CIS Control 17.9: Establish and Maintain Security Incident Thresholds
Distinguishing between security events and actual incidents is foundational to effective incident response. CIS Control 17.9 requires you to define clear thresholds that separate routine security activity from genuine threats, ensuring your team responds proportionally and your compliance program stays audit-ready.
What this means
This control requires organizations to create and document security incident thresholds that clearly differentiate between a security event (detected activity) and a security incident (an event that triggers investigation and response). You must define what constitutes a major incident separately, establish criteria for each classification, and review these definitions annually or whenever significant enterprise changes occur—such as infrastructure expansions, business unit mergers, or shifts in risk profile.
How to comply
- 1.Document definitions distinguishing between security events and security incidents specific to your environment
- 2.Define major incident criteria (e.g., data exposure scope, system downtime, regulatory impact)
- 3.Create a decision tree or classification matrix for triage personnel to apply consistently
- 4.Establish threshold metrics (e.g., number of failed logins, data volume, affected users) tied to incident severity levels
- 5.Communicate thresholds to all incident response stakeholders and train them on application
- 6.Review and update thresholds annually and after any significant business or infrastructure changes
- 7.Document all reviews with dates and stakeholder sign-off
Evidence auditors look for
- Incident classification policy document with event vs. incident definitions
- Major incident definition with specific criteria and examples
- Incident response triage checklist referencing threshold metrics
- Annual review memo documenting threshold assessment and any updates
- Training records showing incident response team certification on thresholds
- Incident logs demonstrating consistent application of thresholds over time
- Change log tracking threshold modifications linked to business changes
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch lets you document incident thresholds once, version them automatically on annual reviews, and log every threshold application across your incident records—eliminating spreadsheet drift and audit friction when assessors ask what constitutes an incident in your organization.
See how GRCWatch handles this control automatically
Start free trial