Criteria for declaring cybersecurity incidents are established, at least in an ad hoc manner
Context and Guidance: Criteria for declaring cybersecurity incidents are used to determine whether an observed event should be treated as an incident and, if so, how severe that incident is likely to be. A ranking scale, such as high, medium, and low, helps communicate incident severity to stakeholders and aids in prioritising the response actions to be taken.
Incident declaration criteria should be developed from experience and may be partially derived from risk evaluation criteria (such as impact thresholds) established as part of Risk Management domain activities. Criteria might be based on the type of event (such as unauthorised access), the scope of impact (local versus organisation-wide), the type of impact (internal systems versus critical external services), compliance obligations (internal-only versus reportable event), or the expected time to recovery. For some events, declaration may follow immediately on detection, requiring little additional analysis. In other cases, the organisation can apply previously developed criteria to guide the declaration decision rather than relying on ad hoc judgement at the time of the event.
Related Practices • Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression are: RESPONSE-2a, RESPONSE-2c, RESPONSE-2e, RESPONSE-2h.