ISO 20000 Major Incident Report template
What Is a Major Incident Report?
Major Incident Report is a process responsible for managing the life cycle of all major incidents. A major incident is an incident that seriously impacts the business and requires a coordinated response from multiple teams.

Major incident management aims to restore normal service operations as quickly as possible and minimize the adverse impact on business operations.
To ensure that major incidents are managed effectively, it is essential to have a structured and coordinated approach. This is the role of the major incident management process.
The major incident management process coordinates and manages all activities required to restore regular service operations following a major incident.
The identification of a major incident triggers the process. Once activated, the process ensures that all activities required to restore regular service operations are coordinated and effective.
The process comprises a few activities, which are carried out in a prescribed order. These activities are:
- Incident identification
- Incident classification
- Incident logging
- Incident containment
- Incident diagnosis
- Incident resolution
- Incident recovery
- Incident closure
The major incident management process is integral to the ISO 20000 standard. Therefore, the standard requires that the process be carried out in a structured.
Major Incident Management Process Essentials
Major Incident Management Process Essentials in ISO 20000 specify the requirements for an organization to plan, implement, operate, monitor, review, and continually improve a major incident management process. This process aims to manage major incidents to minimize the adverse impact on the business.
To meet the requirements of this standard, an organization must establish and maintain a major incident management process that includes the following elements:
• Establishing and maintaining a major incident management capability.
• Planning for major incident management.
• Implementing and operating major incident management.
• Monitoring and review of major incident management.
• Continued improvement of major incident management.
Key Elements Included in Major Incident Management in ISO 20000:
Major incident management is a process that helps organizations deal with severe and unexpected incidents. It is a process designed to help organizations restore normal operations as quickly as possible. Major incident management is a vital part of the ISO 20000 standard.
Four key elements need to be included in effective incident management:
1. Identification: This is the first step in major incident management. Organizations need to have a way to identify major incidents. This can be done through monitoring and event management.
2. Classification: Once a major incident has been identified, it needs to be classified. This helps organizations determine the severity of the incident and the appropriate response.
3. Response: This is the third step in major incident management. Organizations need to have a plan in place for responding to major incidents. The response should be appropriate to the severity of the incident.
4. Recovery: Recovery is the fourth step in major incident management. This is the process of getting the organization back to normal operations. Recovery plans should be put in place before an incident occurs. This helps minimize the time it takes to get the organization back up and running.
Preparing for Major Incidents:

1. Incident Details
An ISO/IEC 20000-compliant Major Incident Report (MIR) is a document that contains all incident details as required by ISO/IEC 20000. The purpose of the MIR is to provide a complete and accurate record of an incident, its investigation, and resolution for future reference and trend analysis.
The Service Provider should use the MIR to record all relevant details of an incident, including:
- Service Provider's name
- Customer's name
- Incident Reference number
- Reported by
- Incident description
- Business Impact
- Root Cause
- Date and time the incident was logged
- A brief description of the incident
- Investigation and resolution details
- Details of any monitoring or workaround implemented during the incident
- Impact of the incident
- Lessons learned
Recording all relevant details of an incident in the MIR helps ensure that incidents are appropriately investigated and promptly resolved, and that their impact is minimized. It also provides a reference for service improvement and trend analysis for future incidents.
2. Incident Date and Time:
In any major incident report, one of the critical things to include is the incident date and time. This is essential information that can help determine the cause of the incident and how to prevent it from happening again.
When including the incident date and time in a major incident report, it is essential to be as detailed as possible. This means having the exact date and time that the incident occurred. It is also helpful to have the time zone.
Including this information in a major incident report can help to create a complete picture of what happened and why. It can also help to improve the response to future incidents. Finally, it can ensure that crucial information is not overlooked and that preventative measures are taken promptly.
3. Incident Details:
An incident is an unplanned interruption to promised service levels or a reduction in the quality of service. An incident may also be caused by a failure or degradation of a process, procedure, or infrastructure component.
Major incidents are characterized by their high levels of impact and risk. They require a coordinated response from multiple team members and usually involve substantial changes to normal work processes.
The report should include a detailed description of the incident, the teams involved, the actions taken, and the results achieved. It should also include the details of the lessons learned and suggested process improvements.
4. Escalation:
The purpose of an escalation policy is to ensure that incidents are escalated to the appropriate level of management promptly so that they can be resolved quickly and efficiently.
An escalation policy should be designed to minimize the impact of incidents on the business and its customers. It should also be flexible enough to accommodate the needs of the organization and the teams involved in the incident response.
The following are a few tips to keep in mind when designing an escalation policy for your organization:
- Define the criteria for escalating an incident.
- Identify the incident response teams and their roles and responsibilities.
- Designate a primary and secondary contact for each team.
- Establish communication protocols for incident response.
- Define the criteria for involving external parties in the incident response.
5. Incident Timeline:
The incident timeline should include all relevant information about the incident, such as the time the incident occurred, the impact of the incident, the steps taken to resolve the incident, and the final resolution.
It should also include relevant contact information for any stakeholders involved in the incident. Additionally, any relevant metrics, such as restore time and resolution time, should be included in the timeline.
Once the incident timeline has been created, it can be used to analyze the incident to identify weaknesses and areas for improvement. Reviewing the timeline makes it possible to identify potential solutions for preventing future incidents and improving incident resolution times. Additionally, the timeline can be used to track the progress of an incident from start to finish and to identify what changes need to be made to prevent similar incidents from occurring in the future.
6. Root Cause Analysis
Root Cause Analysis aims to identify the underlying causes of an incident so that corrective actions can be taken to prevent future incidents from happening. Therefore, a systematic process should be carried out immediately after an incident.
The steps in Root Cause Analysis are:
- Identify the problem
- Gather data
- Analyze the data
- Identify the root cause
- Develop corrective action
- Implement corrective action
- Monitor the results.
7. Corrective Actions Taken:
The corrective action plan should identify the incident's root cause and take steps to prevent it from happening again.
When a major incident occurs, the service provider must follow the steps in their corrective action plan to resolve it and prevent it from happening again. The steps in the corrective action plan will vary depending on the specific incident, but they typically involve identifying the root cause, fixing the issue, and implementing preventive measures.
8. Communication:
The major incident report can be used to communicate information to your customers, employees, and other stakeholders to ensure they are informed and aware of the incident and its implications. This report also enables you to demonstrate your commitment to safety, accountability, and overall operational excellence.