Cyber Defense Tactics

beginner

Escalation Matrix and Procedures

Escalation procedures and contact matrix for security incidents.

Template - customize for organization. 5 steps, 7 checklist items.

Summary

Framework for determining when and how to escalate security incidents based on severity.

Step-by-Step Procedure

1. Severity Classification

Determine incident severity.

Actions

  • Critical (P1): Active breach, ransomware, executive compromise
  • High (P2): Contained incident, significant risk
  • Medium (P3): Limited impact, under control
  • Low (P4): Minor incident, no immediate risk

2. Initial Escalation

First-level escalation based on severity.

Actions

  • P1: Immediate call to security leadership + CISO
  • P2: Security team lead notification within 30 min
  • P3: Security team notification within 2 hours
  • P4: Ticket creation, normal queue

3. Executive Escalation

When to involve executive leadership.

Actions

  • P1: CISO briefs CEO/COO within 1 hour
  • P1: Board notification per policy
  • P2: CISO briefed within 4 hours, C-suite if needed
  • P3/P4: Include in regular security reporting

4. External Escalation

External parties to engage.

Actions

  • Legal counsel for any potential breach
  • Cyber insurance for significant incidents
  • Law enforcement for criminal activity
  • Forensic firm for major investigations
  • Regulatory bodies per notification requirements

5. Communication Channels

How to escalate.

Actions

  • P1: Direct phone call, out-of-band communication
  • P2: Secure messaging + email
  • P3: Email notification
  • P4: Ticket system

Completion Checklist

  • Severity correctly classified
  • Appropriate parties notified per severity
  • Notification timelines met
  • External parties engaged as needed
  • Communication channels appropriate to severity
  • Escalation documented
  • Acknowledgment received

Evidence to Collect

  • Escalation records
  • Notification timestamps
  • Acknowledgment records
  • Contact records
