Close
View this page in your language?
All languages
Choose your language
Products

Featured

Jira Software

Project and issue tracking

Confluence

Content collaboration

Jira Service Management

High-velocity ITSM

Trello

Visual project management

View all products

Marketplace

Connect thousands of apps and integrations for all your Atlassian products

Close dropdown
Solutions

Featured

Work Management

Manage projects and align goals across all teams to achieve deliverables

IT Service Management

Enable dev, IT ops, and business teams to deliver great service at high velocity

Agile & DevOps

Run a world-class agile software organization from discovery to delivery and operations

BY TEAM SIZE

Enterprise

Small Business

Startup

Non-profit

BY TEAM FUNCTION

Software Development

IT

Finance

Marketing

HR

BY INDUSTRY

Retail

Telecommunications

Professional Services

Government

Close dropdown
Resources

Learn

Atlassian University

Atlassian Playbook

Product Documentation

Developer Resources

Support

Atlassian Community

Atlassian Support

Atlassian Migration Program

Enterprise Services

Partner Support

Purchasing & Licensing

Connect

About us

Careers

Work Life Blog

Events

Support for Server products ends February 15, 2024

With end of support for our Server products fast approaching, create a winning plan for your Cloud migration with the Atlassian Migration Program.

Assess my options

Close dropdown
Search
Try now
Toggle menu
Close search

Incident management for high-velocity teams

Get it free
Learn more
Service Request Management
Overview
Best practices for building a service desk
IT metrics and reporting
SLAs: The What, the Why, the How
Why first call resolution matters
Help desk
Service desk vs help desk vs ITSM
How to run IT support the DevOps way
Conversational ticketing
Customize Jira Service Management
Transitioning from email support
Service Catalog
What is a virtual agent
IT Asset Management
Overview
Configuration management databases
Configuration vs Asset Management
IT & Software Asset Management Best Practices
Incident Management
Overview
IT service continuity management
Incident Communication
Templates
Workshop
Incident Response
Best Practices
Incident Commander
Aviation
Roles and responsibilities
Lifecycle
Playbook
On call
On call schedules
On call pay
Alert fatigue
Improving on call
IT alerting
Escalation Policies
Tools
KPIs
Common metrics
Severity levels
Cost of downtime
SLA vs. SLO vs. SLI
Error budget
DevOps
SRE
You built it, you run it
Problem management vs. incident management
ChatOps
ITSM
Major incident management
IT incident management
Modern incident management for IT ops
Disaster recovery plans for IT ops and DevOps pros
Bug tracking best practices
Postmortem
Template
Blameless
Reports
Meeting
Timelines
5 whys
Public vs. private
Tutorials
Incident communication
On call schedule
Automating customer notifications
Handbook
Incident response
Postmortems
Template generator
Glossary
Get the handbook
2020 State of Incident Management
2021 State of Incident Management
Problem Management
Overview
Template
Roles and responsibilities
Process
Change Management
Overview
Best practices
Roles and responsibilities
Change management types
Knowledge Management
Overview
What is a knowledge base
What is knowledge-centered service (KCS)
Self-service knowledge bases
Enterprise Service Management
Overview
HR Service Management and Delivery
HR Automation best practices
Three implementation tips for ESM
ITIL
Overview
DevOps vs ITIL
ITIL Service Strategy Guide
IT Operations
Overview
IT Operations Management
Overview
System Upgrade

The 7 stages of effective incident response

video thumbnail

What is incident response?

Incident response is an organization’s process of reacting to IT threats such as cyberattack, security breach, and server downtime.

Other IT Ops and DevOps teams may refer to the practice as major incident management or simply incident management.

Who handles incident response?

Development, operations, and support teams are all involved in incident response. More broadly, managers of a company’s legal, public relations, or human resources team are also involved.

Incident response includes an organization’s broader strategic handling of an incident. It requires the coordinated oversight of the leadership group, which usually consists of representatives from teams such as the executive board, IT, legal, communications, and HR.

Incident response process

The following sections describe an incident response process, what to do between realizing a service is down and getting it up and running again, based on the material in our own Incident Handbook.

In this article we’ll cover the seven key stages of incident response:

  1. Detect the incident
  2. Set up team communication channels
  3. Assess the impact and apply a severity level
  4. Communicate with customers
  5. Escalate to the right responders
  6. Delegate incident response roles
  7. Resolve the incident
Incident response workflow

Detect the incident

Ideally, monitoring and alerting tools will detect and inform your team about an incident before your customers even notice. Though sometimes you'll first learn about an incident from Twitter or customer support tickets.

No matter how the incident is detected, your first step should be to record that a new incident is open in a tool for tracking incidents. In an incident management solution such as Jira Service Management, alerting and communication is integrated with your tracking tool.

Set up team communication channels

One of the first things the incident manager (IM) does when they come online is set up the incident team's communication channels. The goal at this point is to establish and focus all incident team communications in well-known places, such as: 

  • Chat room in Slack or another messaging service.
  • Video chat in a conferencing app like Zoom (or if you're all in the same place, gather the team in a physical room).

We prefer using both video chat and a text chat tool during incidents, since both excel at different things. Video chat is great for creating a shared mental picture of the incident quickly through group discussion. And Slack helps generate a timestamped record of the incident, along with collected links to screenshots, URLs, and dashboards.

Slack and most other chat tools allow users to set a room topic. The incident manager should use this field for information about the incident and useful links.

Finally, the IM sets their own personal chat status to the issue key of the incident they are managing. This lets their colleagues know that they're busy managing an incident.

Assess the impact and apply a severity level

After the incident team's communication channels are set up, it's time to assess the incident so the team can decide what to tell people about it and who needs to fix it.

We have the following set of questions that IMs ask their teams:

  • What is the impact to customers (internal or external)?
  • What are customers seeing?
  • How many customers are affected (some, all)?
  • When did it start?
  • How many support cases have customers opened?
  • Are there other factors, e.g. Twitter, security, or data loss?

The next step typically is to assign a severity level.

Incident response severity levels

Severity 1
Description: A critical incident with very high impact
Examples:

  • A customer-facing service is for all users
  • Confidentiality or privacy is breached
  • Customer data loss

Severity 2
A major incident with significant impact
Examples:

  • A customer-facing service is unavailable for some, but not all, customers
  • Core functionality is significantly impacted.

Severity 3
A minor incident with low impact
Examples:

  • A minor inconvenience to customers, workaround available.
  • Usable performance degradation.

Using a numbering system for severity levels helps quickly define and communicate the incident. All someone has to say is “we might have a sev 1 happening,” and the right people can immediately understand the seriousness of the matter even before getting additional information.

Severity levels can also help build guidelines for response expectations.

At some companies, for example, severity 3 incidents can be addressed during business hours, while severity 1 and 2 require paging team members for an immediate fix.

Incident severity definitions should be documented and consistent throughout the organization.

Communicate with customers

Once a team establishes that the incident is real, it’s best to communicate to stakeholders internally and externally as soon as possible.

The goal of internal communication is to focus the incident response on one place and reduce confusion.

The goal of external communication is to tell customers the team is aware something's broken and you're looking into it. Communicating quickly and accurately helps build trust with customers and the rest of the organization.

Many teams use Statuspage for incident communications both internally and externally. Here are two simple templates for update an internal or external statuspage:

Internal Statuspage
- -

We are investigating an incident affecting , and . We will provide updates via email and Statuspage shortly.

External Statuspage
Investigating issues with

We are investigating issues with and will provide updates here soon.

Escalate to the right responders

Sometimes the initial responders are the ones who resolve the incident. More often than not, those responders need to bring other teams into the incident by paging them using an alerting tool. With Jira Service Management, responders can take their pick as to what alerting method they use, or even use them all in one central location.

Alerting tools allow teams to define on-call rosters to create a rotation of staff who are expected to be reachable during an incident. This is better than relying on a specific person every time there’s an incident. That same person won't always be available (they take vacations, change jobs, or burn out when you call them too much).

Delegate incident response roles

After a new incident responder is paged and comes online, the incident manager delegates a role to them. As It’s important they understand what's required of their role, and how to contribute to the incident team quickly and effectively.

Another advantage to defining roles is it allows more adaptability and flexibility. As long as a person knows how to perform a certain role, they can take that role for any incident.

Three key incident response roles

Incident manager

Each incident is driven by the incident manager, who has overall responsibility and authority for the incident.

The incident manager has authority to take any action necessary to resolve the incident, including paging anyone in the organization and keeping those involved in an incident focused on restoring service as quickly as possible.

Tech lead

A senior technical responder. The tech lead develops theories about what's broken and why, decides on changes, and runs the technical team. This person works closely with the incident manager.

Communications manager

The person familiar with public communications, possibly from the customer support team or public relations. They are responsible for writing and sending both internal and external communications about the incident.

Resolve the incident

There's no one-size-fits-all process that can resolve every incident. If there were, we'd simply automate that and be done with it. Instead, take inspiration from the scientific method. Iterate on the following process to quickly adapt to a variety of incident response scenarios:

  • Observe what's going on. Share and confirm observations.
  • Develop theories about why it's happening.
  • Develop and execute experiments to prove or disprove your theories.
  • Repeat until the incident is resolved.

An incident is resolved when the current or imminent business impact has ended. At that point, the emergency response process ends and the team transitions onto any cleanup tasks and the postmortem.

We send final internal and external communications when the incident is resolved. The internal communications have a recap of the incident's impact and duration, such as how many support cases were raised and other important incident dimensions. It should also clearly state that the incident is resolved and there will be no further communications about it. The external communications are usually brief, telling customers that service has been restored and the team will follow up with a postmortem.

Conclusion

There are many moving parts to the incident response process. Keeping track of each step with seamless communication is easy with an incident management tool like Jira Service Management. Centralize alerts and unify teams with flexibility to resolve incidents quickly.

Try Jira Service Management free
Tutorial

Setting up an on-call schedule with Opsgenie

In this tutorial, you’ll learn how to set up an on-call schedule, apply override rules, configure on-call notifications, and more, all within Opsgenie.

Read this tutorial
Up next

Incident response best practices and tips

This collection of incident response best practices and tips will help your team avoid mismanaged incidents, unnecessary delays and associated costs.

Read this article
Up Next
Best Practices