Thank you for your feedback.
Form temporarily unavailable. Please try again or contact to submit your comments.

Perform a questionnaire-based post incident review

Log in to subscribe to topics and get notified when content changes.

Perform a questionnaire-based post incident review

You may decide that a post incident review of the security incident is warranted. A post incident review describes what happened, helps to determine why the incident occurred, and identifies how it can be avoided or handled in the future.

Before you begin

Role required: sn_si.admin, sn_si.manager, sn_si.analyst
Note: Any user can participate in a post incident review questionnaire, regardless of role. Roles can be assigned to a review.

About this task

The ServiceNow Security Incident Response application can automate the collection of post incident review information from everyone involved with a security incident by using questionnaires. If you decide to use a questionnaire as part of a post incident review, a list of questions, relevant to the security incident, is sent to the user-defined list of participants. As each user completes the questionnaire, the post incident report is automatically generated. The report compiles all the information related to the security incident, as well as all responses to the post incident review.

While an initial list of questions is provided with the base system, they are customizable. You can create categories and add new questions to them, or you can change individual questions within existing categories. You can ask questions based on roles. You can define when certain questions are asked. There can be questions you ask only for your UNIX servers, for example, or only when there is criminal activity. You can define questions that are asked depending on the answer to another question or on the value in a field on the form. There can even be questions that are filled in entirely by querying the database.

To start a post incident review:


  1. Create a security incident, or open an existing one by navigating to Security Incident > Incidents > Assigned to Me (or Assigned to Team or Unassigned Incidents).
  2. Click the Post Incident Review tab.
  3. The Request assessments field defaults to the individual in the Assigned to field. Click the lock icon to add other users to the review list. After the field is unlocked, options are available for adding or removing multiple users, roles, or entering user email addresses.
  4. When you have completed your entries, click the lock icon to lock the field.
    Note: You can also define conditions which, when met in a security incident, can cause specific users to be automatically added to the Request assessments field for that security incident. For example, when a security incident Category is changed to Phishing, specific individuals who have expertise in phishing threats can be added to the post incident review list. For more information, see Create post incident review assignment rules.
  5. Click Update.
    When the incident goes into the Review state (or immediately, if it is already in the Review state), each of the users in the review list receives an initial email notification. Reminders are sent as the due date nears. When each user accesses the questionnaire from the email link or by going to Post Incident Review > My Pending Reviews, the questions shown are drawn from all categories that fit this security incident. If new users are added to the review list before the due date is reached, they are sent notifications when the security incident is saved.
  6. As users complete their questionnaires, the post incident report compiles the data and displays the report in the Post Incident Review tab. The questionnaire data is displayed in the Findings tab.