
Control 5.25 : Assessment and Decision on Information Security Events


Summary

The organization should assess information security events and decide whether they should be categorized as information security incidents. This triage process prevents the response team from being overwhelmed by false positives while ensuring critical threats are escalated.


Applicability

In-Scope: Critical for the efficiency of the security team. It ensures that every event is analyzed against a standard set of criteria to determine its severity and required response.

Out-of-Scope: Never out-of-scope.


Implementation Guidance

Microsoft 365 / Entra ID

  • Incident Triage: Use Microsoft Sentinel incident classification to categorize alerts (e.g., True Positive, Benign Positive, False Positive) based on automated analysis.

  • Playbooks: Implement Automation Rules to automatically close low-risk alerts, so that analysts can focus on events that require a manual decision.

  • Scoring: Use Microsoft Defender's incident scoring to prioritize events based on the sensitivity of the impacted assets or users.

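A minimal triage rubric of the kind this guidance describes, written as an added example (not the page's or Microsoft's own code): each event is scored from its confidentiality/integrity/availability impact and the sensitivity of the affected asset, Sentinel-style classifications close benign and false positives, low-risk true positives are auto-closed, anything Medium or above is escalated as an incident, and every decision is recorded with its rationale and whether the policy triage timeframe was met. The four-hour SLA, the scoring thresholds and the sample events are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Classification labels as used on Microsoft Sentinel incidents.
TRUE_POSITIVE, BENIGN_POSITIVE, FALSE_POSITIVE = "TruePositive", "BenignPositive", "FalsePositive"
TRIAGE_SLA = timedelta(hours=4)  # assumed policy timeframe, not taken from the page

@dataclass
class Event:
    event_id: str
    detected_at: datetime
    triaged_at: datetime
    cia_impact: tuple          # (confidentiality, integrity, availability), each 0 (none) .. 3 (high)
    asset_sensitivity: int     # 1 (low) .. 3 (high); privileged users or critical systems score 3
    classification: str        # analyst's Sentinel classification of the alert

@dataclass
class Decision:
    event_id: str
    is_incident: bool
    severity: str
    within_sla: bool
    rationale: str             # the recorded reasoning an auditor will ask to see

def severity(ev: Event) -> str:
    score = max(ev.cia_impact) * ev.asset_sensitivity   # 0..9 (assumed rubric)
    return "High" if score >= 6 else "Medium" if score >= 3 else "Low" if score else "Informational"

def triage(ev: Event) -> Decision:
    within_sla = ev.triaged_at - ev.detected_at <= TRIAGE_SLA
    if ev.classification in (FALSE_POSITIVE, BENIGN_POSITIVE):
        return Decision(ev.event_id, False, "Informational", within_sla,
                        f"closed as {ev.classification}; not an incident")
    sev = severity(ev)
    is_incident = sev in ("Medium", "High")
    note = "escalated as incident" if is_incident else "auto-closed as low-risk event"
    return Decision(ev.event_id, is_incident, sev, within_sla,
                    f"{sev} (impact {max(ev.cia_impact)} x sensitivity {ev.asset_sensitivity}); {note}")

# Constructed sample events (not real telemetry).
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    Event("E1", T0, T0 + timedelta(minutes=30), (1, 0, 0), 1, BENIGN_POSITIVE),  # blocked login, user typo
    Event("E2", T0, T0 + timedelta(hours=1), (3, 2, 1), 3, TRUE_POSITIVE),        # credential theft, finance admin
    Event("E3", T0, T0 + timedelta(hours=6), (1, 1, 0), 1, TRUE_POSITIVE),        # scan of a test VM, triaged late
]

def triage_all(events=SAMPLE_EVENTS):
    return [triage(e) for e in events]

if __name__ == "__main__":
    for d in triage_all():
        print(d)
```

The `Decision` records are the kind of evidence the checklist below calls for: the classification criteria applied, the escalation or closure decision, and whether triage happened inside the policy timeframe.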

Evidence Checklist

  • Classification Criteria: A documented guide or rubric used to distinguish between an event and an incident.

  • Incident Logs: Records of analyzed events showing the decision-making process for escalation or closure.

  • Triage Records: Evidence showing that events are assessed within the timeframes defined in the organization's policy.


Practical Audit Advice

Here are some questions the auditor might ask:

  • What criteria do you use to decide when a security event (like a blocked login attempt) becomes a formal security incident?

  • How is the impact of an event on confidentiality, integrity, or availability assessed during the initial triage?

  • Can you provide an example of an event that was analyzed and determined not to be an incident?

  • Who is responsible for the final decision to escalate an event to the executive or legal level?