5.25 Assessment and Decision on Information Security Events

The organisation should assess information security events and decide if they should be categorised as information security incidents.

Defining and understanding the incident's nature and identifying the boundaries are essential. This ensures the list of incidents identified by an organisation is within the scope, and the organisation can manage the identified incident in case of occurrence.

5.25 could be best implemented by creating a list of incidents. Nonetheless, an organisation should be cautious that an overwhelming list exceeding the scope of the business would undoubtedly exhaust human, financial, and technical resources. Reasonably, considering everything as an incident means the company needs to design and implement security countermeasures for all those incidents registered in the list. It might seem like a good practice, but in the long run, the organisation has been paying for numerous roles within the company and expending vast sums of money to protect against an incident that might never happen. On the other hand, many organisations are victims of information security incidents due to underestimating the genuine attack addressing the nature of their business. For instance, small businesses might neglect the fact that despite the company's size, they certainly have valuable information to protect. This negligence primarily causes businesses to overlook the threat to their business. Thus, when an incident occurs, there is significantly less or no readiness to manage the incident within the organisation.