The organization must define the threshold at which a security incident becomes a cyber security breach.
The organization has defined metrics that can be monitored and are related to cyber security incident management. At their best, good metrics help detect weaknesses in incident detection.
Possible metrics include:
The organization shall define procedures for clearly sorting detected security events. Sorting must enable events to be prioritized according to severity and potential impact.
Sorting is intended to enhance the investigation and evaluation of security events so that, for example, a response to a disruption can be initiated quickly.
Procedures can consist of common processes, technical tools, or algorithms that utilize machine learning. Procedures need to be reviewed regularly to ensure that they work and are appropriate for the organization's needs.