Assessment and decision on information security events
Evaluate security events to determine which are serious enough to be called incidents.
Plain language
This control is about figuring out if a security problem is just a minor hiccup or a real incident that needs immediate attention. If it's not done, small issues might be ignored until they grow into big, costly problems like data breaches.
Framework
ISO/IEC 27001:2022
Control effect
Detective
ISO 27001 domain
Organisational controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
19 Mar 2026
Maturity levels
N/A
Official control statement
The organization shall assess information security events and decide if they are to be categorized as information security incidents.
Why it matters
If security events are not assessed and categorised promptly, true incidents may be missed, delaying containment and increasing business impact.
Operational notes
Define event triage criteria and decision thresholds for incident categorisation; train responders and review samples to ensure consistent classification.
Implementation tips
- The IT Manager should lead the assessment of security events by using an agreed-upon checklist or guide. They can develop this checklist based on the organisation's policies and applicable standards such as ISO 27002:2022.
- Designate a response team to decide which security events are incidents. Team members should meet regularly to review and discuss events, look for patterns, and apply criteria often outlined by Australian regulations like the Privacy Act 1988.
- Provide training for staff to recognise potential security events. The training, run by HR or the IT team, should include examples of incidents and ensure staff know who to report issues to and how.
- Ensure all IT systems log events automatically. The IT team should configure systems to generate logs that capture relevant details to help assess whether an event could be an incident, as guided by ISO 27002:2022.
- Maintain a record of past incidents and how they were resolved. This should be done by the security team to refine the assessment process over time and meet any audit requirements, such as those from regulatory bodies like APRA under standard CPS 234.
Audit / evidence tips
- Ask for the organisation's incident response policy.
- Ask to see recent incident logs and reports. A good report will clearly distinguish between minor events and full incidents.
- Ask how staff are informed of the reporting process. A good training program will have evidence of employee participation and understanding of event reporting procedures.
- Ask for evidence of periodic reviews of the event assessment process.
- Ask for examples of past recorded incidents.
Cross-framework mappings
How Annex A 5.25 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
| Relationship | Count |
|---|---|
| Partially overlaps | 4 |
| Supports | 4 |
| Depends on | 2 |
ASD ISM
| Relationship | Control | Notes |
|---|---|---|
| Supports | ISM-0043 | Annex A 5.25 requires the organisation to assess information security events and decide whether they are incidents |
| Supports | ISM-1784 | ISM-1784 requires the organisation to exercise its incident management policy and incident response plan annually |
| Related | ISM-1228 | ISM-1228 requires cyber security events to be analysed in a timely manner to identify cyber security incidents |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.