A.5.25 Assessment and Decision on Information Security Events
What is this control?
ISO 27001 control A.5.25 (Assessment and Decision on Information Security Events) requires that every security event, whether logged in Microsoft Sentinel or Microsoft Defender XDR or reported manually to the helpdesk, is formally assessed by the CSIRT to determine its nature, impact, and severity. Each event is formally classified as a Security Incident, Security Event, Weakness, or False Positive and prioritised as High, Medium, or Low, with escalation matching the assigned priority.
How to implement in Microsoft 365
Implement A.5.25 by defining a classification model in the IR plan covering the Security Incident, Security Event, Weakness, and False Positive categories. Create a prioritisation matrix that defines the High, Medium, and Low severity levels and the criteria for each. Establish a formal assessment workflow in the helpdesk system that requires review and classification by the CISO or a delegate.
Create a dedicated Microsoft Teams channel for CSIRT incident declarations and escalations. Implement automated escalation rules in the helpdesk for high-severity incidents. Document notification procedures for Management Review Board and Data Protection Officer.
Configure Power Automate workflows to trigger Teams notifications for high-severity classifications.
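The classification model, prioritisation matrix and escalation rules described above, expressed as a small triage routine so the decision logic can be read and tested in one place. This is an added illustration, not code from this page or from Microsoft: the event fields, the impact and asset-criticality scales, the matrix cells, the "PII is at least Medium" rule and the four sample events are assumptions constructed for the example. In a real deployment the matrix lives in the IR plan and the equivalent decisions are made in the helpdesk workflow and the Power Automate flow that posts to the CSIRT Teams channel.

```python
"""Triage routine for ISO 27001 A.5.25: classify, prioritise and decide escalation.

Illustration only: the event fields, the impact/asset-criticality scales, the matrix
cells and the sample events below are assumptions constructed for this example.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Classification(str, Enum):
    INCIDENT = "Security Incident"
    EVENT = "Security Event"
    WEAKNESS = "Weakness"
    FALSE_POSITIVE = "False Positive"


class Priority(str, Enum):
    HIGH = "High"
    MEDIUM = "Medium"
    LOW = "Low"


@dataclass
class SecurityEvent:
    event_id: str
    source: str                                 # "Sentinel", "Defender XDR" or "Helpdesk"
    title: str
    confirmed_malicious: Optional[bool] = None  # analyst finding; None = not yet determined
    exploitable_weakness: bool = False          # vulnerability/misconfiguration, no compromise seen
    impact: str = "none"                        # assumed scale: "none", "limited", "significant"
    asset_criticality: str = "standard"         # assumed scale: "standard", "critical"
    involves_pii: bool = False


@dataclass
class Assessment:
    event_id: str
    classification: Classification
    priority: Priority
    escalate_to: List[str] = field(default_factory=list)


# Assumed prioritisation matrix: (impact, asset criticality) -> priority.
PRIORITY_MATRIX: Dict[Tuple[str, str], Priority] = {
    ("significant", "critical"): Priority.HIGH,
    ("significant", "standard"): Priority.HIGH,
    ("limited", "critical"): Priority.HIGH,
    ("limited", "standard"): Priority.MEDIUM,
    ("none", "critical"): Priority.MEDIUM,
    ("none", "standard"): Priority.LOW,
}


def classify(ev: SecurityEvent) -> Classification:
    """Apply the four-category model from the IR plan."""
    if ev.confirmed_malicious is False and not ev.exploitable_weakness:
        return Classification.FALSE_POSITIVE   # analyst ruled the detection benign
    if ev.confirmed_malicious and ev.impact != "none":
        return Classification.INCIDENT         # confirmed malicious activity with impact
    if ev.exploitable_weakness and not ev.confirmed_malicious:
        return Classification.WEAKNESS         # exploitable gap, no evidence of exploitation
    return Classification.EVENT                # blocked attempt or still under investigation


def prioritise(ev: SecurityEvent, classification: Classification) -> Priority:
    """Look up the matrix; values outside the scale are rejected, not silently defaulted."""
    if classification is Classification.FALSE_POSITIVE:
        return Priority.LOW
    key = (ev.impact, ev.asset_criticality)
    if key not in PRIORITY_MATRIX:
        raise ValueError(f"{ev.event_id}: {key} is not a cell of the prioritisation matrix")
    priority = PRIORITY_MATRIX[key]
    # Assumed policy rule: anything touching PII is at least Medium so DPO review is not missed.
    if ev.involves_pii and priority is Priority.LOW:
        priority = Priority.MEDIUM
    return priority


def decide_escalation(ev: SecurityEvent, classification: Classification,
                      priority: Priority) -> List[str]:
    targets = ["CISO or delegate"]             # every assessment gets this review
    if priority is Priority.HIGH:
        targets += ["CSIRT Teams channel", "Management Review Board"]
    if classification is Classification.INCIDENT and ev.involves_pii:
        targets.append("Data Protection Officer")
    return targets


def assess(ev: SecurityEvent) -> Assessment:
    c = classify(ev)
    p = prioritise(ev, c)
    return Assessment(ev.event_id, c, p, decide_escalation(ev, c, p))


# Constructed sample events, covering each intake route named in the control.
SAMPLE_EVENTS = [
    SecurityEvent("EV-001", "Sentinel", "Mailbox forwarding rule to external domain",
                  confirmed_malicious=True, impact="significant",
                  asset_criticality="critical", involves_pii=True),
    SecurityEvent("EV-002", "Defender XDR", "Suspicious PowerShell (approved admin script)",
                  confirmed_malicious=False),
    SecurityEvent("EV-003", "Helpdesk", "Shared mailbox still readable by a leaver",
                  exploitable_weakness=True, asset_criticality="critical"),
    SecurityEvent("EV-004", "Sentinel", "Password spray blocked by Conditional Access",
                  confirmed_malicious=True, impact="none"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        a = assess(ev)
        print(f"{a.event_id:7} {a.classification.value:18} {a.priority.value:7} -> "
              + ", ".join(a.escalate_to))
```

The explicit `ValueError` for an impact or criticality value outside the matrix is deliberate: an assessment record that the helpdesk accepted with a value the matrix does not define is exactly the gap an auditor would find when reconciling historical tickets against the documented matrix.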
What an auditor looks for
Auditors will verify that the IR plan defines the assessment criteria and a classification model with at least four classifications. They will check that the prioritisation matrix is documented together with the severity assessment approach. Auditors will review helpdesk audit logs showing historical incidents with a formal classification and priority recorded for each.
They will check the Microsoft Teams audit history for high-severity incident declarations and the notifications sent to management. Auditors will verify evidence of DPO notification for PII-related incidents.
M365 capabilities that implement this control
Deploy Microsoft Defender for Identity (MDI) sensors on domain controllers, AD FS, AD CS, and Entra Connect servers. Configure entity tags, tune alerts, and integrate with Defender XDR.
IR plan documentation, playbook inventory, RACI matrices, communication templates, and tabletop exercises.