ISO 27001:2022 Annex A 5.25 Guide

In this guide, I will show you exactly how to implement ISO 27001 Annex A 5.25 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.

I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.

Key Takeaways: ISO 27001 Annex A 5.25 Assessment and Decision on Information Security Events

ISO 27001 Annex A 5.25 requires organizations to assess information security events and decide if they should be categorized as information security incidents. This is a critical detective control that acts as the “triage” stage of incident management. Not every technical glitch is a security incident. This control ensures you have a consistent process to filter out noise, identify true threats to Confidentiality, Integrity, and Availability, and prioritize them so your response team focuses on the highest risks first.

Core requirements for compliance include:

Establish Triage Criteria: You must define clear criteria to differentiate between a “security event” (e.g., a single failed login) and a “security incident” (e.g., a brute-force attack).
Prioritization Formula: The priority of an incident is typically determined by the formula: Impact x Urgency = Priority.
- Impact: How severe are the consequences (e.g., data loss, downtime)?
- Urgency: How quickly must we act to prevent further damage?
Designated Decision Maker: You must identify a specific point of contact (often the Incident Manager) who has the authority to officially categorize an event as an incident and set its priority level.
Recording Decisions: Every assessment and decision must be documented. This record is essential for Root Cause Analysis (RCA) and for proving to auditors that your process is operational.
Integration with IR Plan: This control must link directly to your Incident Management Plan (A.5.24) to ensure that once a decision is made, the correct response procedures are triggered.

Audit Focus: Auditors will look for “The Triage Logic”:

Incident Logs: “Show me your incident log for the last year. Pick an event that was not categorized as an incident. How did you reach that decision?”
SLA Compliance: “Show me a ‘High’ priority incident from last month. Did your team respond within the timeframe defined in your Event Classification Matrix?”
Evidence of Analysis: “For your most recent major incident, show me the record of the initial assessment. Who made the decision on the priority level?”

Event Classification Matrix (Audit Prep):

Severity	Definition	Real-World Example	Response Target	ISO 27001:2022 Control
Low	No service impact; single user.	Blocked phishing email.	24 Hours.	Annex A 5.25
Medium	Limited impact; non-critical data.	Malware on one workstation.	4 Hours.	Annex A 5.25
High	Critical service down; data risk.	Ransomware on a file server.	1 Hour.	Annex A 5.25 / 5.26
Critical	Existential threat; massive leak.	Database exposed to public.	IMMEDIATE	Annex A 5.25 / 5.26

What is ISO 27001 Annex A 5.25?
Watch the ISO 27001 Annex A 5.25 Tutorial
ISO 27001 Annex A 5.25 Podcast
ISO 27001 Annex A 5.25 Implementation Guidance
How to implement ISO 27001 Annex A 5.25
Event Classification Matrix
How to comply
How to pass an ISO 27001 Annex A 5.25 audit
What the auditor will check
Top 3 ISO 27001 Annex A 5.25 Mistakes People Make and How to Avoid Them
Why is Assessment and Decision on Information Security Events Important?
Applicability of ISO 27001 Annex A 5.25 across different business models.
Fast Track ISO 27001 Annex A 5.25 Compliance with the ISO 27001 Toolkit
ISO 27001 Annex A 5.25 FAQ
Related ISO 27001 Controls
Further Reading
ISO 27001 controls and attribute values

What is ISO 27001 Annex A 5.25?

ISO 27001 Annex A 5.25 is about the assessment and decisions on information security events which means you need a process for assessing incidents and then deciding if they are an information security incident and prioritising them for action.

ISO 27001 Annex A 5.25 Assessment and decision on information security events is an ISO 27001 control that requires an organisation to assess information security events to categorise and prioritise them.

ISO 27001 Annex A 5.25 Purpose

The purpose of ISO 27001 Annex A 5.25 is a detective control that ensures effective categorisation and prioritisation of information security events.

ISO 27001 Annex A 5.25 Definition

The ISO 27001 standard defines ISO 27001 Annex A 5.25 as:

The organisation should assess information security events and decide if they are to be categorised as information security incidents.
ISO 27001:2022 Annex A 5.25 Assessment and decision on information security events

Watch the ISO 27001 Annex A 5.25 Tutorial

In this tutorial video I show you how to implement ISO 27001 Annex A 5.25 and how to pass the audit.

ISO 27001 Annex A 5.25 Podcast

In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 5.25 Assessment And Decision On Information Security Events. The podcast explores what it is, why it is important and the path to compliance.

ISO 27001 Annex A 5.25 Implementation Guidance

An information security incident is an event that could potentially have a negative impact on the confidentiality, integrity, or availability of information. The consequences of an incident can vary depending on the nature of the incident, the systems and data affected, and the organisation’s response.

The priority of an incident is determined by its impact and urgency. Impact refers to how severe the consequences of the incident are, and urgency refers to how quickly action is needed to resolve the incident.

Criteria for Categorising Events as Information Security Incidents

In roles and responsible ISO 27001 Annex A 5.24 Information Security Incident Management Planning And Preparation we assigned the various roles including the contact who will assess each information security incident using the agreed criteria.

The following can be used to categorise events as information security incidents:

A virus
Unauthorised access to information systems or data
Ransomeware
A system outage
Social engineering attacks
Unauthorised disclosure of information
Unauthorised modification of information
Denial of service to information systems or users

Assessment of Information Security Events

We also set out in ISO 27001 Annex A 5.24 Information Security Incident Management Planning And Preparation who will co-ordinate and respond to the information security incident and it those people that will perform the assessment and make a decision on the events.

The point of contact should assess each information security event using the following as guidance:

Impact: The impact of the event should be assessed in terms of the severity of the consequences, such as loss of confidentiality, integrity, or availability of information.
Urgency: The urgency of the event should be assessed in terms of how quickly a resolution is needed
Priority: The priority of the event should be determined by its impact and urgency.

Information Security Assessment Formula

Impact x Urgency = Priority

Decision on Information Security Events

The point of contact should make a decision on each information security event based on the assessment. The decision should include the following:

Whether the event is an information security incident
The priority of the incident
The appropriate response to the incident

Recording of Results

The results of the assessment and decision should be recorded. This is for reference, verification, lessons learnt, root cause analysis and continual improvement. We would record the following information:

The date and time of the event
The nature of the event
The impact of the event
The urgency of the event
The priority of the event
The decision on the event
The response to the event

Implementation Conclusion

This guide provides a framework for identifying the impact, consequences and priority of an information security incident. The guide should be used in conjunction with your information security incident management plan.

The standard that relates to information security management for further reading if required is ISO/IEC 27035

How to implement ISO 27001 Annex A 5.25

Implementing ISO 27001 Annex A 5.25 requires a systematic approach to filtering security noise and identifying genuine threats. By establishing clear thresholds and technical evaluation criteria, organisations can ensure that incident response resources are deployed with precision, avoiding operational fatigue while maintaining a robust defensive posture. The following steps outline the technical and procedural actions required to achieve a compliant assessment and decision-making framework.

1. Formalise the Event Classification Matrix

Define a structured matrix that distinguishes between a security event and a security incident. This result-focused action provides the foundational logic for all subsequent triage and escalation activities.

Document specific quantitative thresholds for “events” such as failed login attempts, firewall blocks, or policy violations.
Specify qualitative criteria for “incidents” involving unauthorised data access, service unavailability, or compromise of integrity.
Standardise the severity levels (e.g., Low, Medium, High, Critical) based on the sensitivity of the asset involved.

2. Provision Technical Triage Capabilities

Equip designated security personnel with the forensic and analytical tools necessary to perform deep-packet inspection and log analysis. This ensures that the initial assessment is based on empirical technical data rather than conjecture.

Assign specific IAM roles to the Security Operations Centre (SOC) team to allow read-only access to critical system logs and SIEM dashboards.
Establish Rules of Engagement (ROE) for initial investigation to ensure that the assessment process does not inadvertently modify or destroy evidence.
Integrate automated threat intelligence feeds to correlate internal events with known external attack patterns.

3. Execute the Assessment Protocol

Apply the pre-defined classification matrix to every identified security event. This action ensures consistent decision-making and prevents critical threats from being overlooked during high-volume periods.

Evaluate the event against the Confidentiality, Integrity, and Availability (CIA) impact criteria.
Review the context of the event, such as the user’s typical behaviour patterns or the specific network segment affected.
Determine if the event indicates a breach of statutory, regulatory, or contractual obligations.

4. Formalise the Escalation Decision

Document the final decision to either close the event or escalate it to a formal security incident. This result creates a verifiable audit trail that demonstrates the control is operating effectively.

Use a centralised GRC tool or incident management system to log the rationale behind every “Incident” or “False Positive” classification.
Require dual-authorisation or a peer-review process for the closure of high-severity events to mitigate the risk of human error.
Assign a unique reference ID to escalated incidents to facilitate tracking through the Annex A 5.26 response phase.

5. Communicate Findings to Relevant Stakeholders

Distribute the assessment outcome to the appropriate internal departments and asset owners. This ensures that the organisation maintains situational awareness and can prepare for subsequent remediation actions.

Establish automated notification triggers for events that meet specific risk profiles or involve high-value assets.
Brief the Data Protection Officer (DPO) immediately if the assessment identifies a potential breach of personal data.
Maintain a secure communication channel for investigators to prevent “leakage” of sensitive information during the decision phase.

6. Audit and Refine the Decision Logic

Periodically review the accuracy of past assessments to identify trends or misclassifications. This action facilitates continuous improvement of the ISMS and ensures the classification matrix remains aligned with the evolving threat landscape.

Conduct a post-mortem review of “False Negatives” to determine why a threat was not correctly identified during the assessment phase.
Update the technical triage playbooks based on lessons learned from confirmed incidents.
Present an assessment accuracy report to the Management Review Committee to satisfy ISO 27001 Clause 9.3 requirements.

Event Classification Matrix

Severity	Definition	Example	Response Time
Low	No impact on services; single user affected.	Phishing email (blocked).	24 Hours
Medium	Limited impact; non-critical data.	Malware on 1 laptop.	4 Hours
High	Critical service down; sensitive data risk.	Ransomware on server.	1 Hour
Critical	Existential threat; massive data loss.	Database public leak.	IMMEDIATE

How to comply

To comply with ISO 27001 Annex A 5.25 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to:

Identify information security incidents.
Assess the impact of information security incidents.
Prioritise information security incidents.
Respond to information security incidents.
Record information security incidents.

How to pass an ISO 27001 Annex A 5.25 audit

To pass an audit of ISO 27001 Annex A 5.25 Assessment and decision on information security events you are going to make sure that you have followed the steps above in how to comply.

Have a documented information security incident management plan.
Implement the information security incident management plan.
Monitor the effectiveness of the information security incident management plan.
Review and update the information security incident management plan as needed.

What the auditor will check

The audit is going to check a number of areas. Lets go through the main ones

1. That you have documented your roles, responsibilities and process

The audit will check the documentation, that you have reviewed it and signed and it off and that it represents what you actually do not what you think they want to hear.

2. That you can demonstrate the process working

They are going to ask you for evidence to the incident management process and take one example. For this example you are going to show them and walk them through the process and prove that you followed it and that the process worked.

3. That you can learn your lesson

Documenting your lessons learnt and following this through to continual improvements or incident and corrective actions will be checked. They want to see that not only did you respond but that you learnt from it and did something to improve that reduced or eliminated the possibility of it happening again.

Top 3 ISO 27001 Annex A 5.25 Mistakes People Make and How to Avoid Them

The top 3 Mistakes People Make For ISO 27001 Annex A 5.25 are

1. Not having a documented information security incident management plan.

This is the most common mistake made by organisations. A documented information security incident management plan is essential for effective incident response. It should include the following:

A process for identifying information security incidents.
A process for assessing the impact of information security incidents.
A process for prioritising information security incidents.
A process for responding to information security incidents.
A process for recording information security incidents.

2. Not implementing the information security incident management plan.

Even if you have a documented information security incident management plan, it is not enough to simply have the plan. The plan must be implemented in order to be effective. This means assigning responsibility for implementing the plan, providing training on the plan, and testing the plan.

3. Not monitoring the effectiveness of the information security incident management plan.

Once the information security incident management plan is implemented, it is important to monitor its effectiveness. This means reviewing reports of information security incidents, conducting audits of the plan, and taking corrective action as needed.

By avoiding these mistakes, you can ensure that you have an effective information security incident management plan in place.

Why is Assessment and Decision on Information Security Events Important?

As the saying goes, shit happens. It is facts of life. No system or security is 100% We cannot be on the back foot when the inevitable happens and effective incident management can eliminate or reduce the impact of information security incidents.

ISO 27001 Annex A 5.25 is important because it provides guidance on how to manage information security incidents. Information security incidents can have a significant impact on an organisation, so it is important to have a plan in place for how to respond to them. The guidance in ISO 27001 Annex A 5.25 can help you to develop and implement an effective information security incident management plan.

The following are some of the benefits of having an effective information security incident management plan:

It can help to reduce the impact of information security incidents.
It can help to protect the organisations reputation.
It can help to comply with legal and regulatory requirements.
It can help to improve the organisations overall information security posture.

Applicability of ISO 27001 Annex A 5.25 across different business models.

Business Type	Applicability	Examples of Control Implementation
Small Businesses	Highly applicable for filtering out technical “noise” from true security threats. The focus is on a simple triage process that ensures the owner or office manager isn’t overwhelmed by every minor log entry while catching critical events.	Implementing a simple “Severity Formula” (Impact x Urgency) to decide if a blocked phishing email is just a “Low” event or part of a “High” priority targeted campaign. Designating the Business Owner as the final “Decision Maker” to officially categorize a lost employee smartphone as a security incident. Maintaining a manual log of assessed security events to prove to auditors that a consistent triage process is being followed.
Tech Startups	Critical for managing high-volume alerts from cloud infrastructure and CI/CD pipelines. Compliance involves defining technical triage criteria that allow the DevOps team to focus on existential threats to the production environment.	Creating an Event Classification Matrix that defines a “Critical” incident as any unauthorized access to the production database. Automating the initial triage of server alerts so that “Medium” priority events (like one-off login failures) don’t trigger the on-call engineer at 2 AM. Recording the “Decision Logic” within the company’s ticketing system (e.g., Jira or Zendesk) for every event that is escalated to a formal security incident.
AI Companies	Vital for protecting specialized AI model IP and sensitive training data. Focus is on assessing sophisticated anomalies in model behavior or dataset access patterns that could indicate a data poisoning or model theft attempt.	Establishing specialized criteria to assess “Inference Anomalies” and deciding if they are technical glitches or adversarial prompt-injection incidents. Utilizing a “Record of Decision” for events involving unauthorized access to AI Model Weights, ensuring that any such event is automatically treated as a “Critical” incident. Integrating the triage process with the company’s Adversarial Risk Framework to assess if unusual data download patterns represent a credible IP theft threat.

Fast Track ISO 27001 Annex A 5.25 Compliance with the ISO 27001 Toolkit

For ISO 27001 Annex A 5.25 (Assessment and decision on information security events), the requirement is to assess information security events and decide if they should be categorised as incidents. This ensures that every potential threat is triaged, prioritized, and met with an appropriate response, preventing minor events from escalating into major disasters.

Compliance Factor	SaaS Compliance Platforms	High Table ISO 27001 Toolkit	Audit Evidence Example
Logic Ownership	Rents access to assessment logic; if you cancel the subscription, your documented triage rules and decision history vanish.	Permanent Assets: Fully editable Word/Excel Event Classification Matrices and formulas that you own forever.	A localized “Event Assessment Formula” defining the specific impact/urgency thresholds for your business.
Decision Governance	Attempts to “automate” triage via generic engines that cannot distinguish between a false positive and a nuanced breach.	Governance-First: Formalizes your existing technical triage into an auditor-ready framework for informed decision-making.	A recorded “Assessment Result” proving that a suspicious login alert was investigated and formally classified.
Cost Efficiency	Charges an “Event Volume Tax” based on the number of logs or investigations, creating perpetual overhead as alerts grow.	One-Off Fee: A single payment covers your assessment governance whether you triage 10 events or 10,000.	Allocating budget to high-fidelity monitoring tools rather than monthly “dashboard” fees for logging triage notes.
Freedom of Strategy	Mandates rigid scoring formats that may not align with your unique technical environment or specialized business impacts.	100% Agnostic: Procedures adapt to any stack—from lean IT teams to fully outsourced Security Operations Centers (SOC).	The ability to evolve your event classification criteria without reconfiguring a rigid, third-party SaaS compliance module.

While SaaS compliance platforms often try to sell you “automated event triaging” or complex “risk scoring engines,” they cannot actually decide if a “suspicious login” from an employee on vacation is a false positive or a breach, those are human investigative and decision-making tasks. The High Table ISO 27001 Toolkit is the logical choice because it provides the assessment framework you need to categorize events effectively without a recurring subscription fee.

1. Ownership: You Own Your Assessment Rules Forever

SaaS platforms act as a middleman for your compliance evidence. If you define your event classification rules and store your decision logs inside their proprietary system, you are essentially renting your own investigative standards.

The Toolkit Advantage: You receive the Event Classification Matrix and Incident Assessment Formula in fully editable Word/Excel formats. These files are yours forever. You maintain permanent ownership of your standards (such as specific definitions for “High” vs. “Critical” severity), ensuring you are always ready for an audit without an ongoing “rental” fee.

2. Simplicity: Governance for Real-World Triage

Annex A 5.25 is about making decisions based on evidence. You don’t need a complex new software interface to manage what an existing security log or a simple triage checklist already does perfectly.

The Toolkit Advantage: Your IT team already looks at logs and alerts. What they need is the governance layer to prove to an auditor that these events are assessed consistently, using a formal impact/urgency formula. The Toolkit provides pre-written procedures and “Event Classification Matrices” that formalize your existing technical triage into an auditor-ready framework, without forcing your team to learn a new software platform just to log a decision.

3. Cost: A One-Off Fee vs. The “Event Volume” Tax

Many compliance SaaS platforms charge more based on the number of “logged events” or “investigations” you conduct. For a control that requires you to assess everything from blocked phishing to server outages, these monthly costs can scale aggressively.

The Toolkit Advantage: You pay a single, one-off fee for the entire toolkit. Whether you assess 10 events a year or 10,000, the cost of your Event Assessment Documentation remains the same. You save your budget for actual security monitoring tools rather than an expensive compliance dashboard.

4. Freedom: No Vendor Lock-In for Your Decision Strategy

SaaS tools often mandate specific ways to report on and categorize events. If their system doesn’t match your unique business impact definitions or specialized technical environment, the tool becomes a bottleneck to efficiency.

The Toolkit Advantage: The High Table Toolkit is 100% technology-agnostic. You can tailor the Assessment Procedures to match exactly how you operate, whether you use a dedicated SOC or a lean IT team. You maintain total freedom to evolve your triage strategy without being constrained by the technical limitations of a rented SaaS platform.

Summary: For Annex A 5.25, the auditor wants to see that you have a formal process for assessing events and proof that you are making informed decisions (e.g., recorded assessment results and prioritised incidents). The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.

ISO 27001 Annex A 5.25 FAQ

What is ISO 27001 Annex A 5.25?

ISO 27001 Annex A 5.25 is a security control that requires organisations to assess information security events to determine whether they should be classified as information security incidents.

It provides a formalised process for filtering noise from genuine threats.
It ensures that incident response resources are only deployed when necessary.
It mandates the use of predefined criteria for consistent decision-making.

What is the difference between a security event and a security incident?

An information security event is an identified occurrence that indicates a possible breach, while a security incident is an event that has been confirmed to have an adverse effect on business operations.

Events: System log alerts, failed login attempts, or pintu-to-door visitors.
Incidents: Successful unauthorised access, data exfiltration, or service downtime.
Assessment: The process defined in 5.25 turns a “possible” event into a “confirmed” incident.

How do organisations assess information security events?

Organisations assess events by analysing the observed activity against a set of predefined impact thresholds and risk criteria established in the ISMS.

Technical Analysis: Reviewing system logs, traffic patterns, and user behaviour.
Impact Evaluation: Determining the potential effect on confidentiality, integrity, and availability.
Categorisation: Assigning a severity level based on the type of data or system affected.

Who is responsible for assessing security events under Annex A 5.25?

The responsibility typically lies with a designated individual or team with the appropriate technical knowledge, such as a Security Lead, SOC Analyst, or Incident Manager.

Authorisation: Only trained personnel should have the authority to classify an incident.
Escalation: The assessor must know exactly when to trigger the full Incident Response Plan.
Documentation: The assessor is responsible for recording the rationale behind the final decision.

What are the criteria for escalating an event to an incident?

Criteria for escalation usually include the breach of security policies, loss of data integrity, or any event that poses a significant risk to the organisation’s reputation.

Data Sensitivity: Any event involving Personal Identifiable Information (PII) or Intellectual Property.
Scale of Impact: Events affecting a large number of users or critical infrastructure.
Legal Obligations: Occurrences that trigger statutory reporting requirements (e.g., GDPR).

Should every security event be logged in a register?

Yes, organisations should maintain a log of all identified security events and the subsequent decisions made, as this forms a critical part of the audit trail.

Accountability: Proves that the organisation is actively monitoring and assessing threats.
Trend Analysis: Helps identify recurring “events” that may indicate a systemic weakness.
Compliance: Provides evidence for auditors that the 5.25 control is operating effectively.

How does Annex A 5.25 relate to Annex A 5.24?

Annex A 5.24 focuses on the planning and preparation for incident management, whereas Annex A 5.25 is the specific operational step of evaluating events as they happen.

Preparation (5.24): Writing the policy and defining the criteria.
Assessment (5.25): Applying the criteria to a live alert or observation.
Workflow: 5.25 is the “trigger” that puts the plans from 5.24 into active motion.

ISO 27001 Annex A 6.8 Information Security Event Reporting

ISO 27001 Annex A 8.15 Logging

ISO 27001 Annex A 5.26 Response To Information Security Incidents

ISO 27001 controls and attribute values

Control type	Information security properties	Cybersecurity concepts	Operational capabilities	Security domains
Detective	Confidentiality	Respond	Information Security Event Management	Defence
	Integrity	Detect
	Availability

Stuart Barker

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
wp_woocommerce_session_*	2 days	WooCommerce sets this cookie to make a unique code for each customer so that it knows where to find the cart data in the database for each one.
yith_wcmcs_currency	7 days	Required for currency conversion.
__stripe_mid	1 year	Stripe sets this cookie to process payments.
__stripe_sid	1 hour	Stripe sets this cookie to process payments.

Cookie	Duration	Description
yt-player-headers-readable	never	The yt-player-headers-readable cookie is used by YouTube to store user preferences related to video playback and interface, enhancing the user's viewing experience.
yt-remote-cast-available	session	The yt-remote-cast-available cookie is used to store the user's preferences regarding whether casting is available on their YouTube video player.
yt-remote-cast-installed	session	The yt-remote-cast-installed cookie is used to store the user's video player preferences using embedded YouTube video.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-fast-check-period	session	The yt-remote-fast-check-period cookie is used by YouTube to store the user's video player preferences for embedded YouTube videos.
yt-remote-session-app	session	The yt-remote-session-app cookie is used by YouTube to store user preferences and information about the interface of the embedded YouTube video player.
yt-remote-session-name	session	The yt-remote-session-name cookie is used by YouTube to store the user's video player preferences using embedded YouTube video.
ytidb::LAST_RESULT_ENTRY_KEY	never	The cookie ytidb::LAST_RESULT_ENTRY_KEY is used by YouTube to store the last search result entry that was clicked by the user. This information is used to improve the user experience by providing more relevant search results in the future.

Cookie	Duration	Description
sbjs_current	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_current_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_migrations	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_session	1 hour	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_udata	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.

Cookie	Duration	Description
PREF	8 months	PREF cookie is set by Youtube to store user preferences like language, format of search results and other customizations for YouTube Videos embedded in different sites.
VISITOR_INFO1_LIVE	6 months	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
VISITOR_PRIVACY_METADATA	6 months	YouTube sets this cookie to store the user's cookie consent state for the current domain.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
m	1 year 1 month 4 days	No description available.
_monsterinsights_uj	1 year	Description is currently not available.

Table of contents

What is ISO 27001 Annex A 5.25?

ISO 27001 Annex A 5.25 Purpose

ISO 27001 Annex A 5.25 Definition

Watch the ISO 27001 Annex A 5.25 Tutorial

ISO 27001 Annex A 5.25 Podcast

ISO 27001 Annex A 5.25 Implementation Guidance

Criteria for Categorising Events as Information Security Incidents

Assessment of Information Security Events

Information Security Assessment Formula

Decision on Information Security Events

Recording of Results

Implementation Conclusion

How to implement ISO 27001 Annex A 5.25

1. Formalise the Event Classification Matrix

2. Provision Technical Triage Capabilities

3. Execute the Assessment Protocol

4. Formalise the Escalation Decision

5. Communicate Findings to Relevant Stakeholders

6. Audit and Refine the Decision Logic

Event Classification Matrix

How to comply

How to pass an ISO 27001 Annex A 5.25 audit

What the auditor will check

1. That you have documented your roles, responsibilities and process

2. That you can demonstrate the process working

3. That you can learn your lesson

Top 3 ISO 27001 Annex A 5.25 Mistakes People Make and How to Avoid Them

1. Not having a documented information security incident management plan.

2. Not implementing the information security incident management plan.

3. Not monitoring the effectiveness of the information security incident management plan.

Why is Assessment and Decision on Information Security Events Important?

Applicability of ISO 27001 Annex A 5.25 across different business models.

Fast Track ISO 27001 Annex A 5.25 Compliance with the ISO 27001 Toolkit

1. Ownership: You Own Your Assessment Rules Forever

2. Simplicity: Governance for Real-World Triage

3. Cost: A One-Off Fee vs. The “Event Volume” Tax

4. Freedom: No Vendor Lock-In for Your Decision Strategy

ISO 27001 Annex A 5.25 FAQ

What is ISO 27001 Annex A 5.25?

What is the difference between a security event and a security incident?

How do organisations assess information security events?

Who is responsible for assessing security events under Annex A 5.25?

What are the criteria for escalating an event to an incident?

Should every security event be logged in a register?

How does Annex A 5.25 relate to Annex A 5.24?

Related ISO 27001 Controls

Further Reading

ISO 27001 controls and attribute values

Stuart Barker