8. Explain what is meant by incident post mortem (AC 3.1)

An Incident Post Mortem (IPM), also known as a Lessons Learned, is a document used to discuss any major incident your organisation may have faced. It aims to provide an overview of the incident and examines its implications for the organisation's operations, future infrastructure and risk assessment, as well as the overall lessons learned. This document may be written with the intention of publishing it to the general public to shed some light on an attack and to share the experience from the organisation's point of view, although this isn't very common, as most organisations don't like publicly admitting their weaknesses in cyber security.

An IPM can also be a formal discussion held shortly after the incident. The purpose of either the written document or the discussion is to learn more and get ready for the next incident. It's a blame-free space where people are invited to talk openly about what went right, what went wrong, and what can be improved for next time, without fearing that they will lose their jobs or face other sanctions. A post-mortem meeting is also a great place to think about the incident in depth, as the emergency is now over.

A large number of organisations prefer to call a Post-Mortem a Lessons Learned, as it sounds less ominous and less serious. An extensive Google search revealed far more 'incident lessons learned.pdf' results than 'incident post-mortem.pdf' results.

Most organisations will designate a person to coordinate all the 'after incident' activities. Their job will be to liaise with everyone who will contribute, organise meetings, oversee the administrative side of it all and make sure everyone has done their part.
