Incident Investigation, Evaluation, Containment, and Communication (IIECC) is the integrated set of procedures a security organization executes between incident confirmation and the start of eradication and recovery. The four components run concurrently, not sequentially. Investigation collects and preserves digital evidence following chain-of-custody procedures to determine what happened, who did it, and how. Evaluation scores severity and scope using a multi-dimensional matrix — technical, business, and compliance criteria — to drive prioritization. Containment limits damage through three simultaneous modes: short-term (stop active spread), forensic (preserve evidence integrity while isolating), and long-term (prevent recurrence pending full eradication). Communication translates investigation findings and containment decisions into role-appropriate messages for technical teams, executives, legal counsel, customers, regulators, and insurers — often before investigation is complete. IIECC is not the same as eradication (removing threat artifacts) or recovery (restoring operations); those phases depend on IIECC completing with sufficient rigor. Investigation findings continuously re-inform containment scope and communication content throughout the incident window.
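The paragraph above says investigation must collect and preserve evidence under chain-of-custody procedures so that findings survive scrutiny. The following Python sketch is an added example, not code from the page or from any CISM material: it models one evidence item whose content hash is fixed at acquisition and whose custody log is hash-chained, so both a modified artifact and a rewritten log entry are detectable. The class and field names, the SHA-256 choice, and the sample log bytes are all constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev-hash value for the first custody entry (hypothetical convention)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    """One row of the chain-of-custody log; entry_hash covers every other field."""
    timestamp: str
    handler: str
    action: str            # "acquired", "transferred", "verified"
    evidence_hash: str     # hash of the artifact as observed at this handoff
    prev_entry_hash: str   # links this row to the previous one
    entry_hash: str = ""

    def compute_hash(self) -> str:
        body = {k: v for k, v in asdict(self).items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())


class EvidenceRecord:
    """An acquired artifact plus its hash-chained custody log (hypothetical design)."""

    def __init__(self, evidence_id: str, description: str, content: bytes, acquired_by: str):
        self.evidence_id = evidence_id
        self.description = description
        self.content = content
        self.acquisition_hash = sha256_hex(content)   # reference value fixed at acquisition
        self.chain: list[CustodyEntry] = []
        self._append(acquired_by, "acquired")

    def _append(self, handler: str, action: str) -> CustodyEntry:
        prev = self.chain[-1].entry_hash if self.chain else GENESIS
        entry = CustodyEntry(
            timestamp=datetime.now(timezone.utc).isoformat(),
            handler=handler,
            action=action,
            evidence_hash=sha256_hex(self.content),  # re-hash at every handoff
            prev_entry_hash=prev,
        )
        entry.entry_hash = entry.compute_hash()
        self.chain.append(entry)
        return entry

    def transfer(self, to_handler: str) -> CustodyEntry:
        return self._append(to_handler, "transferred")

    def verify(self) -> dict:
        """Check artifact integrity and log continuity; returns findings rather than raising."""
        problems = []
        if sha256_hex(self.content) != self.acquisition_hash:
            problems.append("artifact content differs from acquisition hash")
        prev = GENESIS
        for i, e in enumerate(self.chain):
            if e.prev_entry_hash != prev:
                problems.append(f"entry {i}: broken link to previous entry")
            if e.compute_hash() != e.entry_hash:
                problems.append(f"entry {i}: entry fields were altered after signing")
            if e.evidence_hash != self.acquisition_hash:
                problems.append(f"entry {i}: artifact hash at handoff differs from acquisition")
            prev = e.entry_hash
        return {"intact": not problems, "problems": problems}


def build_sample_record() -> EvidenceRecord:
    # Constructed sample evidence: a few lines of a hypothetical auth log.
    sample = (
        b"2024-01-01T02:13:07Z sshd[4711]: Accepted publickey for svc-backup from 10.0.5.20\n"
        b"2024-01-01T02:13:09Z sudo: svc-backup : TTY=pts/0 ; COMMAND=/bin/tar\n"
    )
    rec = EvidenceRecord("EV-0001", "constructed auth.log excerpt", sample, "analyst_a")
    rec.transfer("forensics_lead")
    return rec


if __name__ == "__main__":
    rec = build_sample_record()
    print(rec.verify())          # intact log and artifact
    rec.content += b"extra\n"     # simulate post-acquisition modification
    print(rec.verify())          # integrity failure is reported
```

The verify step is what makes the log useful in investigation: every handoff re-hashes the artifact and links to the previous row, so a mismatch tells you both that something changed and at which custody step it first shows up.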
Where it stops · what it isn't
- IIECC begins when an incident is confirmed — not merely suspected — and ends when scope is sufficiently bounded to hand off to eradication and recovery teams
- Forensic investigation preserves evidence but does not include remediation or system restoration — those belong to Incident Eradication and Recovery
- Communication covers active incident disclosure to internal and external stakeholders; post-incident lessons-learned communication belongs to the Post-Incident Review phase
- Severity evaluation produces a severity score and scope boundary — it does not produce a root cause statement; root cause is documented in the post-incident review
- Automated containment actions (SOAR playbooks, network segmentation) are in scope when they execute decisions made by this framework; tool selection and playbook engineering belong to Incident Management Operations and Tools
- IIECC does not include proactive threat hunting — it is reactive and triggered by a confirmed or high-confidence incident signal
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
- REQUIRES: Incident Classification and Categorization; Asset Criticality and Data Classification
- ENABLES: Incident Eradication and Recovery; Post-Incident Review and Lessons Learned
- PART OF: CISM Domain 4: Incident Management
- RELATED TO: Incident Management Operations, Tools, and Technologies; Business Impact Analysis and Continuity Planning
- CONSTRAINS: Regulatory Breach Notification Compliance (GDPR, HIPAA, SEC, NIS2)