Compliance Simulator · Incident Management

A Breach in the Building

A hands-on case study — respond to a live security incident step by step using Cyberday's incident management workflow.

🏭 NordChem Oy
🎭 You play the Security Admin
ISO/IEC 27001:2022
~45 min · 4 Tasks · 400 XP
The Situation

What Happened

It is Tuesday morning. You are the security admin at NordChem Oy. An employee in the sales department has just reported something suspicious — and your phone is already buzzing.
Jarkko Virtanen, IT Manager

"We've got a problem. One of the sales team received an email that looked like it was from us — IT support — asking them to verify their login details. They clicked the link and entered their credentials. About two hours later our monitoring flagged login activity from an IP address in a country we don't operate in."

Jarkko Virtanen, IT Manager

"The employee has already reported it through the Guidebook. It's sitting in your Security Incidents list right now. The account has been suspended but we don't know yet what the attacker accessed. You need to work through this."

The incident has been reported — now it's your job to manage it
How this works: Keep this panel open alongside Cyberday. Work through each task in order — the incident is already in your Security Incidents list. Your job is to take it from Detection all the way through to Closed.
Before You Start

How Incident Management Works in Cyberday

Before you start working through the incident, take a moment to understand the structure. Every incident in Cyberday follows the same five-stage workflow — knowing this will make the tasks faster and clearer.

What is Incident Management?

Incident management is a structured approach to detecting, responding to, and resolving security incidents. The goal is to minimise the impact of an incident — containing it quickly, restoring normal operations, and making sure it doesn't happen again.

Without a structured process, organisations respond in a panic — steps get missed, evidence gets lost, and the same incident can happen again. Cyberday's workflow guides you through every stage so nothing falls through the cracks.

The Five-Stage Incident Workflow

Every incident in Cyberday moves through five stages. Each stage must be completed and marked as done before the incident progresses to the next one.

Stage | What happens
Detection | The incident is reported and the owner is notified. The incident appears in the Security Incidents list.
Described | The admin accepts the incident, fills in what happened, sets the owner and priority, and marks section 01 complete.
Effects | The impact is assessed: how critical was it, was data accessed, how urgent is the fix. Section 02 is marked complete.
Improvements | Actions are planned to prevent recurrence. Response steps are documented. Sections 03 and 04 are completed.
Closed | All measures are reviewed and implemented. The incident is marked as closed.
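To make the stage gating concrete, here is an added example (not Cyberday's own code) that models the five-stage workflow above as a small state machine: sections must be completed in order, section 01 needs an owner and priority, section 02 needs both effect answers, and a confirmed unauthorised data access sets the 72-hour GDPR notification deadline mentioned under Task 2. Field names and the Incident class are assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional, Set

STAGES = ["Detection", "Described", "Effects", "Improvements", "Closed"]
GDPR_NOTIFY_WINDOW = timedelta(hours=72)  # breach notification duty after awareness


class WorkflowError(Exception):
    """Raised when a section is completed out of order or with missing data."""


@dataclass
class Incident:  # hypothetical model of a Cyberday incident card
    title: str
    detected_at: datetime
    owner: Optional[str] = None
    priority: Optional[str] = None
    critical: Optional[bool] = None
    unauthorised_access: Optional[bool] = None
    sections_done: Set[int] = field(default_factory=set)
    stage: str = "Detection"

    def complete_section(self, section: int) -> str:
        """Mark section 01-04 done and return the stage the incident moves to."""
        if section not in (1, 2, 3, 4):
            raise WorkflowError(f"unknown section {section}")
        if section > 1 and (section - 1) not in self.sections_done:
            raise WorkflowError(f"section {section - 1:02d} must be done first")
        if section == 1 and (self.owner is None or self.priority is None):
            raise WorkflowError("section 01 needs an owner and a priority")
        if section == 2 and (self.critical is None or self.unauthorised_access is None):
            raise WorkflowError("section 02 needs both effect answers")
        self.sections_done.add(section)
        # Stage advances per the workflow table: 01 -> Described, 02 -> Effects,
        # and only once both 03 and 04 are done -> Improvements.
        if {1, 2, 3, 4} <= self.sections_done:
            self.stage = "Improvements"
        elif 2 in self.sections_done:
            self.stage = "Effects"
        elif 1 in self.sections_done:
            self.stage = "Described"
        return self.stage

    def close(self) -> str:
        if self.stage != "Improvements":
            raise WorkflowError("all four sections must be complete before closing")
        self.stage = "Closed"
        return self.stage

    def notification_deadline(self) -> Optional[datetime]:
        """Regulator notification deadline, only if unauthorised access was confirmed."""
        return self.detected_at + GDPR_NOTIFY_WINDOW if self.unauthorised_access else None
```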

Where to Find Incidents in Cyberday

Go to Organisation Dashboard → Incident Management theme → Documentation → Security Incidents. This is where all reported incidents appear. At the top of the list you can filter by workflow stage to see what needs attention.

When an incident is reported by an employee through the Guidebook, the admin assigned to incident management receives an immediate notification — by email, or via Teams or Slack if those integrations are active.

Knowledge check
What is the first stage of the incident workflow in Cyberday — the moment an incident is reported and the owner is notified?
Described
Detection
Effects
Improvements
Knowledge check
Where do you find reported incidents in Cyberday?
Organisation Dashboard → Frameworks page
The employee Guidebook home page
Organisation Dashboard → Incident Management theme → Documentation → Security Incidents
Organisation Dashboard → Taskbook → Needs attention
Task 1 · 10 minutes

Describe the Incident

Organisation Dashboard → Incident Management → Documentation → Security Incidents
Laura's report is sitting in the Security Incidents list at the Detection stage. Your first job is to accept it and fill in the details — what happened, who owns it, and how serious it appears at this stage.
1. Describe the Incident — Section 01 (⏱ 10 min)
Objective: Accept the reported incident, fill in section 01 with the incident details, assign an owner, set the priority, and mark the section complete to move the incident to the Described stage.
  1. Go to Organisation Dashboard → Incident Management theme → Documentation → Security Incidents.
    You will see Laura's report listed at the Detection stage. Use the filter at the top to confirm you are looking at the right stage.
  2. Click on the incident to open it. Click Accept to confirm this is a real incident and begin treatment.
    Until you accept the incident, you cannot begin filling in details or moving it through the workflow.
  3. Fill in the details under "01 What was the type of incident". Based on Laura's report, select or describe the incident as a phishing attack resulting in compromised credentials.
    Be specific — a well-described incident is much easier to analyse and learn from later.
  4. Set yourself as the owner and assign a priority. Remember: the person set as owner will receive all future notifications for this incident.
  5. Once all fields are filled, click Mark as done on section 01. The incident status will automatically update to Described.
Knowledge check
Based on what happened to Laura, what is the correct incident type to select in section 01?
Ransomware attack on company servers
Physical theft of a device
Phishing attack resulting in compromised credentials
Accidental data deletion by an employee
Knowledge check
Why is it important to set a responsible owner on an incident in Cyberday?
It automatically closes the incident after 24 hours
The owner receives immediate notifications when incidents are reported and is responsible for treatment
It locks the incident so other users cannot view it
It increases the compliance score for the framework
Key Takeaways
  • Accepting and documenting an incident immediately creates an audit trail and triggers the response workflow
  • Accurate incident type classification determines which response procedures and reporting obligations apply
  • Assigning a responsible owner ensures clear accountability so decisions happen quickly under pressure
Task 2 · 10 minutes

Assess the Effects

Section 02 — What kind of effects did the incident have?
The incident is now described. Jarkko has completed his initial investigation and has news — it is not good. The attacker was active in Laura's account for over three hours before being detected. They accessed the sales folder, which contains customer contracts and pricing data.
Jarkko Virtanen, IT Manager

"I've pulled the access logs. The attacker browsed multiple folders and downloaded several files from the sales shared drive — customer contracts, pricing sheets, a few internal reports. This is serious. The account had access to more than it probably should have. We need to classify this properly."

2. Assess the Effects — Section 02 (⏱ 10 min)
Objective: Complete section 02 of the incident card by assessing how critical the incident was, evaluating the effects on the organisation, and confirming whether unauthorised data access occurred.
  1. Open the incident card and move to section 02 — "What kind of effects did the incident have?"
  2. Answer "Was the incident critical?" — based on Jarkko's findings, consider whether this affects important functions of the organisation. Customer contracts and pricing data are core commercial assets.
  3. Answer "Was malicious unauthorised access to data identified?" — Jarkko confirmed the attacker browsed and downloaded files. Answer accordingly.
  4. Once both fields are completed, click Mark as done on section 02. The incident will automatically move to the Effects stage.
⚠️ Be honest in your assessment. Underclassifying an incident — marking it as low impact when data was accessed — can lead to an inadequate response, missed regulatory reporting obligations, and recurring incidents. If data was accessed, it must be recorded as such.
Scenario
The attacker had access to Laura's account for over three hours and downloaded customer contracts and pricing data. How should you answer "Was the incident critical?"
No — only one employee account was affected, so the impact is limited
No — the account has been suspended so the threat is gone
Yes — customer contracts and pricing data are core commercial assets and their exposure affects important functions of the organisation
Not sure — wait until a full forensic audit is complete before deciding
Scenario
Jarkko confirms the attacker browsed multiple folders and downloaded files from the shared drive. How should you answer "Was malicious unauthorised access to data identified?"
No — the attacker used valid credentials so technically the access was authorised
No — we cannot confirm what was read vs just opened
Yes — the attacker obtained the credentials through deception, making all subsequent access unauthorised regardless of which credentials were used
Yes — but only if the attacker was from outside the EU
Key Takeaways
  • Honest criticality classification ensures your response matches the real severity — underclassifying delays necessary action
  • Confirming unauthorised data access can trigger GDPR breach notification duties within 72 hours
  • Impact assessment is not just internal — it determines what you must report to regulators and affected parties
Task 3 · 12 minutes

React to the Incident

Section 03 — How have we reacted to the incident?
The effects have been assessed and the incident is confirmed as serious. Now you need to document how NordChem has responded — what response plans were deployed, which existing tasks relate to this incident, and what other steps were taken to contain the situation.
3. React to the Incident — Section 03 (⏱ 12 min)
Objective: Complete section 03 of the incident card by documenting the response, including which plans were deployed, which tasks are linked, and what other incident response actions were taken.
  1. Open section 03 — "How have we reacted to the incident?"
  2. Review the Deployed incident response plans field. In a real scenario, you would click Edit to link your existing continuity plan from your ISMS here — for example a plan covering cyber attacks or data breaches. This connects the incident to your documented procedures.
    If NordChem does not yet have a continuity plan in Cyberday, this is a gap to note for your improvement actions in the next task.
  3. Review the Linked tasks field. In a real scenario, you would link relevant tasks already in your ISMS — for example tasks related to access control, email security, or account management. This shows which areas of your security program are relevant to this incident.
    Linking tasks here helps you see gaps in your current ISMS — if the linked task is still "Untreated", it may have contributed to the incident occurring.
  4. Review the Security risks associated field. In a real scenario, you would link the relevant risk from your risk register — for example a risk covering phishing or credential theft. This keeps your risk register connected to real events.
  5. Fill in the Other incident response field. This is where you describe the immediate actions taken to contain and manage the incident. Click Mark as done on section 03 when complete.
About the linked fields: The Edit buttons for Deployed incident response plans, Linked tasks, and Security risks associated all connect the incident to existing items in your ISMS. For example, you might link a risk item called "Phishing — credential theft" from your risk register, or a task called "Access control review". These links are what make Cyberday powerful — incidents don't live in isolation, they connect back to your full security program.
Scenario
Laura's account has been suspended and the immediate threat is contained. What should you document under "Other incident response" as the most complete and appropriate set of actions for this phishing incident?
Delete Laura's account permanently and replace her company laptop
Wait and monitor — the account is suspended so no further action is needed at this stage
Suspend the company email server until a full investigation is complete
Force a company-wide password reset, enable MFA on all accounts, notify affected customers, and send an immediate security awareness notice to all employees
Key Takeaways
  • Effective incident response balances speed with proportionality — contain the threat without disrupting unaffected systems
  • Linking incidents to existing ISMS elements (tasks, risks, plans) shows how your security system works in practice
  • Documenting immediate actions creates evidence that your organisation responded appropriately and promptly
Task 4 · 10 minutes

Learn From the Incident

Section 04 — What did we learn from the incident?
The immediate response is done. Now comes the most important part — making sure this never happens again. Section 04 is your post-incident review. This is where NordChem's ISMS actually improves as a result of what happened.
Maria Lindqvist, CEO

"I need to understand how this happened and what we are doing to make sure it does not happen again. The board will ask the same question. I want a clear answer."

4. Learn From the Incident — Section 04 (⏱ 10 min)
Objective: Complete section 04 by documenting the root cause, weak points identified, and improvements planned. Then close the incident and review the auto-generated incident report.
  1. Open section 04 — "What did we learn from the incident?"
  2. Fill in Root cause — what was the underlying reason this incident was able to occur? Think beyond "the employee clicked a link."
    A strong root cause analysis goes deeper — why was the employee not trained to recognise phishing? Why was MFA not enforced? Why did the account have access to so many files?
  3. Fill in Weak points — what gaps in NordChem's security program made this incident worse or harder to detect?
  4. Review the Linked security systems, Connected improvements, and Updated or new tasks fields. These use Edit to link directly to your ISMS — see the note box below for guidance on what to link here.
  5. Fill in Incident response analysis — how well did the response go? What could have been faster or handled better?
  6. Once section 04 is complete, mark it done. Then mark the incident as Closed. Finally go to Incident Management theme → Reports and open the auto-generated incident report to review the full record.
About the linked fields in section 04:

Linked security systems — Click Edit to link the specific systems involved in this incident, such as the Microsoft 365 email system or the shared sales drive. This connects incidents to your asset register.

Connected improvements — Click Edit to link a formal improvement item. For this incident you might create one called "Roll out MFA to all user accounts" or "Restrict shared drive access by role."

Updated or new tasks — Click Edit to link or create tasks that directly address the gaps found. For example: "Activate phishing awareness guideline for all employees" or "Review and tighten access control permissions." These tasks will then appear in your ISMS Taskbook for follow-up.
Scenario
What is the most accurate root cause of this incident at NordChem?
A vulnerability in NordChem's firewall allowed the attacker to intercept credentials
The employee intentionally shared their password with a third party
No phishing awareness training was in place, MFA was not enforced, and account permissions were broader than necessary
The email filtering system failed to block the phishing email
Knowledge check
Put the five incident workflow stages in the correct order from start to finish:
Effects
Closed
Detection
Improvements
Described
Incident Closed!

You have taken NordChem's phishing incident from Detection all the way through to Closed — describing what happened, assessing the effects, documenting the response, and turning it into lasting improvements in the ISMS. Laura's account is secure, MFA is rolling out, and the organisation is better prepared for next time.
Key Takeaways
  • Root cause analysis must go deeper than surface symptoms — "employee clicked a link" is not a root cause
  • Every incident is an opportunity to strengthen your ISMS through concrete, tracked improvements
  • Closing the loop (Detection to Closed) demonstrates mature incident management to auditors and stakeholders