The documentation associated with an incident takes several forms, and its length is usually dictated by the type of incident. Simple incidents that take little time to investigate and have limited impact may be documented informally in an existing ticketing system. More complex investigations, such as a data breach that has led to the disclosure of confidential information (for example, medical records or credit card data), may require extensive written reports and supporting evidence.
When documenting an incident, it is not difficult to ascertain what should be recorded. The five W's (who, what, when, where, and why), and sometimes how, are an excellent foundation for deciding what to capture during an incident. Another useful piece of wisdom, especially where the legal implications of security incidents are concerned, is the axiom "if you didn't write it down, it didn't happen." This statement...