What is the definition for Priority 1 (P1) and Priority (P2) incidents?
Hi!

We recently decided to rework our approach to incidents.

First of all, we have an aggregated definition of incident: any deviation from normal business is an incident, and every incident needs to follow the same process.

To address the right people and involve them in incident handling, we just put flags onto an incident:
- Physical
- Security
- IT
- Data Breach

As well as reporting duties for certain regulatory bodies:
- GDPR
- DORA
- ...

Let's see how that works.
An impact/urgency matrix can help give a clear view of this, with the weighting on impact as they both may be as urgent as each other.
A P1 incident affects a large number of users, systems, or services and may result in widespread disruption of business operations.
A P2 incident may affect a smaller number of users, systems, or services, and may result in localized disruption of business operations.
In my experience, people can fixate on the number of users and disregard something that only impacts 3 people.
But if those 3 people are the only 3 doing a specific process, and the process is critical, then it might warrant a P1.
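The impact/urgency matrix mentioned above, combined with the point that impact is about business disruption rather than head count, as an added example (not code from anyone in this thread). The thresholds, the user-share rule and the matrix cells are assumptions chosen for illustration; a real deployment would tune them to its own context.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3

@dataclass
class Incident:
    affected_users: int
    total_users: int
    # True when the affected users are the only ones running a critical process
    critical_process_blocked: bool
    # Hours until a hard deadline (SLA, regulatory clock); None if no deadline
    hard_deadline_hours: Optional[float]

def impact(inc: Incident) -> Level:
    # Impact reflects business disruption, not head count alone:
    # a blocked critical process is HIGH even if only a few users are hit.
    if inc.critical_process_blocked:
        return Level.HIGH
    share = inc.affected_users / inc.total_users if inc.total_users else 0.0
    if share >= 0.5:  # assumed threshold: half the user base
        return Level.HIGH
    if share >= 0.1:  # assumed threshold: a tenth of the user base
        return Level.MEDIUM
    return Level.LOW

def urgency(inc: Incident) -> Level:
    # Urgency is driven by how soon the disruption becomes unacceptable.
    if inc.hard_deadline_hours is None:
        return Level.LOW
    if inc.hard_deadline_hours <= 4:
        return Level.HIGH
    if inc.hard_deadline_hours <= 24:
        return Level.MEDIUM
    return Level.LOW

# Matrix weighted toward impact (assumed cells): high impact never drops
# below P2, while high urgency with low impact is capped at P3.
MATRIX = {
    (Level.HIGH, Level.HIGH): "P1",   (Level.HIGH, Level.MEDIUM): "P1",
    (Level.HIGH, Level.LOW): "P2",    (Level.MEDIUM, Level.HIGH): "P2",
    (Level.MEDIUM, Level.MEDIUM): "P3", (Level.MEDIUM, Level.LOW): "P3",
    (Level.LOW, Level.HIGH): "P3",    (Level.LOW, Level.MEDIUM): "P4",
    (Level.LOW, Level.LOW): "P4",
}

def priority(inc: Incident) -> str:
    """Map an incident to P1..P4 via the impact-weighted matrix."""
    return MATRIX[(impact(inc), urgency(inc))]
```

With these assumptions, 3 users who are the sole operators of a critical process land at P1, while the same 3 users on a non-critical task land at P3 despite an identical deadline.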
Beyond the classical definitions that have already been provided, let me add a twist.
CEO/Board member impact due to unavailability of any technology service is P1 in most companies, for the rest of the CXOs it could be P2.
You can define them pretty much however you want based on your context. There is no one-size-fits-all definition.
The classification is usually based on business impact/severity and the urgency of the issue. P1 has higher severity & urgency than P2. In some companies, they can also have P0.
P1 incidents are the most critical incidents that require immediate action to contain and resolve the issue and prevent further damage or loss.
P2 incidents are significant incidents that require prompt attention to mitigate the risk of data loss or disruption to business operations.
Both P1 and P2 incidents follow established incident management procedures to prioritize resources, coordinate efforts among different teams, and communicate updates to stakeholders until the incident is resolved.
What is the classification of a Cyber incident vs. the levels P1, P2 (more classic ITIL-oriented) in most tools?
Can you still have P1 and P2 incidents, based on the level of attack, but classify them as Cyber?
We set up a service called Cyber, and if the incident is, for example, a DDoS attack, we get a standard P1 alert, but we manually start a new P1 linked to the "Cyber Service" so we can track them and have a special playbook for the incident.
Any thoughts on how to structure security incidents in standard incident tools like PagerDuty?