Incident Readiness · IR-Q02

Question: Are incident-classification and severity levels defined with corresponding response timelines?

Why This Matters

Classification ensures proportional response and clear escalation. It prevents minor alerts from triggering crisis protocols and ensures major incidents get immediate attention.

Maturity

0 — Unaware
No formal classification; all incidents treated the same.
1 — Ad Hoc
Severity decided by whoever finds the issue.
2 — Defined
Categories (L1–L3) documented with basic criteria.
3 — Managed
Response SLAs defined and tracked.
4 — Integrated
Severity matrix aligned to business impact and regulations.
5 — Optimized
Automated classification via detection systems with risk context.

How to Level Up

From → To   Actions
0 → 1       List past incidents and assign severity manually.
1 → 2       Define L1–L3 criteria and publish the matrix.
2 → 3       Set SLAs for acknowledge, contain and recover.
3 → 4       Align the matrix with business-impact values and DPDP notification rules.
4 → 5       Automate classification in SIEM/SOAR.
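The 2 → 3 and 4 → 5 steps above (SLAs per severity level, then automated classification) can be made concrete in a small script. The one below is an added illustration, not part of this assessment page or of any SIEM/SOAR product: the L1–L3 criteria, the SLA hours, the regulator-notification trigger and the three sample incidents are all constructed assumptions that an organisation would replace with its own matrix and the applicable rule text.

```python
"""Severity classification and SLA tracking for an L1-L3 incident matrix.

Illustrative only: the L1-L3 criteria, SLA hours and sample incidents below
are constructed assumptions, not values from any standard or from this page.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed response timelines per level, in hours: (acknowledge, contain, recover).
# L3 is the most severe level and therefore has the tightest SLAs.
SLA_HOURS = {
    "L1": (24, 72, 168),
    "L2": (4, 24, 72),
    "L3": (1, 4, 24),
}


@dataclass
class Incident:
    id: str
    detected_at: datetime
    asset_criticality: str          # "low" | "medium" | "high"
    personal_data_affected: bool    # drives the regulator-notification flag
    hosts_affected: int
    active_attacker: bool           # hands-on-keyboard activity still observed
    acknowledged_at: Optional[datetime] = None
    contained_at: Optional[datetime] = None
    recovered_at: Optional[datetime] = None


def classify(inc: Incident) -> str:
    """Assign L1-L3 from business-impact criteria (constructed rules).
    Rules are checked most-severe first so the highest matching level wins."""
    if inc.active_attacker and inc.asset_criticality == "high":
        return "L3"
    if inc.personal_data_affected:
        return "L3"  # personal-data exposure escalates regardless of host count
    if inc.asset_criticality == "high" or inc.hosts_affected >= 10:
        return "L2"
    return "L1"


def deadlines(inc: Incident) -> Dict[str, datetime]:
    """Turn the level's SLA hours into absolute deadlines from detection time."""
    ack, contain, recover = SLA_HOURS[classify(inc)]
    return {
        "acknowledge": inc.detected_at + timedelta(hours=ack),
        "contain": inc.detected_at + timedelta(hours=contain),
        "recover": inc.detected_at + timedelta(hours=recover),
    }


def sla_breaches(inc: Incident, now: datetime) -> List[str]:
    """Return the stages breached as of `now`: a stage is breached when it was
    completed after its deadline, or is still open and the deadline has passed."""
    completed = {
        "acknowledge": inc.acknowledged_at,
        "contain": inc.contained_at,
        "recover": inc.recovered_at,
    }
    breached = []
    for stage, deadline in deadlines(inc).items():
        finished = completed[stage]
        if (finished is None and now > deadline) or (finished is not None and finished > deadline):
            breached.append(stage)
    return breached


def regulator_notification_required(inc: Incident) -> bool:
    """Placeholder for the 3 -> 4 step: flag incidents that may fall under DPDP /
    CERT-In reporting. The real trigger and deadline must come from the applicable
    rule; here personal-data involvement is the assumed trigger."""
    return inc.personal_data_affected


def sample_incidents() -> List[Incident]:
    """Three constructed incidents detected at 09:00 on the same day."""
    t0 = datetime(2024, 1, 10, 9, 0)
    return [
        Incident("INC-001", t0, "low", False, 1, False,
                 acknowledged_at=t0 + timedelta(hours=2)),
        Incident("INC-002", t0, "high", False, 3, True,
                 acknowledged_at=t0 + timedelta(hours=3)),
        Incident("INC-003", t0, "medium", True, 1, False,
                 acknowledged_at=t0 + timedelta(minutes=30),
                 contained_at=t0 + timedelta(hours=6)),
    ]


if __name__ == "__main__":
    now = datetime(2024, 1, 10, 15, 0)  # six hours after detection
    for inc in sample_incidents():
        print(inc.id, classify(inc), sla_breaches(inc, now),
              "notify-regulator" if regulator_notification_required(inc) else "")
```

Run as-is, the script reports INC-001 as L1 with no breaches, INC-002 as L3 with both the acknowledge and contain SLAs breached, and INC-003 as L3 with the contain SLA breached and the regulator flag set. The same `classify` and `sla_breaches` functions are what a SOAR playbook would call on each new alert to set the severity field and raise a ticket when a deadline passes.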

Enablers

Evidence

KPIs

Low-Cost / Open-Source Options (MSME)

Purpose          Tool              Notes
Matrix tracker   Wiki / Excel      Simple table.
Automation       n8n / SOAR Lite   Auto-assign severity.
Reporting        Metabase          Visualise SLA breaches.

Common Pitfalls

Compliance Mapping

Standard              Clauses / Notes
ISO/IEC 27001:2022    A.5.24 (Incident Management)
CERT-In 2022          Section 29 (Incident Classification)
DPDP Act 2023         Sec 8 (Data Breach Severity Criteria)
NIST CSF 2.0          RS.AN / RS.MI
NIRMATA Mapping       IR-Q02 anchors incident categorization discipline.