Incident Classification and Categorization is the systematic process of assigning security incidents to defined taxonomy dimensions — incident type, severity level, business impact category, and source — to enable consistent prioritization, appropriate resource allocation, and compliant regulatory response. It is a governance control, not merely an operational triage step: the classification taxonomy itself (who owns it, how it is structured, how it is maintained) is the primary CISM-level deliverable. Classification occurs at multiple points in the incident lifecycle — at initial report, after triage, and after investigation — and is updated as evidence changes.
Where it stops · what it isn't
- IS: A structured governance process for assigning multi-dimensional labels to confirmed or suspected security incidents to drive response decisions, regulatory compliance, and incident metrics.
- IS: Applicable to all incident types, technical (malware, unauthorized access) and non-technical (policy violations, physical breaches), and applied throughout the incident lifecycle.
- IS NOT: Incident detection or alert triage. Classification begins after a potential incident is identified; it excludes the technical processes that find the incident in the first place.
- IS NOT: Incident investigation or forensic analysis. Classification informs investigation scope but is not the investigation itself.
- IS NOT: A one-time event. Initial classification is a hypothesis refined as investigation reveals new evidence.
- IS NOT: A purely technical function. The classification taxonomy is a governance artifact that must align with legal, compliance, business continuity, and executive communication requirements.
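The lifecycle described above (classification at initial report, again after triage, and again after investigation, with each pass refining a hypothesis rather than replacing the record) is easiest to see as an append-only classification history. The following is an added illustration, not part of the original cubelet and not any ISACA material: it models the four taxonomy dimensions, keeps every classification as an audit trail, and derives notification deadlines from the current classification. The GDPR Art. 33(1) 72-hour clock is real; the executive-notification SLA hours, the incident identifier, the timestamps and the enum members are constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


# Taxonomy dimensions. The member lists are illustrative, not a standard.
class IncidentType(Enum):
    MALWARE = "malware"
    UNAUTHORIZED_ACCESS = "unauthorized_access"
    POLICY_VIOLATION = "policy_violation"
    PHYSICAL_BREACH = "physical_breach"


class Severity(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


class ImpactCategory(Enum):
    OPERATIONAL = "operational"
    PERSONAL_DATA = "personal_data"
    CARDHOLDER_DATA = "cardholder_data"


class Source(Enum):
    INTERNAL = "internal"
    EXTERNAL = "external"
    THIRD_PARTY = "third_party"


@dataclass(frozen=True)
class Classification:
    incident_type: IncidentType
    severity: Severity
    impact: frozenset            # set of ImpactCategory
    source: Source
    stage: str                   # "initial_report", "post_triage", "post_investigation"
    assessed_at: datetime
    evidence: str                # why this classification was assigned


@dataclass
class Incident:
    incident_id: str
    aware_at: datetime           # assumption: taken as the initial-report time
    history: list = field(default_factory=list)

    @property
    def current(self) -> Classification:
        return self.history[-1]

    def classify(self, c: Classification) -> None:
        # Append-only: earlier classifications stay as the audit trail.
        if self.history and c.assessed_at < self.current.assessed_at:
            raise ValueError("classification timestamps must not go backwards")
        self.history.append(c)

    def severity_changed(self) -> bool:
        # Reclassification drift is an input to the consistency metrics.
        return self.history[0].severity is not self.current.severity

    def notification_deadlines(self) -> dict:
        c = self.current
        deadlines = {}
        # GDPR Art. 33(1): supervisory authority within 72 hours of awareness.
        if ImpactCategory.PERSONAL_DATA in c.impact:
            deadlines["gdpr_supervisory_authority"] = self.aware_at + timedelta(hours=72)
        # Constructed internal SLA (assumption): executive notice per severity tier.
        exec_sla_hours = {Severity.CRITICAL: 1, Severity.HIGH: 4,
                          Severity.MEDIUM: 24, Severity.LOW: 72}
        deadlines["executive_notification"] = (
            c.assessed_at + timedelta(hours=exec_sla_hours[c.severity]))
        return deadlines


def build_sample_incident(stages: int = 2) -> Incident:
    """Constructed walk-through: initial report, then post-triage reclassification."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    inc = Incident(incident_id="INC-EXAMPLE-001", aware_at=t0)
    inc.classify(Classification(
        IncidentType.MALWARE, Severity.MEDIUM, frozenset({ImpactCategory.OPERATIONAL}),
        Source.EXTERNAL, "initial_report", t0, "EDR alert on one workstation"))
    if stages >= 2:
        inc.classify(Classification(
            IncidentType.MALWARE, Severity.HIGH,
            frozenset({ImpactCategory.OPERATIONAL, ImpactCategory.PERSONAL_DATA}),
            Source.EXTERNAL, "post_triage", t0 + timedelta(hours=2, minutes=30),
            "triage found the host holds customer records"))
    return inc


if __name__ == "__main__":
    inc = build_sample_incident()
    for c in inc.history:
        print(c.stage, c.severity.name, sorted(i.value for i in c.impact))
    for name, due in inc.notification_deadlines().items():
        print(name, due.isoformat())
```

The point of the append-only history is that the initial classification is never lost: the post-triage record shows that personal data entered the picture two and a half hours after the first report, which is exactly the change that starts a regulatory clock and that the metrics process needs to see.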
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
- PART OF: Incident Management Lifecycle (ISACA CISM Domain 4)
- REQUIRES: Incident Management Overview (roles, lifecycle, governance foundations)
- ENABLES: Incident Investigation and Evaluation (classification sets investigation scope and priority); Incident Eradication and Recovery (severity classification determines recovery resource allocation); Incident Communication and Escalation (classification drives notification timelines and stakeholder lists); Regulatory Breach Notification Compliance (GDPR Art. 33, HIPAA, PCI-DSS 12.10, SEC Cyber Rules)
- RELATED TO: Incident Response Planning (plans define response actions per classification tier)
- CONSTRAINS: Incident Metrics and Reporting (MTTR, false positive rates, and incident volume trends depend on classification consistency)