INC-003 Incident Classification and Escalation
Description
Incidents are classified by severity and type using a defined taxonomy. Classification determines escalation paths, notification requirements, and response SLAs. Criteria for classifying an event as a data breach or high-severity incident are documented and consistently applied.
Rationale
Consistent classification ensures the right people are notified at the right speed. Misclassification — particularly under-classification — is a major cause of delayed response and regulatory exposure.
Framework Mappings (3)
| Control ID | Control name | Mapping |
| --- | --- | --- |
| SEF-07 | Incident Management and Response | partial |
| IR-4 | Incident Handling | partial |
| IR-6 | Incident Reporting | partial |
Evidence (2)
Incident classification policy defining the severity taxonomy, classification criteria, escalation triggers, and response SLAs for each severity level.
Example: Incident Classification Matrix or IRP appendix (version-controlled) defining severity levels (e.g., P1–P4), classification criteria, data breach determination criteria, escalation requirements, and response SLA per level
Test: Request the incident classification policy or matrix. Verify: (1) severity levels are defined with explicit criteria; (2) data breach classification criteria are documented and consistent with GDPR Art. 33 triggers; (3) each severity level has a defined escalation path and response SLA; (4) the matrix is referenced in the IRP and training materials.
Sample incident records showing consistent application of the classification taxonomy including severity assignment and escalation decisions.
Example: Incident records from the past 12 months (at least 5 incidents across severity levels) showing event type, initial classification, escalation actions taken, and any reclassification with rationale
Test: Request a sample of incident records from the last 12 months spanning multiple severity levels. Verify: (1) each incident record shows a severity classification; (2) classification is consistent with the documented criteria; (3) escalation actions match the requirements for the assigned severity level; (4) any reclassifications are documented with a rationale.
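The four record-level checks in the Test above can be scripted so a sample export of incident records is verified the same way every time. The following is an added example, not part of this control catalogue: the P1-P4 matrix, the escalation roles, the "personal data breach is never below P2" rule and the incident records are all constructed for illustration, and the field names are assumed.

```python
from datetime import datetime, timedelta

# Constructed classification matrix (example values, not the control's own):
# who must be notified and how long after detection escalation must be complete.
MATRIX = {
    "P1": ({"on-call lead", "CISO", "DPO"}, timedelta(hours=1)),
    "P2": ({"on-call lead", "CISO"}, timedelta(hours=4)),
    "P3": ({"on-call lead"}, timedelta(hours=24)),
    "P4": (set(), timedelta(days=5)),
}
BREACH_LEVELS = {"P1", "P2"}  # assumed rule: personal data breaches are never below P2

def check_record(rec):
    """Return audit findings for one incident record (empty list = consistent)."""
    rid, sev = rec["id"], rec.get("severity")
    if sev not in MATRIX:                                      # test (1): severity recorded
        return [f"{rid}: missing or unknown severity {sev!r}"]
    required, sla = MATRIX[sev]
    findings = []
    if rec.get("personal_data_breach") and sev not in BREACH_LEVELS:  # test (2): criteria
        findings.append(f"{rid}: personal data breach classified {sev}, criteria require P1/P2")
    missing = required - set(rec.get("escalated_to", []))     # test (3): escalation path
    if missing:
        findings.append(f"{rid}: {sev} escalation missing {sorted(missing)}")
    if required and "escalated_at" not in rec:
        findings.append(f"{rid}: no escalation timestamp for {sev}")
    elif required and rec["escalated_at"] - rec["detected_at"] > sla:
        findings.append(f"{rid}: escalated after {rec['escalated_at'] - rec['detected_at']}, SLA {sla}")
    if rec.get("reclassified_from") and not rec.get("reclassification_rationale"):  # test (4)
        findings.append(f"{rid}: reclassified from {rec['reclassified_from']} without rationale")
    return findings

def audit(records):
    # Map incident id -> findings, only for records that fail at least one check.
    return {r["id"]: f for r in records if (f := check_record(r))}

T0 = datetime(2024, 3, 1, 9, 0)
SAMPLE_RECORDS = [  # constructed records spanning several severity levels
    {"id": "INC-101", "severity": "P1", "personal_data_breach": True, "detected_at": T0,
     "escalated_at": T0 + timedelta(minutes=40), "escalated_to": ["on-call lead", "CISO", "DPO"]},
    {"id": "INC-102", "severity": "P3", "personal_data_breach": True, "detected_at": T0,
     "escalated_at": T0 + timedelta(hours=2), "escalated_to": ["on-call lead"]},
    {"id": "INC-103", "severity": "P2", "detected_at": T0,
     "escalated_at": T0 + timedelta(hours=6), "escalated_to": ["on-call lead"]},
    {"id": "INC-104", "severity": "P4", "detected_at": T0, "reclassified_from": "P2"},
    {"id": "INC-105", "detected_at": T0},
]

if __name__ == "__main__":
    for rid, findings in audit(SAMPLE_RECORDS).items():
        print(rid, *findings, sep="\n  ")
```

Only INC-101 passes; the other records reproduce the four failure modes the Test looks for (under-classified breach, incomplete and late escalation, undocumented downgrade, no severity recorded).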
Questions (2)
Are incidents classified by severity and type using a defined taxonomy, with classification criteria documented and consistently applied to determine escalation paths, notification requirements, and response SLAs?
The classification matrix should explicitly include criteria for identifying a personal data breach (triggering GDPR notification obligations) and should be referenced in all incident triage processes.
How many severity levels are defined in your incident classification taxonomy?
The expected standard for enterprise SaaS providers is four distinct severity levels, each with explicit classification criteria and a response SLA. Fewer levels reduce classification precision.