NCSRC NIRMATA
MD-12 · Monitoring & Detection · 6% of OML score

Is there a process to escalate suspicious activity for further action?

When your staff or security tools spot something suspicious—like unusual login attempts, strange file access, or a potential cyber attack—do you have a clear process to report it and get it dealt with quickly by the right person? This question checks whether suspicious activity actually gets escalated to someone who can investigate and take action, rather than being ignored or sitting in someone's inbox.

Why This Matters to Your Business

Without an escalation process, security alerts get lost, ignored, or handled by the wrong person—and by the time anyone notices, attackers have already stolen customer data or encrypted your files for ransom. A small export business in Bangalore lost ₹18 lakhs when suspicious login alerts from their accounting system were ignored for three days because there was no clear process saying who should act on them. Regulatory auditors and large customers (like TCS or Infosys if you're a vendor) will ask to see your escalation procedure, and if you can't show it, you'll fail compliance reviews. Delayed response to attacks means bigger damage, higher recovery costs, and loss of customer trust.

What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You have no formal process at all. When something suspicious happens, the person who notices it just tells the IT guy informally, or nobody tells anyone and the alert disappears.

Level 1
Initial

Someone—usually your IT person or owner—occasionally gets told about suspicious activity, but there's no written procedure, no clear definition of what counts as 'suspicious,' and no tracking of what happened after the alert.

Level 2
Developing

You have a basic written escalation process (even a one-page checklist) that says: if this happens, email the IT person; if it's really bad, also tell the owner. You're tracking some incidents in a simple spreadsheet or register.

Level 3
Defined

You have a documented escalation procedure with clear roles (who reports, who investigates, who decides action), defined severity levels (high/medium/low), and a simple ticket system (even Google Forms or Zoho) to log and track every alert from detection to resolution.

Level 4
Managed

Your escalation process is integrated with your monitoring tools so alerts automatically create tickets, severity is assigned based on rules, and managers get notified by email or SMS. You review escalations monthly and improve the process based on what you learn.

Level 5
Optimised

Your escalation system is automated, continuously monitored, and tested quarterly with fake alerts to make sure people actually respond. You have a command center mindset, keep detailed records of every incident, and use the data to predict and prevent attacks before they happen.

How to Move Up — Practical Steps

Step 0 → 1
What to do: Write a one-page document titled 'What to do if you see something suspicious' that lists: what counts as suspicious (unusual logins, forgotten passwords, strange emails, slow systems), who to tell immediately (name and phone of IT person or owner), and when to tell them (right away, don't wait). Print it and stick it on the office wall.
Who: Business owner or IT person
Effort: 2-3 hours

Step 1 → 2
What to do: Create a simple escalation flowchart showing: Step 1 (person notices suspicious activity) → Step 2 (report to IT person) → Step 3 (IT person assesses severity) → Step 4 (if serious, escalate to owner). Create a basic incident log in a shared Excel sheet or Google Sheet with columns: Date, What Happened, Who Reported It, Who Is Investigating, Current Status, Resolution Date.
Who: IT person with owner's input
Effort: 1 week

Step 2 → 3
What to do: Formalise the escalation procedure with: (a) severity definitions (Level 1 = data breach/ransomware = call owner immediately; Level 2 = unusual access pattern = email IT by end of day; Level 3 = suspicious email = report but not urgent); (b) clear roles and responsibilities (who investigates, who approves action, who communicates with customers); (c) SLA (response time target, e.g. Level 1 within 30 minutes). Document in a 2-3 page procedure and get owner sign-off.
Who: IT person with owner approval
Effort: 2-3 weeks

Step 3 → 4
What to do: Implement a basic ticketing system (Zoho Desk free tier, Freshdesk, or even a Google Form that auto-creates a spreadsheet entry) so alerts automatically become tickets with unique ID, timestamp, and status. Set up email notifications so the IT person and owner get alerted immediately when a high-severity ticket is created. Run a monthly review meeting to discuss all escalations and identify patterns.
Who: IT person to set up; owner to review monthly
Effort: 3-4 weeks

Step 4 → 5
What to do: Automate escalation: integrate your monitoring tools (antivirus, firewall, email gateway, network monitoring) to send alerts directly to your ticketing system with severity auto-assigned based on rules. Run quarterly 'drill' tests by injecting fake suspicious activity to check that escalation actually happens. Maintain an incident trend report showing what gets escalated, how fast it's resolved, and what you've learned.
Who: IT person with external consultant if needed
Effort: Ongoing (1-2 months initial setup, then monthly maintenance)

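The severity definitions, SLA targets and auto-created tickets from steps 2 → 3 and 3 → 4 above, as an added worked example in Python (this is not code from the NIRMATA guide or from any of the tools it names). The keyword rules, contact labels, ticket-ID prefix and the 8-hour reading of 'by end of day' are assumptions, and the sample alerts are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Severity rules from the procedure (Level 1 most urgent). Keywords, contact labels
# and the 8-hour "by end of day" window are assumptions, not taken from the guide.
RULES = {
    1: dict(keywords=("ransomware", "data breach", "files encrypted"),
            notify=("owner", "it-person"), sla=timedelta(minutes=30)),
    2: dict(keywords=("unusual login", "unusual access", "unknown country"),
            notify=("it-person",), sla=timedelta(hours=8)),
    3: dict(keywords=("suspicious email", "phishing"),
            notify=("it-person",), sla=timedelta(days=1)),
}

@dataclass
class Ticket:                       # one row of the incident register
    ticket_id: str                  # unique ID, as the 3 -> 4 step requires
    created: datetime
    description: str
    severity: int
    notify: tuple                   # who must be alerted for this severity
    due: datetime                   # created + SLA for this severity
    resolved: "datetime | None" = None   # None = still open

def assign_severity(description: str) -> int:
    # Most urgent matching rule wins; unmatched alerts default to Level 2 so an
    # unknown pattern is still worked the same day rather than silently dropped.
    text = description.lower()
    for level in sorted(RULES):
        if any(k in text for k in RULES[level]["keywords"]):
            return level
    return 2

class EscalationRegister:
    def __init__(self): self.tickets = []
    def open_ticket(self, description, now):
        sev = assign_severity(description)
        t = Ticket(f"MD12-{len(self.tickets) + 1:04d}", now, description, sev,
                   RULES[sev]["notify"], now + RULES[sev]["sla"])
        self.tickets.append(t)
        return t                    # the caller sends the alert to everyone in t.notify
    def close_ticket(self, ticket_id, now):
        next(t for t in self.tickets if t.ticket_id == ticket_id).resolved = now
    def sla_breaches(self, now):    # closed late or still open past due
        return [t for t in self.tickets if (t.resolved or now) > t.due]

def build_demo_register():
    # Constructed sample alerts (not real data) run through the register.
    reg, t0 = EscalationRegister(), datetime(2024, 6, 3, 9, 0)
    reg.open_ticket("Antivirus: ransomware behaviour on ACCOUNTS-PC", t0)
    reg.open_ticket("Accounting app login from unknown country", t0 + timedelta(minutes=5))
    reg.open_ticket("Staff report: suspicious email asking for bank details", t0 + timedelta(hours=1))
    for tid, mins in (("MD12-0001", 20), ("MD12-0003", 120)):   # 0001 closed inside its 30 min SLA
        reg.close_ticket(tid, t0 + timedelta(minutes=mins))
    return reg, t0 + timedelta(days=3)    # MD12-0002 still open at the monthly review
```

The same path carries the quarterly drill from step 4 → 5: feed in a clearly labelled fake alert and confirm it lands in the register with the expected severity and notify list, and that it is closed within its SLA.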
Evidence You Should Have

Documents and records that prove your maturity level.

  • Written escalation procedure document signed by owner and dated, with at least severity levels, roles, and contact details
  • Incident register or log (spreadsheet, Google Sheet, or ticketing system printout) showing at least 10-15 recent incidents/alerts with: date, description, reporter name, investigator name, severity assigned, status, and resolution date
  • Email or Slack/WhatsApp screenshot showing at least one alert notification being sent to the right person within minutes of detection
  • Monthly escalation review report or meeting notes showing incidents discussed, trends identified, and action points agreed
  • Training attendance sheet or email showing that all staff were told about the escalation process and know who to contact
What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Walk me through what happens the moment someone on your team spots a suspicious login attempt from an unknown country—who do they tell, how do they tell them, how long does the response take, and how do you track whether action was taken?"
  • "Show me your incident log for the last three months. Can you explain why this alert here was resolved in 2 hours but that one took 5 days? Did you follow your escalation procedure?"
  • "If a ransomware attack started encrypting files right now, what is the exact sequence of people who would be notified, in what order, and how would you make sure the CEO gets told within 10 minutes?"
  • "Do you test your escalation process? Show me evidence that you've done a practice drill or simulation to verify that alerts actually reach the right person and trigger a response."
Tools That Work in India

Purpose: Create and manage incident tickets so alerts don't get lost and you can track status from detection to resolution
Free option: Google Forms + Google Sheets (create a form for reporting suspicious activity; responses auto-populate a sheet), or Zoho Desk free tier (up to 3 users)
Paid option: Freshdesk (₹5,000–₹15,000/year for a small team), HubSpot Service Hub (₹6,000–₹12,000/year)

Purpose: Send real-time alerts to the right person when suspicious activity is detected, so escalation happens immediately, not hours later
Free option: Email notifications from antivirus or firewall (built-in), IFTTT (free if-this-then-that automation), Slack free tier with email integration
Paid option: PagerDuty (₹4,000–₹10,000/month for on-call alerts), Opsgenie (₹3,000–₹8,000/month)

Purpose: Monitor your network and systems 24/7 so suspicious activity is actually detected and can be escalated before damage is done
Free option: Wazuh (open-source endpoint detection), Suricata IDS (open-source network monitoring)
Paid option: Fortinet FortiManager (₹2–₹5 lakhs/year depending on deployment), Darktrace (₹10–₹20 lakhs/year, enterprise grade, likely too expensive for an MSME but worth knowing about)

How This Makes You More Resilient
A strong escalation process means security problems get fixed before they turn into disasters—ransomware attacks get stopped in the first hour instead of encrypting everything, data breaches are contained to a few rows instead of your whole customer database, and compliance audits pass because you can prove you responded quickly. Your team will also spot and report threats faster because they know exactly who to tell and that action will be taken, creating a real security culture instead of a helpless feeling where 'it's the IT guy's problem.'
Common Pitfalls in India
  • Owner or IT person gets too many false alarms and starts ignoring real ones—solve this by tuning alert rules to reduce noise and clearly defining what 'suspicious' means before you start escalating everything
  • Escalation procedure only lives in the head of one IT person; if they leave or go on leave, nobody knows what to do—always document it in writing, share it with at least 2-3 people, and test it when that person is absent
  • Staff are afraid to report suspicious activity because they worry they'll get blamed or it will cause trouble, so they stay silent—make it clear in your escalation policy that reporting in good faith is encouraged and will not result in punishment
  • Escalation takes place but nobody tracks what happened next, so you can't tell if issues are being resolved or just swept under the carpet—always log every escalation in a register with a status field that gets updated until closure
  • Large customers or auditors ask to see your escalation procedure and you either have nothing to show or it's so vague it's useless—keep a signed, dated, version-controlled copy of your procedure and update it at least once a year
Compliance References

Standard: DPDP Act 2023
Relevant section: Section 8 (data breach notification): you must notify affected individuals and the Data Protection Board 'without unreasonable delay'; escalation ensures you detect breaches fast and notify promptly

Standard: CERT-In 2022 Direction
Relevant section: Reporting of cybersecurity incidents: entities must report 'critical' incidents to CERT-In within 6 hours and 'medium' incidents within 30 days; the escalation process ensures incidents are detected and reported on time

Standard: ISO 27001:2022
Relevant section: Clause A.5.31 (identification of information security events), A.8.36 (incident management), A.8.37 (response to information security incidents); escalation is a core part of incident response

Standard: NIST CSF 2.0
Relevant section: Detect function (DE.DP-4: detection processes are triggered and executed); Respond function (RS.RP-1: processes are initiated to execute incident response)


TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security