What is a Security Incident Report?
A security incident report is a formal written record of an event that compromised or threatened the safety, security or integrity of a workplace, facility or system. It documents the who, what, when, where and why of the incident and captures the actions taken in response.
Security incidents range from unauthorized access, theft and physical altercations to trespassing, vandalism, workplace violence and cybersecurity breaches. Each type requires the same disciplined approach to documentation: factual, objective and complete.
For security officers and managers, the report serves multiple purposes. It creates an accurate record for internal investigations, supports disciplinary or legal proceedings, satisfies regulatory reporting obligations and helps identify patterns that can prevent future incidents. A well-written report is also one of the most important things a security professional can produce, because when an incident is reviewed months later, the quality of the documentation often determines the outcome.
What's Included in a Security Incident Report?
A complete security incident report captures the full picture of what happened, who was involved and what was done. Here's what every report should include:
Incident identification:
Report number: A unique reference for tracking and cross-referencing in logs and investigations
Date and time of incident: When the incident occurred, as precisely as possible
Date and time of report: When the report was completed
Location: The specific address, area or zone where the incident took place (e.g., Main Entrance, Car Park Level 2, Server Room B)
Incident type: Category of the event (e.g., unauthorized access, theft, assault, trespassing, data breach)
Personnel involved:
Reporting officer: Name, position and badge or ID number of the officer completing the report
Subjects involved: Names, descriptions and contact details of any individuals directly involved in the incident
Victims: Names and contact details of any individuals who were harmed or directly affected
Witnesses: Names and contact details of anyone who observed the incident
Incident description:
Narrative: A clear, factual, chronological account of what happened — what was observed, heard or reported, and in what order
Physical evidence: Description of any items, damage or physical conditions relevant to the incident
Supporting materials: Reference to any CCTV footage, photos, access logs or other documentation attached to the report
Response and actions taken:
Immediate actions: Steps taken to manage the situation, protect people or secure the scene
Notifications made: Who was contacted and when (e.g., supervisor, police, emergency services, IT security team)
Outcome: Status of the incident at the time of reporting (ongoing, contained, referred or resolved)
Sign-off:
Reporting officer signature: Certifying the accuracy of the report
Supervisor review signature: Confirming the report has been reviewed and accepted
Date of submission
How to Write a Security Incident Report
To fill out a security incident report, start at the scene. Collect as much factual information as possible while details are fresh: names, times, descriptions of events and any physical evidence. Use a notepad or your mobile device if a printed form isn't immediately available, then transfer your notes to the official report as soon as practicable.
When writing the report:
Start with the basic facts: date, time, location, and incident type.
Write the narrative in the first person and in chronological order. Describe only what you directly observed or were told by a reliable source. Attribute anything you didn't personally witness (e.g., "Witness Jane Lee stated that...").
Be specific. "The subject was approximately 180 cm tall, wearing a black jacket and grey pants, and was observed at 22:14" is more useful than "a man in dark clothing was seen at night."
Avoid jargon, abbreviations or acronyms that might not be understood by someone outside your team.
Document every action you took in response, including the exact times notifications were made and to whom.
Proofread before submitting. Errors, inconsistencies or missing information can undermine credibility in a legal or disciplinary context.
If your organization uses a specific form or reporting system, follow that format exactly. Consistency in format makes reports easier to review and supports pattern analysis across multiple incidents.
Example of a Security Incident Report
Report No.: SIR-2026-047
Date of incident: May 6, 2026
Time: 21:35
Location: Ground Floor Reception, Oakfield Corporate Centre.
Incident type: Unauthorized access attempt.
Reporting officer: T. Nguyen, Security Officer, Badge #204.
Narrative: At approximately 21:35, I was conducting a scheduled patrol of the ground floor when I observed an unknown male attempting to access the stairwell door adjacent to reception using what appeared to be a key card. The door did not open. The subject then attempted the same door twice more before noticing my presence. When approached, the subject stated he was visiting a tenant on Level 4. The subject was unable to produce valid identification or confirm the name of the tenant. I requested the subject remain in the reception area while I contacted the Level 4 tenant by phone. The tenant confirmed no visitor was expected. The subject was escorted from the premises at 21:49 without further incident. CCTV footage covering the reception area from 21:30 to 21:55 has been saved and referenced as Attachment 1.
Actions taken: Supervisor M. Chen notified at 21:50. No police attendance requested. Access logs reviewed, no successful entries recorded. Incident logged in site security register.
Outcome: Subject removed from premises. No further threat identified at time of reporting.