Incident Management: How It Works

A practical guide to incident management under ITIL – what an incident is, how the process works step by step, and how prioritisation and SLAs fit together.

Quick answer

Incident management is the ITIL process for restoring normal service as quickly as possible after an unplanned disruption or degradation of an IT service. It is not about finding the root cause – it is about limiting the impact on the business and getting users working again. Incident management is one of the core processes within ITSM.

Last updated June 2026.

What is incident management?

Incident management is the process for receiving, logging and resolving disruptions to IT services. An incident is anything that stops a service from working as it should – a system that is down, a login that fails, or a print job that will not go through.

The goal is simple but critical: restore service as quickly as possible and keep the impact on the business as small as you can. The lasting cause can wait – that is handled in problem management. When incident management works, you feel it straight away: shorter outages, fewer frustrated users, and an IT function that stays ahead instead of chasing.

Incident, problem and request – the difference

Three terms that are often confused, but that drive the work in very different ways:

  • Incident – a disruption happening right now. Something is not working, and the goal is to restore service.
  • Problem – the underlying root cause behind one or more incidents. Here you look for why it happens, so the fault does not recur.
  • Request – a planned order, such as new access rights, a phone or an account. Nothing is broken; someone wants something delivered.

Keeping them apart matters. If you treat every request as an urgent incident, routine orders eat up the time your real outages need.

The incident process step by step

A well-designed incident process follows the same path every time, regardless of who receives the ticket:

  1. Log – capture the incident with all the relevant details: who is affected, what happened and when. Everything is recorded in one place so nothing slips through the cracks.
  2. Categorise – sort the incident under the right service or area so it reaches the right team and stays searchable for the future.
  3. Prioritise – assess how urgent and how widespread the disruption is. The priority decides the order in which tickets are handled and which SLA applies.
  4. Escalate or resolve – handle the incident at first line where possible, otherwise escalate to the right specialist. Many tickets can be resolved straight away using known solutions in the knowledge base.
  5. Close and document – confirm with the user that the service is restored, close the ticket and document the solution. What you document today makes the next similar incident faster to resolve.

Prioritisation, SLAs and major incidents

Priority is usually set from two factors: how many people are affected (impact) and how urgent it is (urgency). A service that is down for the whole company outweighs a single issue for one user.

An SLA (Service Level Agreement) is the agreement that defines the time within which an incident should be responded to and resolved, often broken down by priority. The SLA makes expectations clear on both sides and gives you numbers to manage by.

A major incident is a serious, high-impact disruption – a critical system down, many users affected. It follows a separate, faster track with clear coordination and ongoing communication until the situation is under control.
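The prioritisation and SLA logic described above, as an added example (not code from this page or from any ITSM product). The page gives no figures, so the impact/urgency matrix, the SLA targets in minutes and the rule that priority 1 takes the major-incident track are all assumptions, and the tickets are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

LEVELS = {"high": 0, "medium": 1, "low": 2}
# Assumed matrix: MATRIX[impact][urgency] -> priority, 1 = most urgent.
MATRIX = [[1, 2, 3], [2, 3, 4], [3, 4, 5]]
# Assumed SLA targets per priority, in minutes: (respond within, resolve within).
SLA_MIN = {1: (15, 240), 2: (30, 480), 3: (120, 1440), 4: (240, 4320), 5: (480, 7200)}

@dataclass
class Incident:
    ticket: str
    opened: datetime
    impact: str
    urgency: str
    responded: Optional[datetime] = None
    resolved: Optional[datetime] = None

def priority(inc):
    return MATRIX[LEVELS[inc.impact]][LEVELS[inc.urgency]]

def is_major(inc):
    return priority(inc) == 1  # assumption: P1 goes to the major-incident track

def deadlines(inc):
    """(respond_by, resolve_by) for the SLA that the ticket's priority selects."""
    return tuple(inc.opened + timedelta(minutes=m) for m in SLA_MIN[priority(inc)])

def sla_breaches(inc, now):
    """SLA clocks already missed; an unset timestamp means the clock still runs."""
    respond_by, resolve_by = deadlines(inc)
    breaches = []
    if (inc.responded or now) > respond_by:
        breaches.append("response")
    if (inc.resolved or now) > resolve_by:
        breaches.append("resolution")
    return breaches

def work_queue(incidents, now):
    """Open tickets ordered by priority, then by nearest resolution deadline."""
    open_tickets = [i for i in incidents if i.resolved is None]
    return sorted(open_tickets, key=lambda i: (priority(i), deadlines(i)[1] - now))

NOW = datetime(2026, 6, 1, 12, 0)  # constructed reference time
TICKETS = [  # constructed sample tickets
    Incident("INC-1", NOW - timedelta(hours=30), "low", "medium"),
    Incident("INC-2", NOW - timedelta(minutes=20), "high", "high"),
    Incident("INC-3", NOW - timedelta(hours=9), "medium", "high",
             responded=NOW - timedelta(hours=8, minutes=45)),
]
```

Measuring the response clock separately from the resolution clock shows which half of the SLA was missed: an unanswered low-priority ticket and an answered but unresolved high-priority ticket are different failures.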

An ITSM system like Freshservice supports the whole chain: automatic categorisation and prioritisation, SLA tracking with reminders, a knowledge base for quick solutions, and a dedicated track for major incidents. Scaly introduces the process and the tool tailored to your organisation.

Incident management in a nutshell

  • Incident management restores normal service as fast as possible – it does not find the root cause.
  • Distinguish incident (disruption now), problem (root cause) and request (an order).
  • The process is the same every time: log, categorise, prioritise, escalate/resolve, close.
  • Priority and SLA decide the order tickets are handled and the time they should be resolved in.
  • Major incidents follow their own faster track with clear coordination and communication.

Want to get your incident management in order?

We help Nordic IT organisations set up an incident process that holds up – with the right prioritisation, SLAs and a tool that supports the work instead of getting in the way.

Frequently asked questions about incident management

What's the difference between an incident and a problem?
An incident is an ongoing disruption that should be resolved as fast as possible to restore service. A problem is the underlying root cause behind one or more incidents. Incident management puts out the fire; problem management makes sure it does not flare up again.

What is a major incident?
A major incident is a serious, high-impact disruption to the business – for example a critical system going down or many users affected at once. It is handled on a separate, faster track with clear coordination and ongoing communication until the service is restored.

What is an SLA in incident management?
An SLA (Service Level Agreement) is an agreement on the time within which an incident should be responded to and resolved, often broken down by priority. It makes expectations clear and gives IT measurable targets to manage the work by.

Which tool is right for incident management?
For most mid-sized Nordic organisations, Freshservice is a strong choice. It provides logging, categorisation, automatic prioritisation, SLA tracking and a dedicated major-incident track in one system. Scaly implements and tailors it in Swedish.