WorkflowGLOBALNIST SP 800-61 Rev. 3

NIST SP 800-61 Rev. 3 Post-Incident Evidence Log Workflow

A practical NIST SP 800-61 Rev. 3 Post-Incident Evidence Log Workflow with steps, owners, evidence fields, decisions, and source-linked review triggers.

Turn guidance into a standalone operating path with clear scope, accountable owners, evidence requirements, review cadence, and decision outputs.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
3

Structured answer sets in this page tree.

Primary sources
3

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

Use this workflow to turn NIST SP 800-61 Rev. 3 into a practical evidence log for lessons learned and evidence preservation. It helps a reader capture the source, record the evidence, assign ownership, and make the decisions needed to review, preserve, and act on incident-related findings.

Section 1

Workflow steps for lessons learned and evidence preservation

Use this workflow as the minimum structure for an evidence log. It gives teams a simple path for recording source links, collecting supporting artifacts, and documenting the decision that follows each finding so the log can be reviewed and reused consistently.

  • 1 | Intake | Owner: requester and incident commander | Evidence: scoped request, system or supplier name, business objective, source question.
  • 2 | Source selection | Owner: risk or control lead | Evidence: external URL, short quote, applicability rationale, exclusions.
  • 3 | Evidence collection | Owner: implementation owner | Evidence: policy, test result, contract clause, scan output, incident log, or assessment record.
  • 4 | Decision | Owner: accountable executive or delegated risk owner | Evidence: approve, remediate, defer, accept risk, or escalate.
  • 5 | Review | Owner: assurance lead | Evidence: review date, next trigger, changes, residual risk, and open actions.
Sources for this answer
NIST SP 800-61 Rev. 3 Incident Response
Primary NIST final publication page for SP 800-61 Rev. 3.
NIST SP 800-61 Rev. 3 DOI
DOI for the April 2025 incident response publication.
NIST CSF 2.0 (CSWP 29)
Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
Recommended next step

Put this NIST SP 800-61 Rev. 3 guidance into practice

Use the cited sources to turn the guidance into scoped decisions, owners, evidence requests, and review checkpoints.

Assessment workflow
Open Assessment Autopilot for NIST SP 800-61 Rev. 3

Create source-linked tasks, evidence requests, and review checkpoints for this NIST SP 800-61 Rev. 3 scope.

Explore next step
Talk to Sorena
Review this NIST SP 800-61 Rev. 3 scope with Sorena

Check source coverage, ownership, evidence gaps, and next steps before publishing or operationalizing the work.

Explore next step
Section 2

Decision points for lessons learned and evidence preservation

The workflow should force explicit decisions where teams usually leave ambiguity. Each decision should cite the source and explain what evidence is enough.

  • Is the scope enterprise-wide, system-specific, supplier-specific, software-release-specific, or incident-specific?
  • Does the source create a required action, a recommended practice, or an informative reference?
  • What evidence demonstrates implementation and what evidence only demonstrates intent?
  • Who can accept residual risk and what escalation path applies?
Sources for this answer
NIST SP 800-61 Rev. 3 Incident Response
Primary NIST final publication page for SP 800-61 Rev. 3.
NIST SP 800-61 Rev. 3 DOI
DOI for the April 2025 incident response publication.
NIST CSF 2.0 (CSWP 29)
Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
Section 3

Evidence fields for lessons learned and evidence preservation

A reusable workflow is only useful if the evidence fields are consistent enough for audits, customer assurance, and independent review. Record the source, the claim, the owner, the evidence artifact, and the status together so each entry can be traced and updated without ambiguity.

  • Source URL and quote supporting the claim.
  • Claim text in reader language.
  • Owner, reviewer, due date, and review trigger.
  • Evidence artifact, storage location, version, and collection method.
  • Gap, corrective action, exception, or risk acceptance status.
Sources for this answer
NIST SP 800-61 Rev. 3 Incident Response
Primary NIST final publication page for SP 800-61 Rev. 3.
NIST SP 800-61 Rev. 3 DOI
DOI for the April 2025 incident response publication.
NIST CSF 2.0 (CSWP 29)
Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
Primary sources

References and citations

NIST CSF 2.0 (CSWP 29)
doi.org
Referenced sections
  • Primary NIST source for the CSF Core, Organizational Profiles, Tiers, and implementation approach.
"does not prescribe how outcomes should be achieved"
NIST SP 800-61 Rev. 3 DOI
doi.org
Referenced sections
  • DOI for the April 2025 incident response publication.
"incident response recommendations and considerations"
Related guides

Explore more topics

How should teams handle communications under NIST SP 800-61 Rev. 3 incident response?
How should teams handle communications under NIST SP 800-61 Rev. 3 incident response? Clear, source-linked guidance with practical evidence checks, owner decisions, and implementation steps.
How should teams handle event vs. incident under NIST SP 800-61 Rev. 3 incident response?
How should teams handle event vs. incident under NIST SP 800-61 Rev. 3 incident response? Clear, source-linked guidance with practical evidence checks, owner decisions, and implementation steps.
How should teams handle lessons learned under NIST SP 800-61 Rev. 3 incident response?
How should teams handle lessons learned under NIST SP 800-61 Rev. 3 incident response? Clear, source-linked guidance with practical evidence checks, owner decisions, and implementation steps.
How should teams handle post-incident evidence under NIST SP 800-61 Rev. 3 incident response?
How should teams handle post-incident evidence under NIST SP 800-61 Rev. 3 incident response? Clear, source-linked guidance with practical evidence checks, owner decisions, and implementation steps.
How should teams handle reporting clocks under NIST SP 800-61 Rev. 3 incident response?
How should teams handle reporting clocks under NIST SP 800-61 Rev. 3 incident response? Clear, source-linked guidance with practical evidence checks, owner decisions, and implementation steps.
How should teams handle severity under NIST SP 800-61 Rev. 3 incident response?
How should teams handle severity under NIST SP 800-61 Rev. 3 incident response? Clear, source-linked guidance with practical evidence checks, owner decisions, and implementation steps.
NIST SP 800-61 Rev. 3 Changes Guide
Practical NIST SP 800-61 Rev. 3 Changes Guide guidance with source-linked decisions, owner checklists, evidence records, and implementation steps.
NIST SP 800-61 Rev. 3 compliance playbook
Practical NIST SP 800-61 Rev. 3 compliance playbook guidance with source-linked decisions, owner checklists, evidence records, and implementation steps.
NIST SP 800-61 Rev. 3 CSF 2.0 Incident Profile Guide
Practical NIST SP 800-61 Rev. 3 CSF 2.0 Incident Profile Guide guidance with source-linked decisions, owner checklists, evidence records, and implementation steps.
NIST SP 800-61 Rev. 3 FAQ: practical implementation questions
Standalone NIST SP 800-61 Rev. 3 FAQ questions with source-linked answers, implementation checklists, and evidence guidance.
NIST SP 800-61 Rev. 3 incident communications: stakeholder matrix and notification templates
Practical NIST SP 800-61 Rev. 3 Communications and Escalation Guide guidance with source-linked decisions, owner checklists, evidence records, and implementation steps.
NIST SP 800-61 Rev. 3 Incident Response Playbook Template
Practical NIST SP 800-61 Rev. 3 Incident Response Playbook Template guidance with source-linked decisions, owner checklists, evidence records, and implementation steps.
NIST SP 800-61 Rev. 3 Severity Classification and SLA Model
Practical NIST SP 800-61 Rev. 3 Severity Classification and SLA Model guidance with source-linked decisions, owner checklists, evidence records, and implementation steps.
NIST SP 800-61 Rev. 3 vs CISA playbooks: practical side-by-side comparison
Compare NIST SP 800-61 Rev. 3 and CISA playbooks with side-by-side scope, owner, trigger, evidence, cadence, assurance, and decision-rule rows.
NIST SP 800-61 Rev. 3 vs ISO 22301 business continuity: practical side-by-side comparison
Compare NIST SP 800-61 Rev. 3 and ISO 22301 business continuity with side-by-side scope, owner, trigger, evidence, cadence, assurance, and decision-rule rows.
NIST SP 800-61 Rev. 3 vs ISO/IEC 27035: practical side-by-side comparison
Compare NIST SP 800-61 Rev. 3 and ISO/IEC 27035 with side-by-side scope, owner, trigger, evidence, cadence, assurance, and decision-rule rows.
NIST SP 800-61 Rev. 3 vs NIS2 incident reporting: practical side-by-side comparison
Compare NIST SP 800-61 Rev. 3 and NIS2 incident reporting with side-by-side scope, owner, trigger, evidence, cadence, assurance, and decision-rule rows.
NIST SP 800-61 Rev. 3: escalation decision workflow for incident communications
A practical NIST SP 800-61 Rev. 3 Communications Escalation Workflow with steps, owners, evidence fields, decisions, and source-linked review triggers.
What should recovery include in a NIST SP 800-61 Rev. 3 incident response process?
Recovery should include restoring affected services, validating that the incident is contained, confirming monitoring is in place, communicating status, preserving evidence, and deciding when normal operations can safely resume.
Which CSIRT roles should teams define under NIST SP 800-61 Rev. 3?
Which CSIRT roles should teams define under NIST SP 800-61 Rev. 3? Clear, source-linked guidance with practical evidence checks, owner decisions, and implementation steps.