---
title: "ISO/IEC 27035 Severity Classification FAQ"
canonical_url: "https://www.sorena.io/artifacts/global/iso-27035/faq/severity-classification"
source_url: "https://www.sorena.io/artifacts/global/iso-27035/faq/severity-classification"
author: "Sorena AI"
description: "How should teams handle Severity Classification under ISO/IEC 27035? Practical answer with owners, evidence, review triggers, and external source references."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "ISO/IEC 27035 Severity Classification FAQ"
  - "Severity Classification ISO/IEC 27035"
  - "ISO/IEC 27035 evidence"
  - "ISO/IEC 27035 implementation"
  - "ISO/IEC 27035"
  - "ISO/IEC 27035 Information Security Incident Management"
  - "ISO/IEC 27035 FAQ: Severity Classification"
  - "FAQ"
  - "global compliance"
---

# ISO/IEC 27035 Severity Classification FAQ

How should teams handle Severity Classification under ISO/IEC 27035? Practical answer with owners, evidence, review triggers, and external source references.

This answer is grounded in external ISO, NIST, EU, or framework sources where relevant. It is practical guidance that supports implementation planning, and it should be validated against jurisdiction-specific legal, contractual, and policy requirements before implementation.

This FAQ for Severity Classification explains how to judge incident severity using repeatable criteria such as asset criticality, functional impact, data impact, stage of activity, threat actor characterization, and recoverability.

## How should teams handle Severity Classification under ISO/IEC 27035?

Start with a simple scoring approach: classify the incident by how much it affects critical services, sensitive data, operational continuity, and the organization's ability to recover quickly.

Use the same factors every time so similar incidents get similar treatment. NIST SP 800-61r3 points incident teams to risk evaluation factors such as asset criticality, functional impact, data impact, stage of observed activity, threat actor characterization, and recoverability when prioritizing incidents and deciding when to escalate or elevate response activities.

A practical rule is that higher severity usually means broader business impact, more urgent response, more difficult recovery, or a greater likelihood that the activity will spread, persist, or cause regulatory, legal, or customer-notification consequences. Lower severity usually means the event is limited in scope, easier to contain, and unlikely to affect critical services or sensitive data.

- Classify severity using consistent factors such as asset criticality, functional impact, data impact, stage of activity, threat actor characterization, and recoverability.
- Treat incidents as more severe when they affect critical services, sensitive data, or time-sensitive operations, or when containment and recovery are difficult.
- Escalate when the severity level changes the urgency, resourcing, communications, legal review, or recovery decision.
- Document the severity rationale so reviewers can see why the incident was placed in that level rather than a lower or higher one.
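
The scoring approach above as an added example (not code from this page, ISO/IEC 27035, or NIST): it scores the six listed factors, records the rationale, and flags escalation when re-triage raises the level. The 0-3 scale, the level thresholds, the floor rule, and the names `classify` and `needs_escalation` are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Factor names follow the page; the 0-3 scale, thresholds and floor rule
# are assumptions made for this example, not values from ISO or NIST.
FACTORS = ("asset_criticality", "functional_impact", "data_impact",
           "stage_of_activity", "threat_actor", "recoverability")
LEVELS = ("low", "medium", "high", "critical")


@dataclass
class Assessment:
    level: str
    total: int
    rationale: list  # per-factor record kept with the incident ticket


def classify(scores):
    """Score every factor 0 (none) to 3 (severe); reject partial input."""
    problems = [f for f in FACTORS if scores.get(f) not in (0, 1, 2, 3)]
    if problems:
        raise ValueError(f"missing or out-of-range factors: {problems}")
    total = sum(scores[f] for f in FACTORS)
    idx = 0 if total <= 4 else 1 if total <= 9 else 2 if total <= 13 else 3
    rationale = [f"{f}={scores[f]}" for f in FACTORS]
    # Floor: a severe hit on a critical asset or sensitive data must not
    # be averaged away by low scores on the other factors.
    if idx < 2 and 3 in (scores["asset_criticality"], scores["data_impact"]):
        idx = 2
        rationale.append("floor applied: severe asset or data impact")
    return Assessment(LEVELS[idx], total, rationale)


def needs_escalation(previous, current):
    """Assumed rule: escalate when re-scoring raises the severity level."""
    return LEVELS.index(current.level) > LEVELS.index(previous.level)


# Constructed sample: the same incident at first triage and at re-triage,
# after sensitive data exposure was confirmed.
INITIAL = dict(asset_criticality=1, functional_impact=1, data_impact=0,
               stage_of_activity=1, threat_actor=1, recoverability=0)
RETRIAGE = dict(asset_criticality=1, functional_impact=1, data_impact=3,
                stage_of_activity=2, threat_actor=1, recoverability=1)

if __name__ == "__main__":
    first, second = classify(INITIAL), classify(RETRIAGE)
    print(first.level, "->", second.level, second.rationale)
    print("escalate:", needs_escalation(first, second))
```

Rejecting unscored factors forces the triage analyst to record a value for all six, which is what makes two assessments of similar incidents comparable.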

Sources for this answer:

- [NIST SP 800-61r3](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - NIST says incident triage, prioritization, escalation, and elevation should be based on risk evaluation factors.
- [NIST SP 800-61r3](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - The publication gives examples of risk evaluation factors that can be used for severity decisions.
- [NIST SP 800-61r3](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - The incident report should be checked to estimate severity and urgency.

## What evidence should prove Severity Classification is current under ISO/IEC 27035?

The evidence should show the process operating. For this artifact, the strongest record usually includes incident policy, response plan, severity matrix, triage records, escalation logs, notifications, containment and recovery notes, lessons learned, and retained logs.

Avoid evidence that only repeats a requirement. A reviewer should be able to see the actual owner, date, system, supplier, AI system, service, incident, risk, or control sample behind the answer.

- Use source records from the system of work, not screenshots created only for audit day.
- Keep exceptions visible as risk acceptance, corrective action, or management-review input.
- Update linked registers when the answer changes an owner, risk, control, service, supplier, or review date.

Sources for this answer:

- [ISO/IEC 27035-2:2023 standard page](https://www.iso.org/standard/78974.html?ref=sorena.io) - ISO/IEC 27035-2 supports planning and lessons-learned practices that keep severity criteria and escalation paths reviewable.
- [ISO/IEC 27035-3:2020 standard page](https://www.iso.org/standard/74033.html?ref=sorena.io) - ISO/IEC 27035-3 supports ICT incident-response operations where severity classification guides triage and response coordination.

## Who should approve Severity Classification decisions under ISO/IEC 27035?

The person who can fund, operate, and correct the process should own the decision; governance should review consistency and exceptions.

For high-impact changes, approval should include the teams affected by the evidence: security, privacy, resilience, supplier management, AI governance, legal, risk, or business service owners as relevant.

- Use a named owner, named backup, and named escalation forum.
- Separate preparation work from risk acceptance and final approval.
- Keep approval records with the evidence rather than in disconnected email threads.

Sources for this answer:

- [ISO/IEC 27035-1:2023 standard page](https://www.iso.org/standard/78973.html?ref=sorena.io) - ISO/IEC 27035-1 defines the incident-management process context for assessing incidents, which supports severity classification and escalation decisions.
- [ISO/IEC 27035-2:2023 standard page](https://www.iso.org/standard/78974.html?ref=sorena.io) - ISO/IEC 27035-2 supports planning and lessons-learned practices that keep severity criteria and escalation paths reviewable.

## When should Severity Classification be reviewed under ISO/IEC 27035?

Review it at planned intervals and whenever the underlying scope, service, supplier, control, risk, AI system, personal data flow, incident process, or customer commitment changes.

A stale record is worse than a short record. If the facts change, update the evidence and mark what changed so the next reviewer can trust the page.

- Set a planned review date and a change-trigger rule.
- Use findings to update controls, procedures, contracts, risk registers, or training.
- Carry unresolved items into management review or risk acceptance.

Sources for this answer:

- [ISO/IEC 27035-1:2023 standard page](https://www.iso.org/standard/78973.html?ref=sorena.io) - ISO/IEC 27035-1 defines the incident-management process context for assessing incidents, which supports severity classification and escalation decisions.
- [ISO/IEC 27035-2:2023 standard page](https://www.iso.org/standard/78974.html?ref=sorena.io) - ISO/IEC 27035-2 supports planning and lessons-learned practices that keep severity criteria and escalation paths reviewable.

## Primary sources

- [ISO/IEC 27035-1:2023 standard page](https://www.iso.org/standard/78973.html?ref=sorena.io) - ISO/IEC 27035-1 defines the incident-management process context for assessing incidents, which supports severity classification and escalation decisions.
  - Quote: "preparing for, detecting, reporting, assessing, and responding to incidents"
- [ISO/IEC 27035-2:2023 standard page](https://www.iso.org/standard/78974.html?ref=sorena.io) - ISO/IEC 27035-2 supports planning and lessons-learned practices that keep severity criteria and escalation paths reviewable.
  - Quote: "plan and prepare for incident response and to learn lessons"
- [ISO/IEC 27035-3:2020 standard page](https://www.iso.org/standard/74033.html?ref=sorena.io) - ISO/IEC 27035-3 supports ICT incident-response operations where severity classification guides triage and response coordination.
  - Quote: "information security incident response in ICT security operations"

