AuditRubric
rs-ma-4 high Respond / Incident Management

Escalate or elevate incidents as needed

Some incidents exceed the authority, expertise, or resources of the initial responders. Escalation ensures that higher-level management, legal counsel, law enforcement, or specialized technical teams are brought in at the right moment. Delayed escalation is one of the most common failure modes in incident response, and it often turns a containable breach into a much larger event. Clear escalation criteria remove the guesswork and empower responders to pull the right people in without hesitation.

Estimated effort: 2h
escalation, severity, leadership, legal
Complete first: rs-ma-3

Implementation steps

  1. Define escalation triggers and thresholds

    Document the specific conditions that require escalation: severity level, data types involved, affected system criticality, regulatory implications, or time elapsed without containment. Map each trigger to a named escalation path, the contact or role that owns it, and the notification SLA, so that a responder never has to decide in the moment whether a condition qualifies.

    confluence, notion, google-docs
  2. Execute escalation to leadership, legal, or specialized teams

    When escalation criteria are met, notify the designated escalation contact. This may include the CISO, executive leadership, in-house or outside legal counsel, law enforcement, or a specialized IR firm. Document the notification in the incident record: who was notified, when, and through which channel.

    pagerduty, slack, email, opsgenie
  3. Hand off context and maintain continuity

    Provide escalation recipients with a concise situation report covering incident type, current scope, actions taken so far, and open questions. Confirm the hand-off is acknowledged and that the original responders remain available to support.

    jira, servicenow, confluence, zoom
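The three steps above can be turned into something a responder can run against an open ticket rather than judge by hand. The following is an added example written for this page; it is not code from the rubric or from any IR tool. The tier names, trigger names, thresholds and SLAs are hypothetical placeholders for what the IR plan's escalation matrix would actually say, and the incident record is constructed. It shows the matrix as data, an evaluator that picks the highest tier any fired trigger demands, the time-based "uncontained for N minutes" trigger that catches the delayed-escalation failure mode, and an audit trail that records tier, trigger, notification time and acknowledgement deadline, while making sure a tier is paged only once per incident.

```python
"""Escalation-matrix evaluator with audit trail.

Constructed example for this rubric; not part of the original page or of any
IR tool's API. Tier names, trigger names, thresholds and SLAs are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Escalation tiers in ascending order of authority (hypothetical).
TIERS = ["on-call-lead", "ciso", "legal", "executive"]


@dataclass
class Incident:
    id: str
    severity: str                 # "low" | "medium" | "high" | "critical"
    data_types: set               # e.g. {"pii", "phi", "pci"}
    system_criticality: str       # "tier1" (most critical) .. "tier3"
    opened_at: datetime
    contained_at: Optional[datetime] = None
    actions_taken: list = field(default_factory=list)
    escalations: list = field(default_factory=list)   # audit trail written by escalate()


@dataclass
class Trigger:
    name: str
    condition: Callable[[Incident, datetime], bool]
    tier: str          # who to pull in when this trigger fires
    sla_minutes: int   # how quickly that tier must acknowledge


def uncontained_for(minutes: int):
    """Trigger condition: incident still uncontained this long after opening."""
    def cond(inc: Incident, now: datetime) -> bool:
        return inc.contained_at is None and now - inc.opened_at >= timedelta(minutes=minutes)
    return cond


# Hypothetical escalation matrix; a real one is lifted from the IR plan.
MATRIX = [
    Trigger("severity-high", lambda i, _: i.severity in ("high", "critical"), "ciso", 30),
    Trigger("tier1-system", lambda i, _: i.system_criticality == "tier1", "ciso", 30),
    Trigger("regulated-data", lambda i, _: bool(i.data_types & {"pii", "phi", "pci"}), "legal", 60),
    Trigger("uncontained-4h", uncontained_for(240), "executive", 15),
]


def evaluate(inc: Incident, now: datetime, matrix=MATRIX):
    """Return (triggers that fire, highest tier they require), or ([], None)."""
    fired = [t for t in matrix if t.condition(inc, now)]
    if not fired:
        return [], None
    top = max(fired, key=lambda t: TIERS.index(t.tier))
    return fired, top.tier


def sitrep(inc: Incident, now: datetime) -> dict:
    """Concise hand-off package for the escalation recipient (step 3)."""
    return {
        "incident": inc.id,
        "severity": inc.severity,
        "data_types": sorted(inc.data_types),
        "system_criticality": inc.system_criticality,
        "contained": inc.contained_at is not None,
        "minutes_open": int((now - inc.opened_at).total_seconds() // 60),
        "actions_taken": list(inc.actions_taken),
    }


def escalate(inc: Incident, now: datetime, notify: Callable[[str, dict], None], matrix=MATRIX) -> list:
    """Notify each tier with a fired trigger (once per tier) and log it on the incident (step 2)."""
    fired, _ = evaluate(inc, now, matrix)
    notified = {e["tier"] for e in inc.escalations}
    new = []
    for t in fired:
        if t.tier in notified:
            continue                      # already escalated to this tier; do not re-page
        notify(t.tier, sitrep(inc, now))
        rec = {
            "tier": t.tier,
            "trigger": t.name,
            "notified_at": now.isoformat(),
            "ack_due_by": (now + timedelta(minutes=t.sla_minutes)).isoformat(),
        }
        inc.escalations.append(rec)
        notified.add(t.tier)
        new.append(rec)
    return new


def demo() -> dict:
    """Run a constructed incident through the matrix 10 minutes in, then 5 hours in."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    inc = Incident("INC-0001", "medium", {"pii"}, "tier2", t0, actions_taken=["isolated host"])
    sent = []
    notify = lambda tier, s: sent.append((tier, s))
    early = escalate(inc, t0 + timedelta(minutes=10), notify)   # regulated data -> legal
    _, top_early = evaluate(inc, t0 + timedelta(minutes=10))
    late = escalate(inc, t0 + timedelta(hours=5), notify)       # still uncontained -> executive
    _, top_late = evaluate(inc, t0 + timedelta(hours=5))
    again = escalate(inc, t0 + timedelta(hours=5), notify)      # nothing new: no re-page
    return {"early": early, "late": late, "again": again, "top_early": top_early,
            "top_late": top_late, "sent": sent, "trail": inc.escalations}


if __name__ == "__main__":
    for rec in demo()["trail"]:
        print(rec)
```

Running it pages legal at 09:10 for the regulated-data trigger, then pages the executive tier at 14:00 because the incident is still uncontained after four hours, and leaves the `escalations` list as the evidence an auditor asks for under "Escalation records in incident tickets". Feeding `sitrep()` to whatever does the actual paging keeps the hand-off content consistent regardless of channel.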

Evidence required

Escalation records in incident tickets

Documentation showing when escalation occurred, who was notified, and what information was shared.

  • Jira or ServiceNow ticket comments recording escalation actions and timestamps
  • PagerDuty escalation policy logs showing higher-tier notifications
  • Email or Slack thread with CISO or legal counsel notification

Documented escalation criteria and contact matrix

A written policy or playbook section that defines when and how to escalate, including contact names and roles.

  • IR plan escalation matrix listing triggers, contacts, and SLAs
  • RACI chart covering escalation responsibilities by incident type
  • PagerDuty escalation policy configuration

Related controls