How to Write an Incident Report: A Step-by-Step Guide for Security Teams
A good incident report does more than record what happened. It protects your organisation, supports any follow-up investigation, demonstrates compliance, and helps prevent the same incident from happening again.
Yet incident reporting is one of the areas where security teams most commonly fall short. Reports are incomplete, written too long after the event, inconsistent in format, or so vague they are effectively useless when reviewed weeks later. When a report needs to hold up in court, satisfy an insurer, or inform a serious internal investigation, those gaps matter enormously.
This guide walks through how to write an incident report correctly, what to include, common mistakes to avoid, and how to make the process faster and more consistent for your whole team.
What Is an Incident Report?
An incident report is a formal written record of an event that occurred on site. It captures the facts of what happened, when, where, and who was involved, along with the immediate response taken and any follow-up actions required.
Incident reports are used across security, health and safety, facilities management, and operations. They serve as the primary source of documentation for anything from a minor slip to a serious violent incident, and they feed into case management, insurance claims, regulatory compliance, and internal analysis.
Why Getting Incident Reports Right Matters
Before covering how to write one, it is worth being clear on what is at stake.
Legal protection. A well-written incident report, completed promptly and accurately, is a powerful piece of evidence that your team responded appropriately to an event. A poorly written one, or no report at all, can create significant legal exposure.
Insurance claims. Insurers rely on incident reports to assess claims. Missing information, inconsistencies, or reports filed long after the event can complicate or invalidate claims.
Regulatory compliance. Depending on your sector and the nature of the incident, you may be legally required to report certain events to external bodies, such as RIDDOR for workplace injuries in the UK. The incident report is the foundation of that process.
Internal accountability. Consistent, thorough reporting creates a record that managers, security directors, and facilities teams can use to identify patterns, assess risk, and make operational improvements.
Investigations. If an incident escalates to a formal investigation, whether internal or involving police, the incident report is one of the first documents reviewed. Its accuracy and completeness can determine how effectively the investigation proceeds.
Read: Complete Guide to Incident Management for Security and Facility Teams
Step 1: Respond First, Report Second
The incident report is written after the immediate response, not during it. Your first priority is always to manage the situation: ensure safety, call for assistance if needed, and follow your response protocols.
That said, the sooner you begin recording information, the better. Memory degrades quickly under stress, and details that seem obvious in the moment are easily forgotten or distorted within hours. If you can make brief notes during or immediately after the incident, do so. Where it is safe and appropriate to do so, capturing photos or short videos of the scene can also be invaluable; these can be uploaded directly to your incident report either during the incident or immediately after, providing visual evidence and context that written notes alone cannot always convey. These records form the basis of your formal report.
As a general rule, incident reports should be completed on the same day as the incident, ideally within a few hours of it occurring.
Step 2: Gather the Facts Before You Write
Before drafting the report, gather all the information you need. Trying to write and investigate simultaneously leads to incomplete or inaccurate reports.
The core facts you need are:
- What happened. A clear, factual description of the incident. What type of event was it? What occurred, in what sequence?
- When it happened. The date and time of the incident, and if relevant, the time it was discovered or reported.
- Where it happened. The specific location within the building or site. Be precise: not just “the car park” but which level, which entrance, which section.
- Who was involved. Names and contact details (where available) for anyone directly involved, including victims, witnesses, suspects, and any members of your team who responded.
- What action was taken. What did your team do in response? Who was notified? Were emergency services called? Was anyone assisted or removed from the premises?
- What evidence exists. CCTV footage, photographs, physical evidence, witness statements. Note what was captured and where it is stored.
If you are taking statements from witnesses or others involved, do so as soon as possible after the incident while recollections are fresh.
Step 3: Write the Report
With your facts gathered, you are ready to write. A well-structured incident report has the following sections.
Incident Details
Start with the basic administrative information:
- Report reference number
- Date and time of the incident
- Date and time the report was written
- Location of the incident
- Incident type or category (using your organisation’s classification system)
- Severity level
Persons Involved
List everyone connected to the incident, with their role clearly identified (victim, witness, suspect, responding officer, etc.). Include names, contact details, and any relevant identifying information. For suspects or individuals who could not be identified, include a physical description.
Incident Description
This is the core of the report. Write a clear, factual, chronological account of what happened. Cover:
- What you observed when you arrived or became aware of the incident
- The sequence of events as they unfolded
- What actions were taken by your team, and when
- The outcome of the immediate response
Keep the language objective. Describe what you saw, heard, and did. Avoid speculation, opinion, or emotive language. If something is uncertain, say so explicitly rather than guessing.
Write in the first person if you were present: “I observed…” rather than “it was observed…”. This is clearer and more accountable.
Evidence and Supporting Information
Note all evidence captured in connection with the incident:
- CCTV footage (camera reference, time range, where footage is stored)
- Photographs taken at the scene
- Physical evidence collected
- Witness statements taken
- Any other relevant documentation
If evidence was handed to police or another party, record who received it, when, and their contact details.
Response and Actions Taken
Summarise the response to the incident:
- Who was notified, and when (line manager, duty manager, emergency services, etc.)
- What actions were taken (evacuation, medical assistance, site lockdown, etc.)
- Whether emergency services attended, and if so, any reference numbers they provided
Follow-up Actions Required
Note anything that still needs to happen as a result of the incident:
- Further investigation
- Maintenance or repair work
- Review of access controls or procedures
- Referral to a case management process
- External reporting requirements (RIDDOR, police report, etc.)
Assign a responsible owner and a deadline for each action where possible.
Declaration
The report should be signed off by the officer who completed it, with their name, role, and the date and time of completion. If the report is reviewed or countersigned by a supervisor, include their sign-off as well.
Step 4: Review Before Submitting
Before submitting your report, read it back carefully. Check for:
- Accuracy: does everything match your notes and what actually happened?
- Completeness: are any fields missing or sections left blank?
- Clarity: would someone who was not present understand exactly what happened?
- Consistency: does the timeline make sense? Do the facts align with each other?
- Objectivity: have you kept opinion and speculation out of the narrative?
A second pair of eyes is valuable, particularly for serious incidents. Ask a supervisor or colleague to review the report before it is finalised.
Common Incident Report Mistakes
Even experienced security officers make these errors. Being aware of them helps you avoid them.
Writing too late. The longer the gap between the incident and the report, the less reliable the account. Complete reports the same day, every time.
Being vague. “A disturbance occurred in the lobby” tells almost nothing. “At approximately 14:30, a male individual entered the main lobby and became verbally aggressive towards the reception staff, demanding access to the third floor” is usable.
Including opinion as fact. “The individual appeared to be intoxicated” is an observation. “The individual was drunk” is a conclusion. Stick to what you observed, not what you inferred.
Leaving fields blank. Every section exists for a reason. If information is genuinely unavailable, note that explicitly rather than leaving it empty. “Witness contact details: not obtained at the time of incident” is more useful than a blank field.
Using jargon or abbreviations. Reports may be read by people outside your immediate team, including insurers, lawyers, or regulators. Write plainly.
Inconsistency between the report and other records. If your report says emergency services were called at 15:10 but the CCTV shows the ambulance arriving at 14:55, that is a problem. Cross-check your timings against available evidence before submitting.
Failing to note follow-up actions. The report should not just describe what happened. It should identify what needs to happen next and who is responsible.
Making Incident Reporting Consistent Across Your Team
Individual reports are only as useful as the system behind them. If different officers report incidents differently, using different formats, different levels of detail, and different terminology, the resulting data is difficult to use for analysis or audit.
Consistency comes from three things: a standard template, clear training, and a process that makes reporting straightforward.
A digital incident management platform addresses all three. Rather than relying on paper forms or generic word processing documents, officers log incidents through a structured workflow that prompts them for the right information, applies your severity classification automatically, and routes the report to the right people. The result is faster, more complete, and more consistent reporting across your entire operation.
It also creates a searchable, auditable record that is far more useful than a folder of paper forms when you need to review incidents, respond to a legal request, or demonstrate compliance to an auditor.
Key Points
Writing a good incident report is a core skill for any security professional. The fundamentals are straightforward: respond first, gather facts quickly, write clearly and objectively, include everything relevant, and submit promptly.
Done consistently, incident reporting protects your organisation, supports accountability, and gives your team the data they need to continuously improve operations.
If you’re looking to change the way you report incidents, contact our team today. Or explore our Incident Management software here.
+44 (0)20 3989 4859 
info@zinc.systems 