SM-08 Incident & Security Monitoring

Incident Management

IT incidents follow a consistent lifecycle.

Domain: Incident & Security Monitoring
Control type: Detective
Automated / manual: Manual
Frequency: Per event
Framework reference: COBIT DSS02; MAS TRM – Resilience

What good looks like

Incidents logged, categorised, prioritised, escalated, resolved; majors post-reviewed.

Risk if it fails

Prolonged outages; unmanaged incidents.

How Tess tests it

4 tests — each concludes only on cited evidence.

Incident process w/ categorisation/SLA/escalation

Design

Procedure: Inspect the process.
Expected: Defined.
Sample: 1 (design inspection)
Evidence: Incident tickets, escalation/SLA evidence, post-reviews.

Incidents logged and classified

Operating

Procedure: Sample incidents.
Expected: Recorded and categorised.
Sample: Judgmental, by population (e.g. 10–25)
Evidence: Incident tickets, escalation/SLA evidence, post-reviews.

SLAs/escalation followed

Operating

Procedure: Inspect handling.
Expected: SLA/escalation met.
Sample: Judgmental, by population (e.g. 10–25)
Evidence: Incident tickets, escalation/SLA evidence, post-reviews.

Major-incident post-reviews performed

Operating

Procedure: Inspect PIRs for majors.
Expected: Conducted for major incidents.
Sample: Judgmental, by population (e.g. 10–25)
Evidence: Incident tickets, escalation/SLA evidence, post-reviews.

Evidence Tess looks for

Incident tickets, escalation/SLA evidence, post-reviews.

More in Incident & Security Monitoring

SM-01 Logging Standard & Retention SM-02 Access & Privileged Activity Logging SM-03 Time Synchronisation (NTP) SM-04 Security Alerting & Anomaly Monitoring

Want Tess to test SM-08 against your evidence?