# Incident Classification, Severity, and SLAs

One-sentence definition: Categorize incidents and assign severity to drive response time and resources.

## Key Facts

- Categories (malware, insider, data loss, DDoS, auth compromise).
- Severity levels (P1–P4) map to SLAs for triage/response/comms.
- Predefine notification chains (legal, exec, PR, privacy).
- Review severities post-incident; adjust criteria as needed.
- **Verify:** check the official (ISC)² CBK and current exam outline.

## Exam Relevance

- Pick a consistent severity to avoid under- or over-response.

**Mnemonic:** “**Name it, rank it, act**.”

## Mini Scenario

Q: Data exfiltration observed; who should be notified?
A: Privacy/legal immediately, per the P1 comms plan.

## Revision Checklist

- Two category examples.
- SLA concept.
- Notification chain.

## Related

[[Incident Response Lifecycle (NIST-Style)]] · [[Playbooks and SOAR Automation]] · [[Business Continuity Operations and Crisis Communications]] · [[Operational Metrics and KPIs (MTTD MTTR Coverage)]] · [[Security Operations Center (SOC) Fundamentals]] · [[Domain 7 - Index]]