IR-4 / A.16.1.5 / CIS-17.2 NIST SP 800-61 Rev 2

Triage SLA per severity


Description

What this control does

This control establishes and enforces service level agreements (SLAs) that define maximum response and remediation timeframes for security incidents based on their severity classification (e.g., Critical, High, Medium, Low). Automated ticketing systems route incidents to appropriate teams and trigger escalations when SLA thresholds are approaching or breached. This control ensures high-risk incidents receive immediate attention while lower-severity events are addressed within appropriate timeframes, preventing resource exhaustion and uncontrolled exposure windows.

Control objective

What auditing this proves

Demonstrate that the organization maintains documented triage SLAs mapped to incident severity levels and consistently meets or escalates incidents within the defined timeframes.

Associated risks

Risks this control addresses

  • Critical incidents remain unaddressed for extended periods, allowing attackers to achieve persistence, exfiltrate data, or expand lateral movement
  • High-severity incidents are not contained or remediated within the window in which the underlying weakness is exploitable, leaving publicly known exploits usable against the environment
  • Security analysts waste time on low-priority alerts while critical threats go unnoticed due to lack of prioritization
  • Incident response team misses regulatory breach notification deadlines due to slow triage, resulting in fines and legal liability
  • Resource-intensive attacks (ransomware, DDoS) continue unchecked because no one is responsible for immediate response within defined timeframes
  • Security metrics become unreliable when incidents languish in queues, masking true response capability and hindering continuous improvement
  • Stakeholder trust erodes when business-critical systems remain compromised longer than promised in security commitments or contracts

Testing procedure

How an auditor verifies this control

  1. Obtain the documented triage SLA policy that defines severity classifications (Critical, High, Medium, Low) and corresponding maximum response and remediation timeframes.
  2. Review the incident classification matrix or playbook to verify criteria used to assign severity levels align with organizational risk appetite and asset criticality.
  3. Interview incident response personnel to confirm they understand SLA requirements and escalation procedures for approaching or breached timeframes.
  4. Export incident ticket data from the security information and event management (SIEM) or ticketing system covering the most recent 90-day period, including incident ID, severity, creation timestamp, first response timestamp, and closure timestamp.
  5. For a stratified random sample of at least 30 incidents across all severity levels, calculate the delta between incident creation and first response (against the response SLA) and between incident creation and closure (against the remediation SLA), and compare actual performance with the documented timeframes for each severity.
  6. Identify any SLA breaches in the sample and review associated escalation records, management notifications, or exception approvals to verify the organization followed documented procedures.
  7. Test automated alerting by reviewing the configuration of SLA threshold notifications in the ticketing system to confirm that warnings fire at 50%, 75%, and 90% of the elapsed SLA window, so that escalation happens before, not after, the deadline passes.
  8. Review management dashboards or reports showing SLA compliance rates by severity level to verify leadership receives visibility into triage performance and trends.
Evidence required

Collect the documented triage SLA policy with severity definitions and timeframes, the incident classification playbook or matrix, and ticket system configuration screenshots showing SLA timers and escalation rules. Obtain the exported incident data with timestamps for the sample period, the calculated SLA performance metrics by severity, and the escalation records or management notifications for every breached SLA. Capture management dashboards or monthly reports demonstrating ongoing SLA monitoring and compliance tracking.

Pass criteria

The organization maintains documented triage SLAs with explicit response and remediation timeframes per severity level, achieves at least 95% compliance within each severity category during the sample period, and demonstrates automated escalation and management notification for every breached SLA (which may account for at most the remaining 5%).

Where this control is tested

Audit programs including this control