Categorize and prioritize incidents
Confirmed incidents are not all equal. A phishing email caught before a click is very different from active ransomware on a production server. Categorization applies consistent labels to incident types so that the right playbooks and personnel are engaged. Prioritization ensures that limited response resources are directed to the highest-impact threats first, rather than being spread thin or applied in the wrong order.
Implementation steps
1. Apply an incident type taxonomy
Classify the confirmed incident using a predefined taxonomy, such as malware, unauthorized access, data exfiltration, denial of service, or insider threat. The category determines which playbook and response team are engaged.
Tools: Jira, ServiceNow, Confluence
2. Assign a severity or priority level
Score the incident using a defined severity matrix that accounts for business impact, data sensitivity, affected system criticality, and estimated scope. Assign a priority level such as P1 through P4, each with a matching response time SLA.
Tools: Jira, ServiceNow, PagerDuty
3. Route the incident to the appropriate response team and playbook
Based on category and priority, assign the incident to the correct team lead and link the relevant response playbook. Notify the stakeholders listed in the incident's escalation matrix.
Tools: PagerDuty, Opsgenie, Slack, Jira
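The three steps above are usually codified once, so that every analyst scores an incident the same way and the ticket is routed deterministically. The following Python is an added illustration of that, not tooling from the page or from any of the products it names: the taxonomy is the page's five categories, but the factor weights, score bands, floor rules, P1-P4 SLA minutes, team queue names, playbook ids and escalation recipients are constructed assumptions standing in for the values an organisation's IR plan would define.

```python
"""Codified severity matrix and routing table for confirmed incidents.

Added example. The weights, thresholds, SLAs, team names, playbook ids and
escalation lists below are constructed assumptions, not values from any
real IR plan or ticketing system.
"""
from dataclasses import dataclass
from enum import Enum


class Category(str, Enum):
    """Incident type taxonomy (the five types named in step 1)."""
    MALWARE = "malware"
    UNAUTHORIZED_ACCESS = "unauthorized_access"
    DATA_EXFILTRATION = "data_exfiltration"
    DENIAL_OF_SERVICE = "denial_of_service"
    INSIDER_THREAT = "insider_threat"


@dataclass(frozen=True)
class ImpactRating:
    """Triage analyst's 1 (low) .. 4 (critical) rating of each matrix factor."""
    business_impact: int
    data_sensitivity: int
    system_criticality: int
    scope: int  # bucketed estimate of how many / which assets are affected

    def __post_init__(self) -> None:
        for name, value in vars(self).items():
            if not 1 <= value <= 4:
                raise ValueError(f"{name} must be in 1..4, got {value!r}")


# Constructed weights (assumption): data sensitivity and system criticality
# count 1.5x because they drive regulatory and availability consequences.
WEIGHTS = {
    "business_impact": 1.0,
    "data_sensitivity": 1.5,
    "system_criticality": 1.5,
    "scope": 1.0,
}
MAX_SCORE = 4 * sum(WEIGHTS.values())  # 20.0 when every factor is rated 4

# Constructed SLA table (assumption): priority -> (acknowledge, status update) in minutes.
SLA_MINUTES = {"P1": (15, 60), "P2": (60, 240), "P3": (240, 1440), "P4": (1440, 4320)}

# Constructed routing table (assumption): category -> (team lead queue, playbook id).
ROUTING = {
    Category.MALWARE: ("soc-malware-lead", "PB-MALWARE"),
    Category.UNAUTHORIZED_ACCESS: ("iam-response-lead", "PB-UNAUTH-ACCESS"),
    Category.DATA_EXFILTRATION: ("data-breach-lead", "PB-EXFIL"),
    Category.DENIAL_OF_SERVICE: ("network-ops-lead", "PB-DOS"),
    Category.INSIDER_THREAT: ("insider-risk-lead", "PB-INSIDER"),
}

# Constructed escalation matrix (assumption): who is notified at each priority.
ESCALATION = {
    "P1": ["ciso", "legal", "communications", "executive-on-call"],
    "P2": ["security-manager", "legal"],
    "P3": ["security-manager"],
    "P4": [],
}


def weighted_score(rating: ImpactRating) -> float:
    """Weighted sum of the four factors, normalised to 0.0 .. 1.0."""
    raw = sum(getattr(rating, factor) * w for factor, w in WEIGHTS.items())
    return raw / MAX_SCORE


def priority_for(rating: ImpactRating) -> str:
    """Map a rating to P1..P4 using score bands plus two floor rules.

    The floor rules stop a narrow but severe incident (e.g. a small leak of
    highly sensitive data) from being diluted by low scores on other factors.
    """
    score = weighted_score(rating)
    worst_asset = max(rating.data_sensitivity, rating.system_criticality)
    if score >= 0.75 or (rating.data_sensitivity == 4 and rating.system_criticality == 4):
        return "P1"
    if score >= 0.50 or worst_asset == 4:
        return "P2"
    if score >= 0.30:
        return "P3"
    return "P4"


def route(category: Category, rating: ImpactRating) -> dict:
    """Fields a ticket would carry: priority, SLAs, owning team, playbook, notifications."""
    priority = priority_for(rating)
    ack, update = SLA_MINUTES[priority]
    team, playbook = ROUTING[category]
    return {
        "category": category.value,
        "priority": priority,
        "score": round(weighted_score(rating), 3),
        "ack_sla_minutes": ack,
        "update_sla_minutes": update,
        "assigned_team": team,
        "playbook": playbook,
        "notify": ESCALATION[priority],
    }


if __name__ == "__main__":
    # Constructed sample incidents: the page's two extremes.
    ransomware_on_prod = route(Category.MALWARE, ImpactRating(4, 3, 4, 3))
    quarantined_lure = route(Category.MALWARE, ImpactRating(1, 1, 1, 1))
    for ticket in (ransomware_on_prod, quarantined_lure):
        print(ticket)
```

Two design points worth keeping when adapting this: the score bands alone would under-rate an incident that is severe on one axis and quiet on the others, which is why the floor rules on data sensitivity and system criticality exist; and the routing and escalation tables are keyed on category and priority respectively, so evidence of "which playbook and which stakeholders" is reproducible from the ticket fields rather than from an analyst's memory.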
Evidence required
Incident category and severity records
Incident tickets showing category type and severity level assigned for each confirmed incident.
- Jira or ServiceNow incident fields: incident type, severity, priority
- SIEM alert classifications mapped to incident categories
- SOC runbook with severity rating examples
Severity classification matrix
A documented framework defining how incident type and business impact map to severity levels and response SLAs.
- Incident severity matrix in the IR plan or playbook
- Confluence page with P1-P4 definitions and examples
- ServiceNow SLA configuration tied to incident priority fields
Related controls
- Escalate or elevate incidents as needed (Incident Management)
- Execute the incident response plan in coordination with relevant third parties (Incident Management)
- Triage and validate incident reports (Incident Management)
- Apply the criteria for initiating incident recovery (Incident Management)