Incidents are declared when adverse events meet the defined criteria
The transition from 'adverse event under investigation' to 'declared incident' is a decision point with real consequences: it triggers the incident response plan, mobilizes resources, initiates notification timelines, and creates regulatory obligations. Organizations need clear criteria for when to make this declaration so that it happens at the right time: not so late that response is delayed, and not so early that the team is crying wolf over every alert.
Implementation steps
1. Define incident declaration criteria in your incident response policy
Document explicit criteria that trigger an incident declaration: confirmed data exfiltration, ransomware execution, unauthorized access to systems containing regulated data, an availability outage affecting customers that exceeds a defined duration, a compromised privileged account, or any event meeting a defined severity threshold. Each criterion should be a concrete, observable condition with a measurable threshold where one applies, so that any on-call responder reaches the same decision without relying on individual judgment. Review the criteria at least annually and whenever a post-incident review finds that declaration timing was wrong.
2. Establish an incident declaration workflow
Define the mechanics of declaring an incident: who has authority to declare, which system is the system of record for opening the incident, who must be notified on declaration, and which resources are mobilized immediately. Automate as much of this as possible so that the act of declaring creates a dedicated Slack channel, opens a ticket, and pages the incident commander in one step. Make declaration idempotent so that two responders declaring the same event do not open duplicate records, and capture the declaration timestamp and the initiating event in the record, since those are the evidence on which declaration timing is later judged. Speed of mobilization matters.
3. Train responders on declaration criteria and practice through tabletop exercises
Even with written criteria, declaration is a decision made under pressure, often on incomplete information. Train all on-call responders on the declaration criteria so they apply them consistently. Run tabletop exercises that include scenarios requiring declaration decisions: at which point in the scenario timeline should the responder have declared? Were the criteria met but declaration delayed? Tabletop exercises surface process gaps before a real incident exposes them.
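As an added example that is not part of this page or of any vendor's tooling, the following Python encodes a hypothetical declaration policy as data and walks constructed adverse events through it: each criterion is a yes/no test on event attributes, the most severe matched tier sets the severity, only listed roles may declare, a repeat declaration for the same event returns the existing record rather than opening a duplicate, and a final check flags declarations that lagged detection, which is the question a post-incident review asks. The criterion names, the 30-minute outage threshold, the role names, the incident ID format and the sample events are all assumptions.

```python
"""Incident declaration criteria as code (added example, not the page's own).
Criterion names, thresholds, roles and sample events are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable

SEVERITY_RANK = {"SEV1": 1, "SEV2": 2, "SEV3": 3}  # lower rank = more severe


@dataclass(frozen=True)
class AdverseEvent:
    event_id: str
    detected_at: datetime            # when the adverse event was first observed
    kind: str                        # data_exfiltration | ransomware | unauthorized_access | outage
    confirmed: bool = False          # analyst-confirmed rather than merely suspected
    regulated_data: bool = False
    privileged_account: bool = False
    customer_facing: bool = False
    duration: timedelta = timedelta(0)


@dataclass(frozen=True)
class Criterion:
    name: str
    severity: str
    matches: Callable[[AdverseEvent], bool]


# Hypothetical policy. Every criterion is a yes/no test on event attributes, so any
# responder (or a pipeline) reaches the same answer. The 30-minute outage threshold
# is an assumed value; the page does not specify one.
CRITERIA = [
    Criterion("confirmed data exfiltration", "SEV1",
              lambda e: e.kind == "data_exfiltration" and e.confirmed),
    Criterion("ransomware execution", "SEV1",
              lambda e: e.kind == "ransomware" and e.confirmed),
    Criterion("unauthorized access to systems holding regulated data", "SEV1",
              lambda e: e.kind == "unauthorized_access" and e.regulated_data),
    Criterion("compromised privileged account", "SEV2",
              lambda e: e.kind == "unauthorized_access" and e.privileged_account),
    Criterion("customer-facing outage of 30 minutes or more", "SEV2",
              lambda e: e.kind == "outage" and e.customer_facing
              and e.duration >= timedelta(minutes=30)),
]

AUTHORIZED_DECLARERS = {"oncall-security", "incident-commander"}  # assumed roles


def evaluate(event):
    """Return (severity, matched criterion names); (None, []) when nothing matches.
    Severity is the most severe tier among all matched criteria."""
    hits = [c for c in CRITERIA if c.matches(event)]
    if not hits:
        return None, []
    severity = min((c.severity for c in hits), key=SEVERITY_RANK.__getitem__)
    return severity, [c.name for c in hits]


@dataclass(frozen=True)
class Declaration:
    incident_id: str
    event_id: str
    severity: str
    criteria_met: tuple
    detected_at: datetime
    declared_at: datetime
    declared_by: str


def declare(event, declared_by, now, registry):
    """Open an incident record if criteria are met. `registry` (event_id -> Declaration)
    stands in for the ticketing system. Idempotent: a repeat declaration for the same
    event returns the existing record instead of opening a duplicate."""
    if declared_by not in AUTHORIZED_DECLARERS:
        raise PermissionError(f"{declared_by} is not authorized to declare incidents")
    if event.event_id in registry:
        return registry[event.event_id]
    severity, met = evaluate(event)
    if severity is None:
        return None  # stays an adverse event under investigation
    record = Declaration(
        incident_id=f"INC-{len(registry) + 1:04d}", event_id=event.event_id,
        severity=severity, criteria_met=tuple(met), detected_at=event.detected_at,
        declared_at=now, declared_by=declared_by)
    registry[event.event_id] = record
    return record


def late_declarations(records, max_delay=timedelta(minutes=15)):
    """Evidence check for post-incident review: incidents declared more than max_delay
    after detection. Detection time is the proxy for when criteria became observable."""
    return [r.incident_id for r in records if r.declared_at - r.detected_at > max_delay]


T0 = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # constructed timestamp
SAMPLE_EVENTS = [  # constructed events
    AdverseEvent("EVT-1", T0, "unauthorized_access", confirmed=True,
                 regulated_data=True, privileged_account=True),
    AdverseEvent("EVT-2", T0, "outage", customer_facing=True, duration=timedelta(minutes=12)),
    AdverseEvent("EVT-3", T0, "outage", customer_facing=True, duration=timedelta(minutes=45)),
    AdverseEvent("EVT-4", T0, "data_exfiltration", confirmed=False),
]


def run_demo():
    """Walk the sample events through declaration; returns the registry for inspection."""
    registry = {}
    declare(SAMPLE_EVENTS[0], "oncall-security", T0 + timedelta(minutes=5), registry)      # SEV1
    declare(SAMPLE_EVENTS[1], "oncall-security", T0 + timedelta(minutes=5), registry)      # below threshold
    declare(SAMPLE_EVENTS[2], "incident-commander", T0 + timedelta(minutes=50), registry)  # SEV2, late
    declare(SAMPLE_EVENTS[2], "oncall-security", T0 + timedelta(minutes=55), registry)     # duplicate
    declare(SAMPLE_EVENTS[3], "oncall-security", T0 + timedelta(minutes=5), registry)      # suspected only
    return registry


if __name__ == "__main__":
    reg = run_demo()
    for rec in reg.values():
        print(rec.incident_id, rec.severity, list(rec.criteria_met))
    print("late:", late_declarations(reg.values()))
```

In a real workflow the same `declare` call would create the channel and page the commander after the record is written, so a failed page never leaves a declared incident without a record. Detection time is only a proxy for when criteria became met; for a duration-based criterion such as the outage it overstates the lag (EVT-3's criterion was met at 30 minutes, so the true lag is 20 minutes, still over the assumed 15-minute bound).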
Evidence required
Incident declaration criteria and policy
A documented policy defining the criteria for declaring a security incident.
- Incident response policy with explicit incident declaration criteria
- Severity classification matrix with declaration thresholds per tier
- Runbook section defining the incident declaration workflow
Incident declaration records
Evidence that past incidents were declared in accordance with defined criteria.
- Incident ticket history showing declaration timestamps and initiating events
- Post-incident review noting whether declaration timing was appropriate
- Tabletop exercise notes evaluating declaration decision-making
Related controls
- Information on adverse events is provided to authorized staff and tools (Adverse Event Analysis)
- The estimated impact and scope of adverse events are understood (Adverse Event Analysis)
- A baseline of network operations and expected data flows is established and managed (Adverse Event Analysis)
- Potentially adverse events are analyzed to better understand associated activities (Adverse Event Analysis)