Phase 1
Identify & triage
Capture the incident, make it visible, and decide how urgently it needs attention.
- Detection
- Logging
- Categorisation
- Prioritisation
Incident management restores normal service as quickly as possible after disruption, while minimising business impact and protecting service quality.
Process overview
Each incident moves through three phases - from first signal to closed record - so work stays visible, prioritised, and resolved with minimal business impact.
Phase 1
Capture the incident, make it visible, and decide how urgently it needs attention.
Phase 2
Diagnose the issue, bring in the right expertise, and restore normal service as quickly as possible.
Phase 3
Confirm service is restored, close the record accurately, and pass learning to improvement activity.
ITIL practice
Incident management is one of the core ITIL service management practices. Its purpose is to restore normal service operation as quickly as possible after an unplanned interruption or reduction in service quality, while limiting the impact on the business.
In ITIL terms, an incident is an unplanned interruption to a service or reduction in service quality. The practice is not about finding root cause-that is problem management-but about timely restoration, clear communication, and protecting users and the business while service is impaired.
A mature incident management capability typically includes:
Incident management sits alongside event management (detection), the service desk (user contact), problem management (root cause), and change management (controlled fixes). Done well, it gives the organisation confidence that disruption will be handled calmly, communicated honestly, and learned from.
ITIL v5
ITIL v5 does not replace the fundamentals of incident management. Restoration, prioritisation, and communication remain the heart of the practice. What changes is the context in which incidents are managed.
Our reading of ITIL v5 is that incident management is positioned more explicitly within operational resilience and value protection-not as a ticketing workflow, but as part of how the organisation responds when service fails to meet expectations.
ITIL v5 places greater emphasis on integrated operations: monitoring, events, automation, and AI-assisted analysis. Incident managers should expect more signal from tooling and need clear rules for what becomes an incident versus an event or alert.
Major incident communication and transparency are treated as first-class concerns. Declaring a major incident, coordinating response, and keeping business and technical stakeholders aligned is not optional ceremony-it protects reputation and decision quality.
Post-incident review and feedback into problem and change management are strengthened. Incidents are data about service health; ITIL v5 encourages organisations to treat that data as input to improvement, not as a volume metric to minimise.
For teams already aligned to ITIL 4, the practical takeaway is continuity with sharper edges: better integration with monitoring and automation, clearer accountability during major incidents, and stronger links to improvement. Re-certifying or re-reading the framework is worthwhile, but most organisations will gain more from tightening how they run incidents today than from renaming process steps.
Major incident
When disruption is significant, a major incident response brings structured coordination, clear ownership, and stakeholder communication - regardless of ticket priority.
Major incident managementMeet Ashley Jones, our virtual Incident Manager. Ashley represents how we approach incident coordination, major incident response, and service restoration in delivery.
Incident Manager
How we coordinate incident response and restore service under pressure.