What is the difference between 'investigation' and 'analysis' in incident handling?

Prepare for the Valley Fair iROC Online Training Test.

Multiple Choice

What is the difference between 'investigation' and 'analysis' in incident handling?

Explanation:

In incident handling, the important distinction is between collecting factual evidence and determining why the incident happened to prevent it from recurring. Investigation is about gathering the facts: what happened, when, which systems were affected, who reported it, and the sequence of events with any logs or evidence. Analysis takes those facts and asks why it happened, identifying root causes and contributing factors, then recommending corrective actions to stop it from happening again.

For example, after a server outage, investigators would compile the logs and timelines to describe exactly what occurred. Analysts would then examine those findings to uncover root causes—such as a lack of redundancy or a faulty configuration—and propose fixes like adding redundancy or updating procedures. The other options misplace responsibilities: assigning blame isn’t the goal of a professional investigation, purely documenting procedures isn’t the main purpose of analysis, and preventing recurrence is an outcome of the analysis, not the initial fact-gathering step.
