
Incident Management

When should you register an incident?

That depends on the regulation or framework your organisation is working with. Here are the typical scenarios:

Framework   When should you register?
GDPR        If there is a personal data breach – e.g. unauthorised access, accidental disclosure or data leakage.
NIS2        If the incident affects IT security or business-critical systems.
DORA        If your organisation is subject to DORA, there are specific rules to follow for incident handling. You can create your Incident Management Policy and Procedure under DORA [here].


Tip: You may also benefit from logging minor incidents that aren't reportable, simply to maintain your process and ensure everything is documented.

How to handle an incident in ComplyCloud

You’ll find the incident module under "Risk & Security" > "Incidents".

1. Create the incident

Click "Actions" > "Create incident"

In this step, you should: (1) Describe the incident as clearly as possible, (2) Select the affected assets and (3) Add details about the timeline. Click Edit in each field to enter information – and don’t forget to select the incident type.


Note: If you answer Yes to "Did the incident involve a breach of personal data?" and proceed to the next step (via the top-right corner), ComplyCloud will guide you to the "Personal data" section.
Here, you’ll be asked to describe the scope of the incident and what types of personal data were affected.

2. Assess the impact on your organisation

Here you should assess the severity of the incident based on your own evaluation.

Start by assigning a consequence level for each affected asset using the CIA model:

  • Confidentiality: Was data accessed by unauthorised parties?

  • Integrity: Was data wrongly changed, deleted, or corrupted?

  • Availability: Did users lose access to systems or data?

Tip: Once you’ve assessed the consequence level, ComplyCloud will automatically suggest a severity level for the incident as a whole.

If you answered Yes to “Is your organisation subject to NIS2?” in the previous step, an extra column will appear, where you should also assess the impact at societal level.

3. Notifications

In this step, describe whether and how you have communicated the incident, including:

  • Have any data subjects been notified?

  • Have authorities or regulators been notified?

  • Have third parties (e.g. vendors or providers of the affected IT systems) been informed?

You can also upload supporting documentation, such as email screenshots or evidence of who was affected.

Note: If you marked your organisation as subject to NIS2, and the incident was assessed as critical, ComplyCloud will prompt you to consider notifying the relevant authorities.

4. Incident handling

In this step, you can add security controls from ComplyCloud’s security catalogue and provide a general summary of how the incident was handled, so that the record serves as documentation.


Once you consider the incident resolved, you should enter a date under “2 Incident resolved”. As soon as you add this date, the incident will automatically be marked as Handled in your overview. All other incidents will remain labelled as Ongoing.
See example below:


Exporting your incidents

You can export incidents in two places:

  • From an individual incident

  • From the main incident overview

To export, go to "Actions" > "Export"

Note: If you export a single incident, the full incident report will be included in the PDF. If you export from the incident overview, only a summary of each incident will be included.