What is Incident Management?

Incident management (IM) is the process that IT teams use to respond to an unplanned service interruption. Unexpected disruptions occur due to incidents like loss or degradation of network connectivity, a scheduled task (like a backup task) not being performed, or a nonresponsive API. The incident management process tries to quickly restore the regular operation of the IT service and minimize the business impact. In the process, the team detects and investigates incidents, resolves problems, and documents the steps they take to restore the service.

Why is incident management important?

Incident management guides IT teams on the most appropriate response for any incident. It creates a system so IT teams can capture all the relevant details for further learning. You can consider incident management as the playbook to restore normal operations as swiftly as possible with minimal disruption to internal and external clients.

Without systems in place, incident recovery inevitably leads to repeated mistakes, misused resources, and a greater negative impact on the organization. Next, we discuss some ways you benefit from incident management.

Reduce incident occurrence

By having a playbook to walk through in the event of an incident, teams can resolve incidents as fast as possible. At the same time, incident management also reduces occurrence over time. When you identify risks early on in the IM process, it reduces the chance of incidents in the future. Capturing the complete incident forensics helps with proactive remediation and helps prevent similar incidents from occurring later.

Improved performance

When you use effective and sensitive monitoring in IT incident management, you can identify and investigate minor reductions in quality. You can also discover new ways to improve performance. Over time, your IT team can judge the quality of service incident identification patterns, which can lead to predictive remediation and continuous service.

Effective collaboration

Different teams often have to work together for incident recovery. You can improve collaboration significantly by outlining communication guidelines for all parties within the incident response framework. You can also manage stakeholder sentiments more effectively.

What are the events that require incident management?

The term incident management is not used exclusively in the IT field. Outside of IT, you will hear of IM in fields such as emergency services, large-scale events management, and plant operations.

For the purpose of this article, we refer to IM within the context of IT service management (ITSM). In this context, incident management focuses on the management activities regarding quality of service and customer service itself.

Next, we discuss different IT events within the scope of IM in ITSM.


Within incident management, incidents can be defined as unexpected events that cause a drop in the expected or agreed-upon quality of the IT service. The scale of the incident can be small or large, and you may indicate criticality. For instance, the drop in service quality could be minimal and confined to a specific geographic location. Or the service may experience a complete outage across numerous regions.


A problem refers to the underlying cause of the incident, which is discovered after further investigation and is necessary for full incident resolution. For instance, if a web server is running slowly, the problem might be a router misconfiguration at the data center or a severed network cable at the perimeter.


In IM, a change refers to when a service itself is changing to improve quality or add new features, for example. During the change period, the rollover must be handled carefully to avoid or minimize disruption to normal business operations. This includes advising clients of anticipated or potential service interruptions.

Service request

A service request is a customer-initiated request within the bounds of the provider-client agreement terms. The request should be carried out without disruption to normal operations.

How does incident management work?

Incident management uses a set of documented processes that clearly outline what needs to be done to minimize the negative impact and duration of IT disruption. Apart from the technical management of what went wrong, it also includes the management of customer, user, and stakeholder expectations during an incident.

For customers, service level agreements (SLAs) clearly define expected uptime guarantees, resolution times, and communication channels for incidents. It requires comprehensive incident management on the part of the service provider to meet their SLA terms and conditions.

Read about SLAs »

IT incident management frameworks

There are various frameworks that organizations use to model their IM. Two examples are Incident Management from IT Infrastructure Library (ITIL) 4 and the Cybersecurity Framework from the National Institute of Standards and Technology (NIST). These frameworks may be used as-is or extended to adapt to unique business environments, services, and customer and stakeholder communications standards.

Incident management software is often used to deploy a framework within an organization. The exact framework used depends on the services offered.


What are the steps in the incident management process?

The steps involved in incident management processes depend on the framework used within the organization. Next, we discuss the main steps in many common incident management lifecycle frameworks.

Identify risk

Identifying critical assets, systems, data, and other resources determines where the greatest risks to the business lie. In the context of providing services to clients, it involves identifying their most valuable systems and assets.

Protect assets

Once assets have been identified, organizations strengthen security and performance controls. For example, an application could be deployed across several regions for ongoing availability in the event of regional outages. 

Detect incidents

Systems must be in place to monitor the state of critical assets so that any incidents can be identified in real time. Organizations must be proactive in monitoring anomalies; it’s usually not preferred to first learn of an outage from a customer reporting it themselves. The emphasis is on proactive remediation.

Respond to incidents

Once an incident is detected, you must stop any disruption right away. If this isn’t possible, you can follow a process to contain or limit the impact. You may also have to activate secondary systems so operations can resume even if there is no quick fix.  Much of this may be automated, depending on the nature of the incident and current incident management tools.

Recover from incidents

In the recovery phase, analysis of the incident begins. You capture lessons learned, formulate improved response plans, and remediate problems and processes. Major incidents may need significant recovery efforts. The following image shows one of the incident management processes that Amazon Web Services (AWS) uses.

What are incident management best practices?

Best practices help organizations to operate at the most mature level within a given business unit or strategic area. By following best practices in incident management systems, you can provide the best possible service to your customers.

Develop escalation policies

You should be able to categorize incidents according to their priority and severity to guide timelines, remediations, and investigations. You should enact escalation policies when incident response is not going as expected or if a major incident of high priority or severity occurs. Without these policies, your team might waste time deciding who to contact and what to do.

Plan communications in detail

Stakeholders, from the IT team to your end users, should be kept informed about the status of incidents. It’s also valuable to have clear communication channels so those impacted know where to go for updates or to report new incidents. By having clear communication plans in place, you can establish trust and avoid misplaced blame. Critical incidents are always handled with diplomacy. 

Perform root cause analysis

After resolving an incident, you should perform root cause analysis to understand why the incident occurred in the first place. This helps to identify gaps or vulnerabilities in the system, which you can address to prevent similar incidents in the future. The lessons learned from each incident are helpful in continually improving the IT infrastructure and processes.

Adopt chaos engineering practices

Chaos engineering is a discipline in software engineering where systems are intentionally subjected to disruptive conditions—such as server failures, network latencies, or resource limitations. Building chaos into systems tests their resilience and also strengthens an organization’s incident response and management processes. This is a similar technique to deploying ethical hacking in cybersecurity incident management.

How can AWS support your incident management requirements?

AWS has a range of services that help organizations deliver effective incident management within AWS and hybrid environments.

AWS Incident Detection and Response offers AWS Enterprise Support customers proactive monitoring and incident management for their selected workloads. Working with experts, you define critical metrics, alarms, and prioritization schedules for an IT incident management system to accelerate recovery in the event of an incident.

AWS Managed Services (AMS) helps protect your organization's information, as well as its infrastructure, with AWS incident response and resolution capabilities. AMS can be used as a way to outsource your AWS IT incident management, so your organization can focus on the core business. Here’s what you can do with AMS:

  • Request help with operational issues and requests at any time through the AWS Support Center in the AWS console
  • Access 24/7 support with response time dependent on your selected account Service Tier (Plus, Premium)
  • Receive proactive notifications of important alerts and questions using the same mechanisms

As part of the AWS Well-Architected Framework, we also provide clear guidance for cloud incident management. It’s a good resource to help plan incident management for organizations offering their own IT services that use AWS cloud services. The AWS Security Incident Response Guide is another useful material for security-related incidents.

Get started with incident management on AWS by creating an account today.

Next Steps with AWS

Check out additional product-related resources
Learn about Management and Governance Services  
Sign up for a free account

Instant get access to the AWS Free Tier.

Sign up 
Start building in the console

Get started building in the AWS management console.

Sign in