Reporting incidents from SOW and SIR Workspace in DRIR
Summary of Reporting incidents from SOW and SIR Workspace in DRIR
This process applies when a high-impact, high-urgency incident is created or escalated to high priority within the Service Operations Workspace (SOW) of Incident Management or the Security Incident Response Workspace (SIR Workspace). Such incidents are classified as major incidents and must be logged and reported through the Digital Resilience Incident Reporting (DRIR) application.
Incident Reporting Workflow
- Incident Verification: Confirm whether the incident qualifies as a major ICT-related incident, a security breach, or an operational payment issue, and assess if critical services are impacted.
- Incident Classification: Incidents impacting critical services or involving malicious unauthorized access are automatically classified as major.
- Incident Record Creation: Create a detailed incident record including case number, source, priority, requester, and document actions in the Activities panel.
- Notification: Email notifications are sent to the DORA analyst to update them on case progress.
- Initial Report: Automatically generated within 24 hours of major classification to capture initial incident data.
- Response Activation: Initiate response steps to address the incident.
- Intermediate Report: Generated every 72 hours if the incident remains open, updating incident data and reviewing response progress.
- Response Review: Ongoing evaluation of response steps while the incident is active.
- Final Report: Created one month after classification, provided the incident is closed, including enriched notes and final updates.
Incident Reporting Timelines
| Report Type | Timeline (from major classification) |
|---|---|
| Initial report | Within 24 hours |
| Intermediate report | Every 72 hours (cyclical until incident closure or termination conditions met) |
| Final report | One month |
Case Generation and Status Tracking
When an incident is marked as critical in SOW or SIR Workspace, a corresponding case is automatically created in the DRIR application. The regulatory reporting status of the case (Potentially reportable, Reportable, or Not reportable) is visible in the Details panel of the case record within the Operational Resilience Workspace, as well as in the Regulation Mappings related list. Note that the previous dedicated 'Reporting status' form section has been removed and its information is now consolidated in the Details panel.
Practical Benefits for ServiceNow Customers
- This integration streamlines the reporting of major incidents, ensuring compliance with regulatory requirements.
- Automated report generation and notifications facilitate timely and consistent communication with stakeholders.
- Clear timelines and workflows support effective incident management and resilience planning.
- Visibility into case status and regulatory classification helps customers monitor and manage incident reporting obligations efficiently.
When a high-impact, high-urgency incident is created or an existing incident is marked as high priority in the Service Operations Workspace (SOW) of Incident Management or Security Incident Response Workspace (SIR Workspace), it is classified as a major incident. These major incidents are then logged and reported in the Digital resilience incident reporting application.
Incident reporting workflow
The following example shows a sample workflow for reporting an incident in Incident Management.
- Incident verification: Determine if the reported incident is a major ICT-related incident, a security breach, or an operational payment issue. Assess whether any critical services are impacted.
- Incident classification: If the critical services affected criterion is not met, the incident is not classified as major. If there is any report of malicious unauthorized access to the network and information systems, the incident is automatically classified as major.
- Incident record creation: Create an incident record. The Details tab includes information such as the case number, source, state, subtype, priority, requester, and other relevant details. Review actions related to the case which are documented in the Activities panel on the Details tab.
- Notification: Send an email notification to the DORA analyst to update them on the progress of the case.
- Initial report: Automatically collect initial report data. Generate an initial report no later than 24 hours after the incident is classified as major.
- Response activation: Activate the response steps for the incident.
- Intermediate report: Review the incident report if the incident has been open for more than three days. Update the incident data in the intermediate report, which is generated no later than 72 hours after the incident is classified as major.
- Response review: If the incident is still open, review the response steps.
- Final report: Verify whether the incident is closed and enrich the notes in the record. Update the final report, which is generated one month after the incident is classified as major, with the revised notes.
Incident reporting timelines
| Report type | Timeline (From the time the incident is classified as major) |
|---|---|
| Initial report | 24 hours |
| Intermediate report | 72 hours |
| Final report | 1 month |
Case generation in Digital resilience incident reporting
When an incident is marked as critical in the Service Operations Workspace of the Incident Management application as shown in the example, a case is generated in Digital resilience incident reporting.
The SIR Workspace deploys a similar workflow for reporting high-impact incidents which are then logged in Digital resilience incident reporting.