Incident Response
Incident Response protocol schemas
Incident Response Protocol — ISO 27001:2022 (A.5.24–A.5.28)
Defines schemas for information security event management including
incident classification, severity grading, response procedures,
and notification matrices.
@see https://www.iso.org/standard/27001
@category Security
Source: packages/spec/src/system/incident-response.zod.ts
TypeScript Usage
```typescript
// Runtime schemas (needed for .parse() / .safeParse())
import { Incident, IncidentCategory, IncidentNotificationMatrix, IncidentNotificationRule, IncidentResponsePhase, IncidentResponsePolicy, IncidentSeverity, IncidentStatus } from '@objectstack/spec/system';
// Alternative, type-only form; do not combine it with the value import above under the same names
// import type { Incident, IncidentCategory, IncidentNotificationMatrix, IncidentNotificationRule, IncidentResponsePhase, IncidentResponsePolicy, IncidentSeverity, IncidentStatus } from '@objectstack/spec/system';

// Validate data (throws a ZodError on invalid input)
const result = Incident.parse(data);
```
Incident
Security incident record per ISO 27001:2022 A.5.24–A.5.28
Properties
| Property | Type | Required | Description |
|---|---|---|---|
| id | string | ✅ | Unique incident identifier |
| title | string | ✅ | Incident title |
| description | string | ✅ | Detailed incident description |
| severity | Enum<'critical' \| 'high' \| 'medium' \| 'low'> | ✅ | Incident severity level |
| category | Enum<'data_breach' \| 'malware' \| 'unauthorized_access' \| 'denial_of_service' \| 'social_engineering' \| 'insider_threat' \| 'physical_security' \| 'configuration_error' \| 'vulnerability_exploit' \| 'policy_violation' \| 'other'> | ✅ | Incident category |
| status | Enum<'reported' \| 'triaged' \| 'investigating' \| 'containing' \| 'eradicating' \| 'recovering' \| 'resolved' \| 'closed'> | ✅ | Current incident status |
| reportedBy | string | ✅ | Reporter user ID or system name |
| reportedAt | number | ✅ | Report timestamp |
| detectedAt | number | optional | Detection timestamp |
| resolvedAt | number | optional | Resolution timestamp |
| affectedSystems | string[] | ✅ | Affected systems |
| affectedDataClassifications | Enum<'pii' \| 'phi' \| 'pci' \| 'financial' \| 'confidential' \| 'internal' \| 'public'>[] | optional | Affected data classifications |
| responsePhases | Object[] | optional | Incident response phases |
| rootCause | string | optional | Root cause analysis |
| correctiveActions | string[] | optional | Corrective actions taken or planned |
| lessonsLearned | string | optional | Lessons learned from the incident |
| relatedChangeRequestIds | string[] | optional | Related change request IDs |
| metadata | Record<string, any> | optional | Custom metadata key-value pairs |
IncidentCategory
Allowed Values
'data_breach' | 'malware' | 'unauthorized_access' | 'denial_of_service' | 'social_engineering' | 'insider_threat' | 'physical_security' | 'configuration_error' | 'vulnerability_exploit' | 'policy_violation' | 'other'
IncidentNotificationMatrix
Incident notification matrix with escalation policies
Properties
| Property | Type | Required | Description |
|---|---|---|---|
| rules | Object[] | ✅ | Notification rules by severity level |
| escalationTimeoutMinutes | number | ✅ | Auto-escalation timeout in minutes |
| escalationChain | string[] | ✅ | Ordered escalation chain of roles |
IncidentNotificationRule
Incident notification rule per severity level
Properties
| Property | Type | Required | Description |
|---|---|---|---|
| severity | Enum<'critical' \| 'high' \| 'medium' \| 'low'> | ✅ | Minimum severity to trigger notification |
| channels | Enum<'email' \| 'sms' \| 'slack' \| 'pagerduty' \| 'webhook'>[] | ✅ | Notification channels |
| recipients | string[] | ✅ | Roles or teams to notify |
| withinMinutes | number | ✅ | Notification deadline in minutes from detection |
| notifyRegulators | boolean | ✅ | Whether to notify regulatory authorities |
| regulatorDeadlineHours | number | optional | Regulatory notification deadline in hours |
IncidentResponsePhase
Incident response phase with timing and assignment
Properties
| Property | Type | Required | Description |
|---|---|---|---|
| phase | Enum<'identification' \| 'containment' \| 'eradication' \| 'recovery' \| 'lessons_learned'> | ✅ | Response phase name |
| description | string | ✅ | Phase description and objectives |
| assignedTo | string | ✅ | Responsible team or role |
| targetHours | number | ✅ | Target completion time in hours |
| completedAt | number | optional | Actual completion timestamp |
| notes | string | optional | Phase notes and findings |
IncidentResponsePolicy
Organization-level incident response policy per ISO 27001:2022
Properties
| Property | Type | Required | Description |
|---|---|---|---|
| enabled | boolean | ✅ | Enable incident response management |
| notificationMatrix | Object | ✅ | Notification and escalation matrix |
| defaultResponseTeam | string | ✅ | Default incident response team or role |
| triageDeadlineHours | number | ✅ | Maximum hours to begin triage after detection |
| requirePostIncidentReview | boolean | ✅ | Require post-incident review for all incidents |
| regulatoryNotificationThreshold | Enum<'critical' \| 'high' \| 'medium' \| 'low'> | ✅ | Minimum severity requiring regulatory notification |
| retentionDays | number | ✅ | Incident record retention period in days (default ~7 years) |
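As an added example that is not part of the package, the standalone TypeScript below mirrors the documented IncidentNotificationRule, IncidentNotificationMatrix and IncidentResponsePolicy fields as plain types (assumption: the package's zod schemas are not imported) and derives the concrete obligations for one incident: who must be notified by when, whether both the rule's and the policy's regulatory gates are met, which role owns escalation at a given moment, and whether triage is overdue. The sample policy and timestamps are constructed.

```typescript
// Added example: plain TS types mirroring the documented fields (assumption:
// the package's own zod schemas are not imported here).
type Severity = 'critical' | 'high' | 'medium' | 'low';
type Channel = 'email' | 'sms' | 'slack' | 'pagerduty' | 'webhook';
interface NotificationRule { severity: Severity; channels: Channel[]; recipients: string[];
  withinMinutes: number; notifyRegulators: boolean; regulatorDeadlineHours?: number; }
interface NotificationMatrix { rules: NotificationRule[]; escalationTimeoutMinutes: number;
  escalationChain: string[]; }
interface Policy { notificationMatrix: NotificationMatrix; triageDeadlineHours: number;
  regulatoryNotificationThreshold: Severity; }
interface IncidentLike { severity: Severity; status: string; reportedAt: number; detectedAt?: number; }
interface Obligation { recipients: string[]; channels: Channel[]; dueAt: number;
  notifyRegulators: boolean; regulatorDueAt?: number; }
// Rank so that "minimum severity" comparisons work: critical outranks low.
const RANK: Record<Severity, number> = { critical: 3, high: 2, medium: 1, low: 0 };
const atLeast = (s: Severity, min: Severity): boolean => RANK[s] >= RANK[min];
// Schema deadlines run from detection; fall back to the report time if detectedAt is absent.
const clockStart = (i: IncidentLike): number => i.detectedAt ?? i.reportedAt;
/** Every rule whose minimum severity the incident meets becomes a dated obligation. */
function planNotifications(incident: IncidentLike, policy: Policy): Obligation[] {
  const t0 = clockStart(incident);
  const regulated = atLeast(incident.severity, policy.regulatoryNotificationThreshold);
  return policy.notificationMatrix.rules
    .filter(r => atLeast(incident.severity, r.severity))
    .map(r => {
      const notifyRegulators = r.notifyRegulators && regulated; // rule AND policy gate
      return { recipients: r.recipients, channels: r.channels, notifyRegulators,
        dueAt: t0 + r.withinMinutes * 60_000,
        regulatorDueAt: notifyRegulators && r.regulatorDeadlineHours !== undefined
          ? t0 + r.regulatorDeadlineHours * 3_600_000 : undefined };
    });
}
/** Role owning the incident at `now` if nobody acknowledged since detection. */
function escalationOwner(incident: IncidentLike, m: NotificationMatrix, now: number): string {
  const hops = Math.floor((now - clockStart(incident)) / (m.escalationTimeoutMinutes * 60_000));
  return m.escalationChain[Math.min(Math.max(hops, 0), m.escalationChain.length - 1)];
}
/** Triage SLA breach: still 'reported' after policy.triageDeadlineHours. */
function triageOverdue(incident: IncidentLike, policy: Policy, now: number): boolean {
  return incident.status === 'reported' &&
    now > clockStart(incident) + policy.triageDeadlineHours * 3_600_000;
}
// Constructed sample: low+ e-mails the security team; high+ pages and may involve regulators.
const samplePolicy: Policy = { triageDeadlineHours: 4, regulatoryNotificationThreshold: 'high',
  notificationMatrix: { escalationTimeoutMinutes: 30, escalationChain: ['on-call', 'security-lead', 'ciso'],
    rules: [
      { severity: 'low', channels: ['email'], recipients: ['security-team'], withinMinutes: 240, notifyRegulators: false },
      { severity: 'high', channels: ['pagerduty', 'sms'], recipients: ['ciso', 'on-call'],
        withinMinutes: 15, notifyRegulators: true, regulatorDeadlineHours: 72 } ] } };
```

Note that a rule's notifyRegulators flag alone is not enough: the policy's regulatoryNotificationThreshold must also be met, which is why the high-severity rule yields no regulator deadline under a policy whose threshold is critical.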
IncidentSeverity
Allowed Values
'critical' | 'high' | 'medium' | 'low'
IncidentStatus
Allowed Values
'reported' | 'triaged' | 'investigating' | 'containing' | 'eradicating' | 'recovering' | 'resolved' | 'closed'