ISO 27001 Control 5.25: Assessment and Decision on Information Security Events
Not every security event is an incident—but knowing the difference is critical. Control 5.25 requires your organization to systematically assess events and decide which ones warrant formal incident response. Getting this right protects your assets while avoiding alert fatigue.
What this means
This control mandates that your organization establish a clear process to evaluate information security events and determine whether they meet the threshold for classification as formal information security incidents. An event becomes an incident when it represents a confirmed breach of security, violation of policy, or threat to confidentiality, integrity, or availability. Your assessment must be documented and trigger appropriate response procedures when incidents are identified.
How to comply
- 1.Define what constitutes an 'information security event' in your organization with clear examples (failed login attempts, suspicious network traffic, policy violations)
- 2.Establish assessment criteria that determine whether an event meets the threshold for incident classification
- 3.Document your decision-making process for categorizing events, including who is authorized to make these determinations
- 4.Create a logging mechanism that records all assessed events and the rationale for inclusion or exclusion as incidents
- 5.Train relevant personnel (SOC, IT security, management) on the assessment criteria and decision framework
- 6.Regularly review assessment decisions to ensure consistency and refine criteria based on emerging threats
Evidence auditors look for
- Event assessment policy document with clear incident classification criteria
- Event logs showing assessed security events with decision rationale and timestamp
- Incident classification matrix defining event types and their incident threshold
- Meeting minutes from incident classification reviews or triage sessions
- Training records demonstrating staff understanding of assessment procedures
- Trend reports showing volume of assessed events vs. classified incidents
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates event-to-incident classification by learning your assessment criteria and flagging events that meet your incident thresholds in real-time, eliminating manual triage delays.
See how GRCWatch handles this control automatically
Start free trial