analysis, known error record | Root cause documented, recurrence prevented |
| Change Management | Reduce change-related risk | Change record with approvals and rollback | Approval chain, risk assessment, link to incidents |
NIS2 incident reporting: what the 72-hour window actually requires
NIS2 applies to essential and important entities across 18 sectors — including banking, financial market infrastructure, digital infrastructure, managed services, and professional services that handle critical systems. If your firm is in scope, the 72-hour notification requirement is not a guideline.
- Hour 0 — Awareness The clock starts when your team first becomes aware that a significant incident may have occurred. "We weren't sure it was significant" is not a valid reason for delay — early warning obligations apply even under uncertainty.
- Within 24 hours — Early Warning Notify your national competent authority. The early warning must state: (1) that an incident has occurred, (2) whether it was caused by unlawful or malicious acts, and (3) whether it has cross-border impact. You do not need the full picture — but you need a structured record that this notification was sent.
- Within 72 hours — Incident Notification A full notification with: initial assessment of the incident including severity and impact, likely cause or causes (if known), applied and ongoing mitigation measures, and cross-border impact if applicable.
- Within 1 month — Final Report A detailed description of the incident, the type of threat involved, root cause, mitigation measures applied, and any cross-border impact. This is the document your competent authority will scrutinise most closely — and the one that must align with your internal PIR.
The practical implication: your incident management tool must be able to produce an exportable, timestamped record of every action, notification and decision — structured well enough that you can fill in a regulatory template without starting from scratch.
What audit-ready incident evidence actually looks like
Regulators and ISO 27001 auditors are asking a specific set of questions when they review incident records. Most IT tools — and certainly Slack — cannot answer them.
| Evidence requirement | Slack + email | Ticketing tool only | Structured incident platform |
|---|---|---|---|
| Unique incident reference | ✗ No | ✓ Yes | ✓ Yes |
| Immutable, timestamped timeline | ✗ No | ~ Partial | ✓ Yes |
| Priority classification with rationale | ✗ No | ~ Sometimes | ✓ Yes |
| Named owner and escalation chain | ✗ No | ~ Partial | ✓ Yes |
| Linked root cause (Problem record) | ✗ No | ✗ Usually no | ✓ Yes |
| Linked change record (if applicable) | ✗ No | ✗ No | ✓ Yes |
| SLA tracking with breach alerts | ✗ No | ~ Depends on tool | ✓ Yes |
| Post-incident review with action items | ✗ No | ✗ No | ✓ Yes |
| Exportable for regulator submission | ✗ No | ~ Limited | ✓ Yes |
The post-incident review (PIR): the document regulators ask for first
A post-incident review is a structured analysis completed after every significant incident. Its purpose is not blame — it is evidence that your team understood what happened, why it happened, and what has been done to prevent recurrence.
A NIS2-aligned PIR should capture the following sections:
- Incident summary: Reference, dates, affected systems, severity classification
- Timeline: Chronological record of detection, triage, escalation, mitigation and resolution — with timestamps and named actors
- Root cause analysis: Immediate cause, contributing factors, underlying systemic cause
- Impact assessment: Services affected, number of users impacted, data exposure (if any), financial or operational impact
- Regulatory notifications: Who was notified, when, what was communicated — with evidence of the notifications sent
- Remediation actions: Each action item, assigned owner, due date, completion status
- Lessons learned: Process or tooling changes to prevent recurrence
The most common PIR failure is not the format — it is that action items are listed but never tracked. A regulator reviewing your PIR from last year will ask: "Show me the completion status of the five remediation actions listed here." If you cannot answer, the PIR becomes evidence of inaction rather than governance.
On-call management: the problem that causes breaches before the incident starts
Many SLA breaches happen not because incidents are mishandled — but because the right person was not reached fast enough. On-call management is often the weakest link in an otherwise structured incident process.
Common failure patterns: escalation paths exist in a document nobody can find at 2am; on-call rotas are maintained in a spreadsheet that doesn't integrate with the alerting system; the wrong person gets paged; escalation to the next tier requires a phone call to someone who may or may not answer.
Structured on-call management requires: a defined rotation, automated escalation rules tied to incident priority, integration between the alerting system and the incident record, and a fallback chain that activates automatically when a responder does not acknowledge within the SLA window.
CMDB: the infrastructure record that makes everything else possible
A Configuration Management Database (CMDB) is the authoritative record of what your infrastructure consists of — servers, services, applications, dependencies, and the relationships between them. Without it, every incident begins with 20 minutes of "which systems are affected?" and every change carries unknown blast radius.
For NIS2 and ISO 27001, the CMDB is also evidence. Auditors expect to see that you know what assets you have, what their criticality is, and how they relate to each other. An up-to-date CMDB is not optional — it is a prerequisite for meaningful risk management.
What to look for in incident management tooling
When evaluating tools for structured incident management in a regulated environment, the checklist should include:
- Full ITIL practice coverage — Incident, Problem, Change and CMDB must be linked, not separate modules
- Immutable audit log — every action, status change and field update recorded with actor and timestamp, not editable after the fact
- SLA configuration per priority — response and resolution SLAs with automated escalation when breaches approach
- Structured PIR templates — not a free-text notes field, but a guided template that captures all required sections
- NIS2-exportable reports — the ability to export a structured incident record in a format suitable for regulatory submission
- On-call scheduling with auto-escalation — rotation management integrated with incident alerting, not a separate system
- Role-based access control — different access levels for responders, managers, and read-only stakeholders
- Integration with team communications — encrypted incident channels that are linked to the incident record, not a separate Slack thread that disappears
ITIL incident management built for regulated businesses
HubSecure Incident Management covers Incident, Problem, Change, CMDB, SLA, On-Call and PIR — with a full audit trail and NIS2-ready export. Book a demo to see it in action.
Book a demo → Incident Management moduleWhat is the difference between an incident and a problem in ITIL?
An incident is an unplanned interruption to or reduction in the quality of a service. A problem is the cause of one or more incidents. Incident management focuses on restoring service quickly; problem management focuses on finding and eliminating the root cause to prevent future incidents. They are linked — every significant incident should trigger a problem record — but they have different owners and different timelines.
Does ITIL incident management apply to small IT teams?
Yes — ITIL is a framework, not a bureaucracy. For small teams, the key practices are simple: every incident gets a record with a priority, an owner and a resolution note. Root causes are documented. Changes go through a lightweight approval step. The structured habit is more important than the tool — but the tool must be able to produce the evidence when regulators ask for it.
How does NIS2 define a "significant incident"?
NIS2 defines a significant incident as one that has caused or is capable of causing severe operational disruption, financial loss, or has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage. In practice: any incident affecting critical systems, causing service unavailability, or involving data exposure is likely to meet the threshold. When in doubt, notify — late notification carries greater penalty than an early warning that turns out to be unnecessary.
Can we use Jira or ServiceNow for ITIL incident management?
Both tools can be configured for ITIL processes, but they require significant customisation to produce the structured evidence records that NIS2 and ISO 27001 auditors expect. The most common gaps are: no native PIR template, no automatic SLA escalation linked to on-call, and no built-in NIS2-format export. Purpose-built incident management platforms handle these out of the box.
Related reading:
Reviewed for regulated teams
Prepared by the HubSecure editorial team for operators, compliance leaders and IT reviewers evaluating secure client operations software.