ISO 27001 A.5.25: Assessment and decision on information security events
What This Control Requires
The organization shall assess information security events and decide if they are to be categorized as information security incidents.
In Plain Language
Your SIEM fires thousands of alerts. A user reports a suspicious email. A server behaves oddly. Not everything is an incident, but you need a consistent way to figure out which ones are - and you need to figure it out quickly. This control is about the triage process. When a security event is detected, it needs to be evaluated against clear criteria: what happened, what is the scope, what systems and data are affected, what is the potential business impact? Based on that assessment, you decide whether to escalate it as an incident or close it out. Getting this right matters because classifying something as an incident triggers your response procedures, escalation paths, and potentially regulatory notification obligations. The criteria need to be clear and understood by everyone doing triage, so you get consistent decisions regardless of who is on shift.
How to Implement
Create clear assessment and classification criteria. Build a decision tree or flowchart that guides analysts through triage. Consider: type of event (unauthorised access, malware, data exposure), scope and scale, affected systems and data, potential business impact, and evidence of malicious intent.

Centralise event collection and assessment. Use a SIEM to aggregate events from across your environment. Designate a SOC team or specific analysts responsible for initial triage. Define how quickly events at different severity levels need to be assessed.

Build a classification matrix that maps event characteristics to incident severity levels. For each severity, define who gets notified, what response actions are required, and what timeframes apply. Make sure this aligns with your incident response plan and regulatory obligations.

Train everyone involved in triage on the criteria and decision-making process. Run regular calibration exercises where the team reviews sample events and discusses how they would classify them. This builds consistency.

Document all classification decisions and the reasoning behind them - auditors will want to see this.

Close the feedback loop. If events are consistently misclassified or missed, update your detection rules, assessment criteria, and training. Use post-incident reviews to check whether initial triage was accurate and timely.
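As an added illustration (not code from this page or from AuditFront), the classification matrix and decision tree described above expressed as a small Python triage function that records the rationale for each decision. The event types, severity scale, incident threshold, notification lists and assessment deadlines are assumed placeholders, and the sample events are constructed.

```python
from dataclasses import dataclass, field

# Hypothetical classification matrix: event type -> base severity (1 low .. 4 critical)
BASE_SEVERITY = {"unauthorised_access": 3, "malware": 3, "data_exposure": 2,
                 "policy_violation": 1, "scan": 1}
# Assumed assessment deadlines (minutes) and who is notified at each severity
SLA_MINUTES = {1: 480, 2: 240, 3: 60, 4: 15}
NOTIFY = {1: ["soc"], 2: ["soc", "it-ops"], 3: ["soc", "ir-lead"],
          4: ["soc", "ir-lead", "ciso", "legal"]}
INCIDENT_THRESHOLD = 2  # assumed: severity at or above this becomes an incident

@dataclass
class Event:
    event_id: str
    event_type: str
    hosts_affected: int
    data_classification: str   # "public", "internal" or "confidential"
    malicious_intent: bool

@dataclass
class Decision:
    event_id: str
    severity: int
    is_incident: bool
    notify: list
    assess_within_min: int
    rationale: list = field(default_factory=list)

def triage(ev: Event) -> Decision:
    """Walk the decision tree and record every step so the decision is auditable."""
    sev = BASE_SEVERITY.get(ev.event_type, 1)
    why = [f"base severity {sev} for type {ev.event_type}"]
    adjustments = [  # each characteristic from the matrix raises severity by one
        (ev.hosts_affected >= 10, "scope: 10+ hosts affected (+1)"),
        (ev.data_classification == "confidential", "confidential data involved (+1)"),
        (ev.malicious_intent, "evidence of malicious intent (+1)"),
    ]
    for applies, label in adjustments:
        if applies:
            sev += 1
            why.append(label)
    sev = min(sev, 4)
    is_inc = sev >= INCIDENT_THRESHOLD
    why.append("classified as INCIDENT" if is_inc else "closed as event only")
    return Decision(ev.event_id, sev, is_inc, NOTIFY[sev], SLA_MINUTES[sev], why)

SAMPLE_EVENTS = [  # constructed sample events for a calibration exercise
    Event("E-1", "scan", 1, "public", False),
    Event("E-2", "data_exposure", 1, "confidential", False),
    Event("E-3", "malware", 25, "internal", True),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        d = triage(ev)
        print(d.event_id, d.severity, d.is_incident, "; ".join(d.rationale))
```

Keeping the rationale list alongside the decision is what gives an auditor the documented reasoning the control asks for, and the same sample events can be reused for team calibration sessions.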
Evidence Your Auditor Will Request
- Documented event assessment and classification criteria
- Event triage workflow or decision tree documentation
- Records of event assessments and classification decisions
- SIEM or event management system showing event processing workflow
- Training records for personnel involved in event assessment
Common Mistakes
- No defined criteria for distinguishing between events and incidents
- Events are assessed inconsistently by different team members
- Alert fatigue leads to events not being assessed in a timely manner
- Low-severity events that should escalate to incidents are missed or ignored
- Classification decisions and rationale are not documented for audit purposes
Frequently Asked Questions
How do we manage alert fatigue in event assessment?
Who should make the decision to classify an event as an incident?