Implementing an incident register in Cydarm
This article explains how to configure an incident register in Cydarm
Overview
This guide explains how to configure and use Cydarm to maintain a cybersecurity incident
register that meets ISM-1803 requirements and supports organizational reporting needs.
Setup
1. Configure custom metadata fields
Add the following custom metadata fields to your Cydarm system:
● Incident ID (Text)
● Date of Incident (Date)
● Date of Discovery (Date)
● Actions Taken (Text/Rich Text)
● Reported To Name (Text)
● Reported To Affiliation (Text)
● Reported To Title (Text)
● Reported To Email (Email)
● Reported To Phone (Phone)
Note: The existing case description field on each case can be used for the incident description
requirement.
2. Create incident type tags
Create tags for your incident types, for example:
● incident-type:malware
● incident-type:phishing
● incident-type:data-breach
● incident-type:unauthorised-access
● incident-type:ddos
(Alternatively, agree on an existing tag group for this.)
Create a master tag to identify all incident cases, e.g. outcome:incident
Recording incidents
When a cybersecurity incident occurs:
1. Add the outcome:incident tag to the case, to mark it as an incident
2. Add appropriate incident type tag(s) (e.g. incident-type:phishing)
3. Ensure that the severity level is set
4. Fill in required metadata fields:
- Incident ID (if using custom numbering)
- Date of Incident
- Date of Discovery
- Actions Taken (update as response progresses)
- Reported To fields (all reporting contact details)
5. Use the Description field at the top of the case to describe the incident
6. Update case status as the incident progresses (Triage → Analysis → Containment →
Eradication → Restoration → Review → Closed)
Generating the Incident Register
1. Export full register
1. Navigate to Reports > Case Details Report
2. Apply filters:
- Tag: select outcome:incident
- Date Range: select desired time period
- Organisation: select the organisation you wish to report on
3. (Optional) Click Preview Report to verify data
4. Click Download Report to download the CSV
2. Filter by incident type or severity
To generate reports for specific incident types:
1. Follow steps above, but add additional filters:
- Tag: select outcome:incident AND the specific type tag (e.g. incident-type:phishing)
- Severity: select specific severity level(s)
3. Common report scenarios
i. Current open incidents:
● Filter: Tag = outcome:incident, Status ≠ Closed
ii. Closed incidents:
● Filter: Tag = outcome:incident, Status = Closed, Date Range = as required
iii. Monthly/quarterly analysis:
● Export data for each period using Date Range filters
● Calculate days to closure using Date of Discovery and Closed Date fields
● Compare incident counts across periods in your preferred analysis tool (Excel, BI tool)
Tips for effective Incident Register Management
● Standardise tagging: Ensure all team members use consistent incident type tags
● Regular updates: Update Actions Taken field as the incident progresses
● Complete before closing: Verify all required fields are populated before closing an
incident case
● Scheduled exports: Set regular reminders to export the incident register for compliance
purposes
● Data validation: Periodically review cases tagged as incident to ensure metadata
completeness
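The monthly/quarterly analysis and the data validation tip above, as an added Python example (not Cydarm's own code): it reads a downloaded Case Details Report CSV, keeps only rows tagged outcome:incident, computes days to closure from Date of Discovery and Closed Date, summarises counts per discovery month, and lists cases missing a required ISM-1803 field. The column names are assumptions and the sample rows are constructed; match the names to the headers in your actual export.

```python
import csv
import io
from datetime import date

# Column names are assumed, not taken from a real export; REQUIRED lists the ISM-1803 items.
REQUIRED = ["Date of Incident", "Date of Discovery", "Description", "Actions Taken", "Reported To Name"]

# Constructed sample export, not real Cydarm data.
SAMPLE_CSV = """Incident ID,Tags,Status,Severity,Date of Incident,Date of Discovery,Closed Date,Description,Actions Taken,Reported To Name
INC-0001,"outcome:incident,incident-type:phishing",Closed,Medium,2024-03-02,2024-03-03,2024-03-10,Credential phishing email,Reset credentials; blocked sender,Jane Smith
INC-0002,"outcome:incident,incident-type:malware",Closed,High,2024-03-15,2024-03-18,2024-04-02,Malware on workstation,Reimaged host,Jane Smith
INC-0003,"outcome:incident,incident-type:ddos",Containment,High,2024-04-05,2024-04-05,,Volumetric DDoS against web tier,,
INC-0004,"outcome:incident,incident-type:data-breach",Closed,High,2024-04-20,2024-04-21,2024-04-25,Exposed file share,Revoked access,
CASE-0009,outcome:false-positive,Closed,Low,2024-04-08,2024-04-08,2024-04-09,Spam report,Closed as false positive,Jane Smith
"""

def parse_date(s):
    return date.fromisoformat(s) if s else None

def load_register(text):
    """Keep only rows carrying the master incident tag (guards against a mis-applied report filter)."""
    rows = csv.DictReader(io.StringIO(text))
    return [r for r in rows if "outcome:incident" in r["Tags"].split(",")]

def days_to_closure(row):
    """Days from discovery to closure; None while the case is still open."""
    disc, closed = parse_date(row["Date of Discovery"]), parse_date(row["Closed Date"])
    return (closed - disc).days if disc and closed else None

def missing_fields(row):
    """Required ISM-1803 fields that are empty on this case."""
    return [f for f in REQUIRED if not row.get(f, "").strip()]

def monthly_summary(rows):
    """Incident count, closed count and mean days to closure per discovery month (YYYY-MM)."""
    periods = {}
    for r in rows:
        p = periods.setdefault(r["Date of Discovery"][:7], {"count": 0, "closed": 0, "days": []})
        p["count"] += 1
        d = days_to_closure(r)
        if d is not None:
            p["closed"] += 1
            p["days"].append(d)
    return {m: {"count": p["count"], "closed": p["closed"],
                "avg_days": sum(p["days"]) / len(p["days"]) if p["days"] else None}
            for m, p in periods.items()}

def incomplete_cases(rows):
    """Map of Incident ID -> missing required fields, for the periodic data-validation review."""
    return {r["Incident ID"]: missing_fields(r) for r in rows if missing_fields(r)}
```

Run monthly_summary and incomplete_cases on load_register(open("register.csv").read()) after each scheduled export; any non-empty result from incomplete_cases is a case that should not have been closed yet.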
Compliance notes
This implementation satisfies ISM-1803 requirements by capturing:
● Date the incident occurred
● Date the incident was discovered
● Description of the incident
● Actions taken in response
● To whom the incident was reported
Additional fields (Incident ID, Type, Severity) support enhanced tracking and reporting
capabilities.