Incident responseBeginner28 min read

What Does Incident severity Mean?

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security

This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.

On This Page

Quick Definition

Incident severity is a label given to a problem to show how bad it is and how quickly it needs to be fixed. It helps teams decide which issues to work on first. For example, a server crash affecting many users is high severity, while a single user's slow computer is low severity. This rating ensures critical problems get attention right away.

Commonly Confused With

Incident severityvsIncident priority

Incident severity is about the technical characteristics of the incident itself, such as how many users are affected and how quickly it might spread. Incident priority is a broader concept that takes severity into account but also considers business factors like the importance of the affected system to the company's revenue or reputation. Priority is the order in which incidents are resolved, while severity is the classification that helps determine that order.

An S1 incident affecting a non-critical internal tool might be given a lower priority than an S2 incident affecting a customer-facing system used by executives, because the business values the customer system more.

Incident severityvsIncident classification

Incident classification is the process of assigning a category to an incident, such as 'hardware failure', 'software bug', 'security breach', or 'network issue'. Severity is a rating of how critical that classified incident is. You classify what type of incident it is, then you assign severity to indicate its seriousness.

A server crash could be classified as 'hardware failure' and then assigned S1 severity. A forgotten password for a single user is classified as 'account issue' with S4 severity.

Incident severityvsIncident impact

Incident impact is one component of severity, specifically the measure of damage or disruption caused. Severity also includes urgency, which is the speed at which the problem could worsen. Impact alone does not account for time; an incident might have high impact but low urgency, resulting in a moderate severity.

A data leak of historical records that is not spreading has high impact (data compromised) but low urgency (no new data loss), so severity might be S2 rather than S1. A ransomware attack actively encrypting files has both high impact and high urgency, making it S1.

Incident severityvsCVSS (Common Vulnerability Scoring System) score

CVSS is a specific numerical scoring system (0-10) used to rate the severity of security vulnerabilities, not incidents. Incident severity is a broader classification that covers all types of IT incidents (performance, availability, security). CVSS is a more granular, standardized score used by vulnerability management teams to prioritize patching.

A vulnerability with a CVSS score of 9.1 is 'Critical' and would likely trigger an S1 security incident if exploited. A minor software bug causing a non-security crash might have no CVSS score but be an S3 incident.

Incident severity appears directly in 15exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on CompTIA CySA+. Practise them →

Must Know for Exams

Incident severity is a core concept tested across multiple certification exams because it is fundamental to how IT and cybersecurity teams operate. In the CompTIA Security+ (SY0-601) exam, incident response processes are a significant objective under Domain 4 (Security Operations). Candidates must understand the seven steps of incident response (Preparation, Detection, Analysis, Containment, Eradication, Recovery, and Lessons Learned) and how severity classification guides actions like containment and escalation. Exam questions often present a scenario where an organization discovers a data breach, and the candidate must decide the appropriate severity level based on impact and urgency. Misclassifying can lead to incorrect answers about notification procedures or response steps.

For the CompTIA CySA+ (CS0-002) exam, severity classification is even more detailed. The exam tests the ability to analyze vulnerability scanning results and prioritize remediation based on CVSS scores and business context. CySA+ also emphasizes the role of severity in security information and event management (SIEM) tools, where alerts are filtered and correlated based on severity values. Candidates need to understand how to create and modify correlation rules that trigger different incident response workflows depending on severity.

In the ISC2 CISSP exam, incident severity appears in Domain 7 (Security Operations) and is integrated into the broader incident response program. CISSP questions are often scenario-based, requiring candidates to understand how severity levels affect notification requirements, chain of custody, and legal reporting. For example, a question might ask what severity level a phishing attack that compromised a system administrator account should be assigned, and the candidate must consider the high impact on privileged access. CISSP also tests the difference between incident severity and incident priority, which are sometimes confused.

For Microsoft certifications like MS-102 (Microsoft 365 Administrator), SC-900 (Microsoft Security, Compliance, and Identity Fundamentals), and AZ-104 (Microsoft Azure Administrator), incident severity is a practical concept tied to Microsoft Defender for Cloud, Microsoft Sentinel, and service health dashboards. These exams test the ability to configure alert severity levels, automate responses with playbooks, and interpret incident severity in the Microsoft 365 Defender portal. Questions may ask how to prioritize incidents in a tenant that has multiple alerts, or what severity level to apply when a compliance policy is violated.

Even for AWS certifications like AWS Certified Solutions Architect (SAA-C03), incident severity connects to the AWS Well-Architected Framework, specifically the Reliability Pillar and Incident Response. Candidates must understand how to design systems that automatically respond to severity levels using AWS Lambda and CloudWatch. While not as heavily tested as in security exams, AWS questions may present a scenario where a critical S1 incident occurs and ask for the best escalation path or automated response.

Across all exams, the common thread is that severity classification is not just about memorizing definitions. Candidates must be able to apply severity in dynamic scenarios, considering multiple factors like data sensitivity, number of affected users, regulatory impact, and available workarounds. Practice with sample questions that describe a business situation is essential to build this skill.

Simple Meaning

Think of incident severity like the triage system in a hospital emergency room. When patients arrive, a nurse quickly checks them and assigns a color-coded tag: red for life-threatening, yellow for serious but stable, green for minor injuries, and black for deceased or beyond help. The red-tag patients are rushed into surgery or intensive care immediately, while green-tag patients can wait in the waiting room for hours. This system ensures that limited medical resources are used where they can save the most lives.

In IT, incident severity works the same way. When a problem occurs, like a website going down or a server crashing, the IT team needs to know how urgent it is. They cannot fix everything at once, so they assign a severity level based on two main factors: impact and urgency. Impact means how much damage the problem causes, such as how many users are affected or if a business process stops completely. Urgency means how fast the problem needs to be resolved to prevent more harm.

For example, imagine a large online store that sells products. If the payment system stops working during a holiday sale, that is a high-severity incident. Hundreds of thousands of customers cannot complete purchases, and the company loses money every second. The IT team must drop everything and fix it immediately. On the other hand, if a single employee cannot log in to their email, that is a low-severity incident. It is annoying but does not affect the business as a whole, so it can be fixed later in the day.

Different organizations use different labels, but a common system uses numbers: Severity 1 (S1) is the most critical, meaning a complete outage of a core service that affects all users. Severity 2 (S2) is a major problem that affects many users but has a workaround. Severity 3 (S3) is a minor issue affecting a small number of users with a workaround available. Severity 4 (S4) is a low-priority request or cosmetic issue. Sometimes severity is also broken into 'Incident severity' (how bad the current damage is) and 'Priority' (how fast it must be fixed based on severity and business needs).

The key takeaway is that incident severity helps IT teams focus their energy. Without it, every problem might seem urgent, and critical issues could be ignored while teams fix trivial ones. By using severity levels, teams can respond systematically, communicate clearly with stakeholders, and minimize downtime for the most important services.

Full Technical Definition

Incident severity is a formal classification used in Information Technology Infrastructure Library (ITIL) incident management and security incident response frameworks to categorize the impact and urgency of an incident. It is a critical component of the incident response process, enabling organizations to prioritize resources, automate alerts, and meet service-level agreements (SLAs). Severity is typically assessed after initial detection and before escalation, using predefined criteria that vary by organization but follow industry standards such as those defined in the National Institute of Standards and Technology (NIST) Special Publication 800-61 or ISO/IEC 27035.

From a technical perspective, incident severity is determined by evaluating two dimensions: impact and urgency. Impact refers to the extent of damage or disruption caused by the incident, measured in terms of the number of users affected, the criticality of the affected system, regulatory compliance implications, financial loss, or operational degradation. Urgency refers to the speed at which the incident could escalate or cause further damage if not addressed. For example, a ransomware attack that is actively encrypting files has high urgency because every minute increases data loss. In contrast, a misconfigured firewall that is blocking legitimate traffic but not causing active damage may have lower urgency if a workaround exists.

Severity levels are commonly numeric, with S1 (Critical) representing a complete loss of a core service that affects a large number of users or customers, with no workaround available. S2 (High) indicates a major impact on a significant portion of users, but with a temporary workaround. S3 (Medium) involves a minor impact on a limited user group, often with an available workaround. S4 (Low) covers non-urgent issues such as cosmetic bugs or single-user problems. In security contexts, additional severity labels like 'Informational' or 'Warning' may be used for events that are not yet incidents but require monitoring.

Incident severity directly drives the incident response process. For S1 incidents, automated alerts are sent to an on-call engineer via tools like PagerDuty or Opsgenie, with escalation to management within 15 minutes. A formal incident commander is assigned, a war room is established, and communication bridges are opened for cross-team coordination. SLA targets for resolution are strict: S1 incidents often require an initial response within five minutes, with resolution within one to four hours. S2 incidents might allow 15-minute response times and four to eight hours for resolution. S3 and S4 incidents can have response windows of hours or days.

Implementation of incident severity classification requires integration with monitoring and alerting systems. For example, in cloud environments like AWS, incident severity can be tied to CloudWatch alarms with specific thresholds. A latency spike above 5 seconds for the production database might trigger an S1 alarm. In Microsoft Azure, Azure Monitor alerts can be configured with severity levels that automatically create an incident in Azure Sentinel or a service desk tool like ServiceNow. Similarly, in cybersecurity, security information and event management (SIEM) platforms such as Splunk or Microsoft Sentinel use severity scores to prioritize alerts from a flood of log data.

incident severity is not static. It can change over the lifecycle of an incident. An S3 issue that was thought to be minor might be reclassified as S2 if the workaround fails or more users are affected. Conversely, an S1 incident may be downgraded to S2 after a temporary fix is implemented but the root cause remains unresolved. This dynamic adjustment is called 'severity drift' and is managed through regular incident review cycles.

incident severity is a structured, objective measure that standardizes how IT teams prioritize work. It allows clear communication both within the IT department and to business stakeholders, who need to understand the level of risk. It also provides a basis for post-incident reviews, where teams analyze whether the initial severity was accurate and whether the response was appropriate. Mastering incident severity is essential for IT professionals preparing for certifications like CompTIA Security+, CySA+, AWS Certified Solutions Architect, and CISSP, where incident response processes are heavily tested.

Real-Life Example

Imagine you are a chef in a busy restaurant kitchen. On a Saturday night, the restaurant is packed with customers, and orders keep coming. Suddenly, the main cooking stove stops working. All burners go out. This is a crisis: you cannot cook any hot food, which means the restaurant must close immediately. This is like an S1 incident in IT. The entire core service is down, affecting all customers. You need to react instantly, call the repair technician, inform the manager, and maybe even cancel orders. Every second lost makes customers angry and loses money.

Now consider a different scenario: one of the refrigerators that stores vegetables starts making a strange noise but is still cooling properly. It is not broken yet, but it might break soon. You place a call to maintenance to check it tomorrow, and you move some items to another fridge just in case. This is like an S3 incident. There is a potential problem, but it is not causing immediate disaster, and there is a workaround. You can wait a bit.

Finally, imagine a worker asks you to clean a small spill on the floor in the back storage room that nobody uses. It is not urgent, and it does not affect any customers or food preparation. You tell them you will handle it after the dinner rush. This is an S4 incident, low priority.

In the kitchen, just like in IT, you need to know which problem to fix first. You cannot spend time cleaning the back room while the stove is broken. Incident severity gives your team a shared understanding of what requires immediate action and what can be scheduled later. Without this, chaos would reign. In IT, the same logic applies: a crashed database for the main product is the burning stove, while a slightly slow printer is the noisy refrigerator, and a spelling error on an internal website is the floor spill.

Why This Term Matters

Incident severity matters because it directly affects how fast an organization can recover from problems. In the modern IT landscape, even a few minutes of downtime can cost a company thousands or millions of dollars. For example, a major online retailer losing its checkout system for ten minutes during a sales event might lose revenue that cannot be regained. Without a clear severity classification, every team member might respond to the same incident with different levels of urgency, leading to confusion and delayed resolution.

Beyond financial impact, incident severity is also crucial for regulatory compliance and security. In healthcare, a data breach involving patient records is a high-severity incident that must be reported to authorities within 72 hours under HIPAA or GDPR. Misclassifying it as low severity could result in fines and legal consequences. Similarly, in finance, a crash of a trading platform could have systemic risk implications. Proper severity classification ensures that compliance requirements are met and that the right stakeholders are notified at the right time.

For IT professionals, understanding incident severity is part of professional maturity. It demonstrates that you can think beyond just technical fixes and consider business context. It helps you communicate effectively with non-technical managers, who want to know how bad a problem is and when it will be fixed. In team environments, it builds trust and accountability. It also allows for continuous improvement through post-incident reviews, where teams can assess whether the severity was appropriate and if the response could have been faster.

Finally, in the job market, employers expect IT workers to understand incident management processes. Certifications that test incident response, such as Security+ and CySA+, place heavy emphasis on severity classifications. Knowing how to apply severity in a real environment makes you a more valuable candidate and a more effective team member.

How It Appears in Exam Questions

Incident severity appears in certification exams in several distinct question patterns: scenario-based selection, priority ordering, and configuration choices. The most common pattern is the scenario-based question, where the exam presents a short description of an incident and asks the candidate to select the appropriate severity level. For example: 'A company discovers that a customer database containing payment card information (PCI) has been accessed by an unauthorized external IP. Approximately 10,000 records were exfiltrated. What is the most appropriate incident severity level?' The correct answer would be S1 or Critical, because the incident involves sensitive data, regulatory compliance (PCI DSS), and a large number of affected records. Distractors might include S2 or S3, which would be incorrect because the impact is severe.

Another pattern is the ordering question, where the exam lists multiple incidents and asks the candidate to arrange them from highest to lowest priority based on severity. For example: 'Given the following incidents, prioritize them in order of severity: A) Email phishing campaign targeting five employees but no data loss; B) Complete outage of the corporate website for all external customers; C) A single user reporting slow performance on a laptop; D) A ransomware attack that has encrypted 50% of file servers.' The correct order would be D (highest), B, A, C (lowest). This tests the ability to weigh multiple factors simultaneously.

Configuration-based questions appear in exams like AZ-104 and MS-102, where a candidate must configure an alert rule with the correct severity. For instance: 'You are configuring an Azure Monitor alert for a virtual machine that shows memory usage above 90% for 15 minutes. The application on that VM supports the main sales database. Which severity should you assign?' The correct answer would be either S1 or S2 depending on whether the performance degradation is causing actual downtime or just risk. The candidate must understand that severity should match business impact, not just technical metrics.

In security-focused exams like CySA+, questions may involve analyzing a SIEM alert dashboard. The candidate is shown a list of alerts with severity values (Low, Medium, High, Critical) and must decide which to investigate first. The trick is that not all high-severity alerts are equal; sometimes a medium-severity alert that involves an executive's machine might be higher priority due to the value of the target. These questions test contextual thinking.

Finally, exam questions may also test the terminology around incident severity, such as the difference between impact and urgency, or the difference between severity and priority. For example: 'An incident has high impact but low urgency. What severity level is most appropriate?' The correct answer might be S2, because while many users are affected, the problem is not escalating quickly, so a temporary workaround can be applied. Understanding these nuances is key to answering correctly.

Practise Incident severity Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

A medium-sized e-commerce company, ShopWave, experiences a sudden problem. At 10:00 AM on Cyber Monday, users trying to add items to their shopping cart receive an error message: 'Cart temporarily unavailable. Please try again later.' The company's help desk receives hundreds of complaints within five minutes. The IT team quickly realizes that the shopping cart microservice is down. This outage directly prevents customers from making purchases, which means the company is losing revenue every minute. The Chief Technology Officer estimates that the loss is about $10,000 per minute. The incident is immediately classified as Severity 1 (Critical) because it affects the core functionality of the site, impacts all customers, has no workaround, and carries a high financial cost.

The on-call engineer receives an automated alert and begins working. The incident commander establishes a conference bridge with the development, infrastructure, and security teams. A temporary workaround is attempted by redirecting traffic to a backup instance, but it also fails, likely due to a shared database issue. After 45 minutes of intense troubleshooting, the team identifies a corrupted cache in the session database. They clear the cache, restart the service, and the cart begins working again at 10:50 AM. The total downtime was 50 minutes, costing ShopWave approximately $500,000 in lost sales. The incident is then downgraded to S2 while the team investigates the root cause to prevent future occurrences.

In contrast, later that same day, an employee reports that the company's internal wiki site (used for documentation) is loading slowly. The site is not customer-facing, and it is an internal tool. Only the marketing team is affected, and they can still access it, just slowly. The help desk classifies this as a Severity 3 (Medium) incident. A ticket is created, but the team does not interrupt the engineers still working on the post-incident review for the earlier S1. Instead, the wiki issue is resolved the next day by increasing the server's memory allocation. This scenario shows how incident severity helps teams focus on what truly matters: the critical revenue-impacting problem got immediate attention, while a minor inconvenience waited.

Common Mistakes

Confusing severity with priority and using them interchangeably.

Severity measures the technical impact and urgency of an incident, while priority is a business-driven score that also includes factors like regulatory deadlines and customer importance. They are related but not the same. Using them interchangeably leads to miscommunication in incident reports and escalations.

Always assess severity based on the technical criteria (impact and urgency) first, then let a business process or automated rule assign priority. In exams, remember that severity is about the incident itself, while priority is about the order in which it is handled.

Assigning severity only based on the number of users affected, ignoring data sensitivity or regulatory impact.

A data breach affecting only ten records of personally identifiable information (PII) might be more severe than an outage affecting one thousand users of a non-critical internal tool, because of legal and reputational risks. Severity must incorporate the nature of the affected data and compliance obligations.

When classifying severity, consider the type of data involved (PII, healthcare, financial, intellectual property) and any regulatory requirements (GDPR, HIPAA, PCI-DSS). These factors can elevate severity even if user impact is low.

Failing to re-evaluate severity during an incident, assuming the initial classification is permanent.

Incident details can change: a minor issue may spread, or a workaround might be found, reducing severity. Keeping a static classification can lead to inappropriate resource allocation or delayed escalation. For example, a server performance issue initially classified as S3 might turn into an S1 if it causes a cascading failure.

During an incident, continuously reassess severity based on new information. Use predefined criteria for severity change triggers, such as 'if the workaround fails, escalate severity.' Document all changes for the post-incident review.

Setting severity so that everything is S1 or Critical, leading to 'alert fatigue'.

If every incident is classified as the highest severity, the IT team becomes desensitized. They may start ignoring or overlooking real critical issues because they are buried among hundreds of alerts. This defeats the purpose of prioritization and reduces the effectiveness of the incident response process.

Create clear, objective criteria for each severity level and enforce them. Audit incident classifications regularly to ensure consistency. A high bar for S1 should exist, such as 'complete loss of a revenue-generating service for all customers'.

Ignoring the urgency component and only looking at current impact.

An incident may have low current impact but high urgency because it could rapidly escalate. For example, a compromised test server with no customer data might seem low-severity, but if that server is used as a pivot point for lateral movement in the network, it has high urgency. Waiting to respond could be disastrous.

Always evaluate both impact and urgency. Ask: 'If we do nothing for the next hour, will this incident get much worse?' This future-oriented thinking helps assign appropriate severity and response speed.

Exam Trap — Don't Get Fooled

{"trap":"In exam questions, the term 'severity' is sometimes used in a list along with 'priority' and 'classification,' and the question asks which one is determined first. Many candidates mistakenly choose 'priority' first, thinking it is the overarching concept.","why_learners_choose_it":"Learners often assume that because priority drives the actual ordering of work, it must be determined first.

They also see 'priority' as a more actionable or business-oriented term, so they think it comes before the technical assessment.","how_to_avoid_it":"Remember the correct sequence: first, determine the technical severity based on impact and urgency. Then, based on that severity and business context (such as customer importance, SLA, or regulatory deadlines), assign a priority.

In other words, severity informs priority, not the other way around. In exam questions, if a scenario describes an incident, always assess severity first from a technical standpoint, then think about the business priority for scheduling the fix."

Step-by-Step Breakdown

1

Detection

An incident is detected through monitoring tools (e.g., SIEM, CloudWatch, help desk tickets) or human reports. The system or user logs a reference for the event. This step is crucial because without detection, there is no incident. The detection method can affect how quickly severity is assessed, as automated detections often include preliminary severity estimates.

2

Initial Assessment

The first responder or automated system evaluates the incident to determine its scope and impact. Key questions include: What systems are affected? How many users are impacted? Is any data at risk? Is the problem related to security or availability? This assessment forms the basis for the initial severity classification.

3

Severity Classification

Based on the initial assessment, the incident is assigned a severity level (S1 through S4, or Critical/Low). The classification is guided by organizational policies that define specific criteria for each level. For example, an S1 might require that the core business service is completely unavailable and no workaround exists. This step is documented in the incident record.

4

Escalation and Notification

The severity classification triggers appropriate escalation paths. For S1/S2 incidents, on-call engineers, incident commanders, and management are notified immediately via phone, SMS, or tools like PagerDuty. For lower severities, a ticket is created and routed to the appropriate team during business hours. The severity level determines the speed and breadth of communication.

5

Containment and Mitigation

The incident response team takes immediate action to prevent further damage. This may include isolating affected systems, applying temporary workarounds, blocking malicious IPs, or failing over to a backup. The containment strategy is often dictated by the severity level: S1 incidents require aggressive containment even if it means taking systems offline, while S4 containment might be as simple as moving a user to a different laptop.

6

Investigation and Root Cause Analysis

Once contained, the team investigates the root cause of the incident. This is done in parallel with mitigation for higher severity incidents. The goal is to understand what happened, how to eradicate the problem, and what systemic weaknesses allowed it. The investigation depth depends on severity; S1 incidents get a full forensic analysis, while S3 incidents may only require a quick log review.

7

Eradication and Recovery

The root cause is removed from the environment. This could involve patching software, removing malware, restoring data from backup, or replacing hardware. After eradication, the system is restored to normal operation. The recovery process for S1 is typically accelerated using automated failover or rollback procedures. Lower severities may follow standard change management cycles.

8

Post-Incident Review and Improvement

After the incident is resolved, a review meeting is held to analyze the response. The team evaluates whether the initial severity classification was accurate, if the response times met SLAs, and what could be improved. Findings are documented and used to update incident response procedures, automation rules, and future severity definitions. This step is critical for continuous improvement.

Practical Mini-Lesson

Incident severity is not just a theoretical concept; it is a practical tool that IT professionals use every day to manage their workload and communicate with business stakeholders. In practice, the process of assigning severity often starts with a help desk ticketing system like ServiceNow, Jira Service Management, or Zendesk. These systems allow the help desk to select a severity level when opening a ticket. But the real work happens after the ticket is created. The assignment of severity directly influences how fast a technician will respond, whether the escalation chain is activated, and even whether a security team is pulled into the investigation.

For example, in a typical medium-sized company, the help desk might answer a call from a user who cannot access their email. The technician quickly checks if the problem is isolated to one user or widespread. If only one user is affected, it is likely S3 or S4. But if the technician finds that multiple users in the same department are affected, the severity might be raised to S2. If the entire company cannot access email, the technician immediately escalates to S1, even before fully understanding the root cause, because the business impact is clear.

One of the most important practical aspects of incident severity is its integration with Service Level Agreements (SLAs). Companies often sign contracts with customers or internally between departments that specify response time targets for each severity level. For example, an S1 incident might have a 5-minute first response SLA and a 2-hour resolution SLA. Failing to meet these SLAs can result in financial penalties or damaged reputation. Therefore, IT teams have dashboards and automated reminders to track SLA compliance. If a ticket approaches the SLA breach time, the system automatically triggers notifications to managers.

Another practical application is in security operations centers (SOCs). SOC analysts work with SIEM platforms that generate thousands of alerts per day. Each alert has an initial severity, but human review is essential. A high-severity alert from an IDS might be a false positive, while a medium-severity alert from an endpoint detection system might be a real breach. SOC analysts use their judgment to override the initial severity based on additional context, such as the asset value or the presence of indicators of compromise (IoCs). This is why severity classification must be flexible and allow for human intervention.

What can go wrong? A common problem is 'severity inflation' where teams deliberately assign higher severity to get faster attention, even when the incident does not meet the criteria. This erodes the credibility of the system. Another issue is inconsistent classification across teams. The networking team might consider a router failure as S1 because it affects connectivity, while the security team might consider the same router failure as S2 because there is no data breach. To solve this, organizations create a severity matrix that is agreed upon by all teams and reviewed quarterly. This matrix includes specific examples for each severity level, such as what qualifies as 'complete loss of service' or 'significant user impact'.

For IT certification candidates, understanding these practical nuances is more valuable than memorizing a definition. When you face a scenario question in an exam, think like a professional: ask yourself what the business impact is, how quickly the situation could worsen, and whether there is a workaround. That is the real skill of incident severity classification.

Memory Tip

Think of the emergency room triage 'RED' tag for Severity 1: life-threatening, immediate action needed. Severity is the 'medical' assessment; priority is the 'treatment order'.

Learn This Topic Fully

This glossary page explains what Incident severity means. For a complete lesson with labs and practice, see the topic guide.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Legacy Exam Context

Older materials may mention these exam versions, but learners should use the current objectives for their target exam.

SY0-601SY0-701(current version)

Related Glossary Terms

Frequently Asked Questions

What is the difference between incident severity and incident priority?

Incident severity measures the technical impact and urgency of the incident itself, such as how many users are affected or if data is breached. Incident priority is a business-level decision that uses severity as an input but also considers factors like the affected system's business value and regulatory deadlines. In short, severity is about the incident; priority is about how to schedule its resolution.

Can the severity of an incident change over time?

Yes, severity can change as new information emerges or as the incident evolves. For example, an S3 incident might be escalated to S1 if a workaround fails and more users become affected. Continuous reassessment is a best practice to ensure appropriate response.

How many severity levels are typically used?

Most organizations use three to four levels. The most common model is S1 (Critical), S2 (High), S3 (Medium), and S4 (Low). Some use five levels, and others use three (High, Medium, Low). The key is consistency across the organization.

What is the role of automation in incident severity?

Automation can assign initial severity based on predefined rules, such as alert thresholds or number of affected users. It also triggers notifications, creates tickets, and even runs auto-remediation playbooks for known incidents. However, human judgment is still needed to verify and adjust severity when context is complex.

How does incident severity affect SLAs?

SLAs (Service Level Agreements) define specific time commitments for response and resolution based on severity. For example, an S1 incident might require a first response within 5 minutes and resolution within 2 hours, while an S3 incident might have a 24-hour response window. Failing to meet SLAs can lead to penalties.

Is incident severity only used for security incidents?

No, incident severity applies to all types of IT incidents, including hardware failures, software bugs, network outages, performance degradation, and security breaches. It is a general incident management concept, though it is especially emphasized in security contexts.

How do I decide between S1 and S2?

The key difference is usually the availability of a workaround. If there is no workaround and the core service is completely down for all users, it is S1. If a temporary workaround exists that reduces impact, or the outage affects only a subset of users, it is typically S2. Also, if the incident involves data exfiltration or active attack, it is almost always S1.

What is 'severity inflation' and why is it bad?

Severity inflation is when teams assign a higher severity level than the actual criteria warrant, in order to get faster attention. This dilutes the meaning of high severity, leading to alert fatigue where teams ignore or slow down response to truly critical incidents. It undermines the entire incident management system.