Are the criteria for declaring a major incident written down (so the call is consistent across responders and shifts)?
Description
What this control does
This control requires that the organization document explicit, measurable criteria for escalating an incident to 'major' status. Written thresholds, such as affected user count, data volume, system criticality, geographic scope, or potential regulatory impact, ensure that incident responders apply the same logic when deciding whether to invoke major incident response procedures, regardless of shift or seniority. Without documented criteria, declaration becomes subjective: serious events are under-escalated or routine issues are over-escalated, and both outcomes waste resources and delay the appropriate response.
Control objective
What auditing this proves
Demonstrate that the organization maintains documented, unambiguous criteria for major incident classification that are accessible to all incident response personnel and applied consistently across shifts and response teams.
Associated risks
Risks this control addresses
- Delayed escalation of critical incidents due to subjective or inconsistent interpretation of severity by on-call responders
- Under-allocation of resources and executive attention during events that meet major incident thresholds but are not recognized as such
- Over-escalation of minor incidents, causing alert fatigue, executive desensitization, and inefficient use of specialized response resources
- Inconsistent invocation of communication protocols, legal holds, and regulatory notification obligations tied to major incident triggers
- Lack of accountability and post-incident learning when escalation decisions vary by responder personality or experience rather than objective criteria
- Failure to meet contractual SLA commitments or regulatory timelines for breach notification due to unclear triggering conditions
- Erosion of trust in the incident response program when stakeholders perceive arbitrary or unfair escalation decisions
Testing procedure
How an auditor verifies this control
- Request the current version of the incident response plan, standard operating procedures, or runbook that defines incident severity classifications.
- Identify and extract the section that enumerates the criteria for declaring a major incident, including quantitative thresholds, qualitative indicators, and any decision trees or flowcharts.
- Verify that criteria are explicit and measurable, such as number of affected users, revenue impact, data record count, system tier, geographic reach, or regulatory trigger conditions.
- Interview at least three incident responders from different shifts or teams to confirm they can locate the documented criteria and understand how to apply them.
- Review a sample of 5-10 incident tickets from the past 12 months, including both major and non-major classifications, and map each escalation decision to the documented criteria.
- Check for evidence that the criteria are version-controlled, reviewed periodically, and communicated during onboarding or tabletop exercises.
- Request evidence of any escalation disputes or ambiguous calls in the past year and assess whether they resulted in updates to the written criteria.
- Confirm that the criteria document is accessible in the incident management system, wiki, or knowledge base used by on-call personnel during active response.
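The following is an added example, not part of the original control text: the "explicit, measurable criteria" from the description encoded as a machine-readable rule set, a classifier that every responder and shift would evaluate identically, and an audit helper that performs the ticket-mapping step of the testing procedure. All threshold values, ticket IDs and incident fields are constructed placeholders, not any organization's real criteria.

```python
from dataclasses import dataclass, field

# Documented triggers (constructed placeholder values, not any real organization's thresholds).
# Meeting any one criterion declares a major incident; the returned hit list is the audit trail.
MAJOR_CRITERIA = {
    "affected_users_at_least": 10_000,
    "data_records_at_least": 1_000,
    "critical_system_tiers": {"tier0", "tier1"},
    "regulatory_triggers": {"pii_exposure", "payment_data"},
}

@dataclass
class Incident:
    ticket: str
    affected_users: int = 0
    data_records: int = 0
    system_tier: str = "tier3"
    regulatory_flags: set = field(default_factory=set)

def major_criteria_met(inc: Incident) -> list[str]:
    """Return the documented criteria this incident satisfies; an empty list means not major."""
    c, hits = MAJOR_CRITERIA, []
    if inc.affected_users >= c["affected_users_at_least"]:
        hits.append(f"affected_users>={c['affected_users_at_least']}")
    if inc.data_records >= c["data_records_at_least"]:
        hits.append(f"data_records>={c['data_records_at_least']}")
    if inc.system_tier in c["critical_system_tiers"]:
        hits.append(f"system_tier={inc.system_tier}")
    if inc.regulatory_flags & c["regulatory_triggers"]:
        hits.append("regulatory:" + ",".join(sorted(inc.regulatory_flags & c["regulatory_triggers"])))
    return hits

def audit_escalations(tickets: list[Incident], declared_major: set[str]) -> list[tuple]:
    """Testing-procedure step: map each past escalation decision to the criteria, flag mismatches."""
    findings = []
    for inc in tickets:
        hits = major_criteria_met(inc)
        should_be_major, was_major = bool(hits), inc.ticket in declared_major
        if should_be_major != was_major:
            findings.append((inc.ticket, "under-escalated" if should_be_major else "over-escalated", hits))
    return findings

# Constructed sample of past tickets and what the on-call responders actually declared.
SAMPLE_TICKETS = [
    Incident("INC-1", affected_users=25_000),                              # major by user count
    Incident("INC-2", data_records=40, regulatory_flags={"pii_exposure"}),  # major by regulatory trigger
    Incident("INC-3", affected_users=300, system_tier="tier2"),             # routine
    Incident("INC-4", system_tier="tier1"),                                 # major by system tier
]
DECLARED_MAJOR = {"INC-1", "INC-3"}  # INC-2 and INC-4 were missed; INC-3 was over-called
```

Each finding names the ticket, the direction of the inconsistency, and the written criteria involved, which is the evidence an auditor needs to assess whether the criteria or their application should change.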