GRCWatch
Sign inStart free trial

CC7.3: Security Event Evaluation

Security event evaluation is your first line of defense against incidents that could compromise your security objectives. CC7.3 requires you to systematically assess security events, determine whether they constitute actual incidents, and take corrective action. Without this control, you risk failing to detect breaches until they cause serious damage.

What this means

CC7.3 requires your organization to establish a process for evaluating security events to determine if they represent actual security incidents—events that have resulted in or could result in a failure to meet your security objectives. Once identified as incidents, you must take appropriate preventive or corrective actions. This control bridges event detection and incident response, ensuring that suspicious activity doesn't fall through the cracks.

How to comply

  1. 1.Define what constitutes a security event in your environment (e.g., failed login attempts, unusual data access, malware alerts)
  2. 2.Establish criteria to differentiate between routine events and actual security incidents
  3. 3.Document your security event evaluation process and assign responsibility for review
  4. 4.Implement tools or log reviews to capture and categorize events systematically
  5. 5.Create an incident classification system that determines severity and required response
  6. 6.Document each evaluation decision and the reasoning behind incident classifications
  7. 7.Take documented corrective or preventive actions for identified incidents
  8. 8.Review and update your evaluation criteria quarterly based on emerging threats

Evidence auditors look for

  • Security event evaluation policy or procedure document
  • Event classification matrix showing normal vs. incident-level events
  • Log management system or SIEM tool configuration
  • Incident tickets with evaluation notes and classification decisions
  • Monthly security event review reports
  • Corrective action records tied to identified incidents
  • Evidence of staff training on event evaluation procedures

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates security event capture and classification by integrating with your logs and tools, then flags incidents for human review and automatically logs corrective actions—eliminating manual evaluation bottlenecks.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CC6.1 — Logical Access ControlsCC7.2 — System Activity MonitoringCC7.4 — Incident RemediationCC9.2 — Incident Response Planning