# Template: Lessons Learned Protocol

## Instructions

Structured post-event review for security incidents, DR tests or audits. Outcomes feed into the effectiveness review under §30(2) No. 6 BSIG.

## Master Data

| Field | Value |
|---|---|
| Protocol ID | LL-YYYY-XXX |
| Trigger type | [ ] Security incident [ ] DR test [ ] Audit finding [ ] Exercise |
| Trigger reference | [INC-ID / DR-ID / Audit-ID] |
| Review date | |
| Facilitator | |
| Participants | |

## What Went Well

| Aspect | Description | Retain as |
|---|---|---|
| | | [Standard process / Best practice] |

## What Went Wrong

| Aspect | Description | Impact |
|---|---|---|
| | | [Low / Medium / High / Critical] |

## Root Cause Analysis

| Symptom | Direct cause | Underlying cause (5-Why) | Category |
|---|---|---|---|
| | | | [People / Process / Technology / Supplier] |

## Actions

| Action | Type | Owner | Target date | §30 reference | Status |
|---|---|---|---|---|---|
| | [Immediate / Medium / Long-term] | | | [No.] | [Open / In progress / Done] |

## Effectiveness Verification

| Action | How is effectiveness verified? | Verification date | Outcome |
|---|---|---|---|
| | | | |

## Updates to Existing Documents

| Document | Change required | Owner |
|---|---|---|
| Risk register | | |
| Incident response plan | | |
| BCM plan | | |
| Training content | | |
| Other | | |

## Escalation to Management

| What finding? | To whom? | When? |
|---|---|---|
| Critical action | Management | Within 5 working days |
| Recurring failure | Management | In the next quarterly report |

## Approval

| Role | Name | Date |
|---|---|---|
| Protocol prepared by | | |
| Reviewed by (CISO) | | |
| Acknowledged by (Management) | | |

## Notes

- Action follow-up is tracked in the risk register
- Action status is reviewed monthly
- Retention period: at least 3 years
- For criminally relevant findings: involve legal department immediately