ISO 27001 Annex A 5.25

Quick assessment turns a flood of alerts into a manageable response.

ISO 27001 Annex A 5.25 - Assessment and Decision on Information Security Events

Not every event is an incident. A failed login attempt is an event. A laptop left on a train is an event. A flagged phishing email is an event. Some of these escalate to incidents and some do not. The control is about the triage step - assessing the event, deciding what category it falls into, and routing it to the right response.

The decision needs criteria. Without defined criteria, the call between event and incident becomes subjective and inconsistent. Typical criteria include actual or potential impact on confidentiality, integrity or availability, the type of information involved, the systems affected, the regulatory implications and whether the event indicates a wider attack pattern.

The triage role needs authority and competence. The person making the call has to be able to read the technical and contextual signals, ask the right follow-up questions and make a defensible decision under time pressure. Most organisations vest this in the Information Security Lead with backup arrangements for cover.

I will sample the event log during an audit and ask how each event was assessed and what the decision was. If the same kind of event has been triaged differently on different days, that is a sign the criteria are not clear or are not being applied consistently. If the criteria are documented and the triage decisions match them, the control is in place.
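The criteria above only produce consistent decisions if they are written down precisely enough to be applied mechanically. The following is an added example, not part of the alphaZ page or toolkit: it codifies a set of triage criteria of the kind listed above as a deterministic function, runs it over a constructed sample of past triage records, and performs the two checks an auditor would make - does each recorded decision match the documented criteria, and were events with identical criteria inputs ever decided differently. The field names, the pattern threshold and the sample events are all assumptions for illustration.

```python
"""Added example, not from the alphaZ page or toolkit: a triage function that
applies documented A.5.25-style criteria, plus the consistency check an auditor
would run over a sample of past decisions. Field names, thresholds and the
sample events below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

INCIDENT = "incident"
EVENT = "event"
PATTERN_THRESHOLD = 5          # assumption: 5+ related events in the window count as a pattern


@dataclass
class SecurityEvent:
    event_id: str
    kind: str                  # failed_login, lost_device, phishing_report, ...
    data_class: str            # public / internal / confidential / personal
    cia_impact: bool           # actual or likely loss of confidentiality, integrity or availability
    malicious: bool            # evidence of malicious activity
    regulatory: bool           # regulatory implication, e.g. reportable personal data breach
    related_count: int = 0     # similar events seen in the current window
    recorded_decision: Optional[str] = None  # what the triager actually recorded


def criteria_signature(ev: SecurityEvent) -> Tuple:
    """The inputs the criteria depend on. Two events with the same signature
    must get the same decision; 'kind' alone is too coarse (an encrypted lost
    laptop and an unencrypted one are the same kind but different cases)."""
    return (ev.kind, ev.data_class, ev.cia_impact, ev.malicious,
            ev.regulatory, ev.related_count >= PATTERN_THRESHOLD)


def triage(ev: SecurityEvent) -> Tuple[str, List[str]]:
    """Apply the documented criteria; meeting any one escalates to incident.
    Returns the decision and the reasons, which belong on the incident record."""
    reasons = []
    if ev.cia_impact and ev.data_class in ("confidential", "personal"):
        reasons.append("CIA impact on %s information" % ev.data_class)
    if ev.regulatory:
        reasons.append("regulatory implication")
    if ev.malicious:
        reasons.append("evidence of malicious activity")
    if ev.related_count >= PATTERN_THRESHOLD:
        reasons.append("part of a wider pattern (%d related)" % ev.related_count)
    return (INCIDENT if reasons else EVENT), reasons


def audit(events: List[SecurityEvent]) -> dict:
    """Auditor's check: (1) does each recorded decision match the criteria,
    (2) were events with identical criteria inputs ever decided differently."""
    mismatches = []
    decisions_by_sig = defaultdict(set)
    for ev in events:
        expected, reasons = triage(ev)
        if ev.recorded_decision is not None:
            decisions_by_sig[criteria_signature(ev)].add(ev.recorded_decision)
            if ev.recorded_decision != expected:
                mismatches.append({"event_id": ev.event_id,
                                   "recorded": ev.recorded_decision,
                                   "expected": expected, "reasons": reasons})
    inconsistent = [sig[0] for sig, d in decisions_by_sig.items() if len(d) > 1]
    return {"mismatches": mismatches, "inconsistent_kinds": sorted(set(inconsistent))}


# Constructed sample of triaged events (not real data).
SAMPLE_LOG = [
    SecurityEvent("E1", "failed_login", "internal", False, False, False, 1, EVENT),
    SecurityEvent("E2", "failed_login", "internal", False, False, False, 60, INCIDENT),   # spray pattern
    SecurityEvent("E3", "lost_device", "personal", True, False, True, 0, INCIDENT),       # unencrypted
    SecurityEvent("E4", "lost_device", "personal", False, False, False, 0, EVENT),        # encrypted, wiped
    SecurityEvent("E5", "phishing_report", "internal", False, True, False, 2, EVENT),     # wrongly closed
    SecurityEvent("E6", "phishing_report", "internal", False, True, False, 2, INCIDENT),
]

if __name__ == "__main__":
    for ev in SAMPLE_LOG:
        print(ev.event_id, *triage(ev))
    print(audit(SAMPLE_LOG))
```

Run against the sample, the audit flags E5 (closed at event level despite a malicious indicator) and reports phishing_report as a kind that was decided both ways on identical inputs. The two lost-device records are not flagged: they are the same kind but differ on the criteria inputs, which is exactly the distinction a written procedure has to make explicit so that "same kind of event, different decision" can be told apart from "same case, different decision".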

Practical Compliance Guidance

Event assessment and triage forms part of the incident management process described in the IMS1 manual at section 8.2. The incident form is used to record events that progress to incidents and the rationale for the triage decision.

alphaZ document - How to use it
ISO 27001 Toolkit - The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists.
F-Q109 Information Security Incident - The incident form. Use this to capture the event, the triage decision, the criteria applied and the outcome - whether it progressed to a formal incident or was closed at event level.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

What criteria should be used to decide whether an event is an incident?
Typical criteria include actual or likely compromise of information, impact on system availability, regulatory implications such as a personal data breach, evidence of malicious activity, or a pattern that suggests a broader attack. The criteria should be documented in the incident management procedure so triage is consistent.

Should events that do not progress to incidents still be recorded?
Yes, at least at summary level. Patterns of low-level events can indicate emerging risks that would otherwise go unnoticed. The level of detail can be lighter than for a full incident, but a record that the event happened and was triaged is useful both for trend analysis and for audit evidence.

Can a triage decision be changed later?
The triage decision can be revisited at any time as new information comes to light. The original decision should not be hidden or rewritten - the record should show the initial assessment, the new information that changed the picture, and the revised classification. This is part of the learning loop under A.5.27.
