A
lessons learned review (post-mortem) analyzes what happened, why, how it was detected, and how to prevent recurrence — the last IR phase.
Must occur for every significant incident. Outputs: root cause, detection gap analysis, control improvements, policy updates, training needs. Blameless post-mortems produce better results — focus on systems and processes, not individuals. Track improvement actions to completion.