NIST DE.AE-4: Event Impact Determination
Security events happen—but do you know their real impact? DE.AE-4 requires your organization to systematically determine how incidents affect systems, data, and operations. This control bridges detection and response by ensuring every event gets a proper severity assessment before your team acts.
What this means
Event Impact Determination means establishing and executing a process to evaluate the severity and scope of security incidents as they're detected. Rather than treating all alerts equally, this control requires you to classify events by their actual or potential harm to confidentiality, integrity, availability, and business operations. You need documented criteria for impact levels, clear escalation thresholds, and a methodology to assess both immediate and downstream consequences.
How to comply
- 1.Define impact severity levels (critical, high, medium, low) based on affected assets, data sensitivity, and business function criticality
- 2.Establish impact assessment criteria covering system availability, data confidentiality, data integrity, and regulatory/compliance implications
- 3.Create a standardized event classification process that maps detected events to impact levels within defined timeframes
- 4.Document the scope of each event—which systems, users, data repositories, or processes are affected
- 5.Assess business impact beyond IT metrics, including revenue loss, customer impact, and compliance violations
- 6.Define escalation procedures linked to impact levels to trigger appropriate response teams and executive notification
- 7.Maintain an incident log recording event details, impact assessment, and outcomes for trending and improvement
- 8.Review and update impact assessment criteria quarterly based on threat landscape changes and lessons learned
Evidence auditors look for
- Impact determination matrix showing severity levels tied to specific asset/data types and business functions
- Event classification procedure document with decision trees for impact level assignment
- Incident response playbooks keyed to impact levels with different escalation and response timelines
- Security incident logs showing detected events with assigned impact levels and supporting rationale
- Post-incident reports documenting actual vs. assessed impact and lessons for future assessments
- Alert tuning documentation showing how detection thresholds align with impact determination criteria
- Audit records confirming timely impact assessment for sampled security events
- Training records for SOC/security team on impact assessment methodology and severity criteria
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates event impact scoring by mapping detected incidents against your asset inventory and data classifications, eliminating manual severity debates and ensuring consistent triage every time.
See how GRCWatch handles this control automatically
Start free trial