In the ACN baseline model, IS-3 covers incidents where the entity has evidence of expected service-level violation. Unlike IS-1 and IS-2, the affected object in IS-3 is the entity’s services or activities, not digital data as a primary object.
Sources: ACN baseline reading guide, ACN baseline obligations determination
Key takeaways
- IS-3 addresses service-impact scenarios based on expected service levels.
- Qualification starts from evidence of incident occurrence.
- Compromise is linked to service-level violation against defined expectations.
- The affected object is service/activity continuity and performance.
Sources: ACN baseline reading guide
IS-3 qualification model
1. Condition
The organization has evidence that a relevant incident occurred.
2. Compromise pattern
The compromise corresponds to violation of expected service levels defined by the entity’s baseline model.
3. Object of compromise
The compromised object is the services and/or activities provided by the NIS entity.
Sources: ACN baseline reading guide, ACN baseline obligations determination
Operational handling steps for IS-3
| Step | Control question | Expected output |
|---|---|---|
| Evidence checkpoint | Do we have objective evidence of service-level breach? | Timestamped evidence log |
| Service impact mapping | Which services/activities are below expected levels? | Service-impact statement |
| Escalation decision | Does this meet significant-incident criteria? | Escalation and ownership decision |
| Notification readiness | Are impact facts and timeline structured for reporting? | Structured incident brief |
Sources: ACN baseline reading guide
90-day implementation checklist
- Define and maintain expected service-level references used for IS-3 qualification.
- Align monitoring and triage workflows to capture service-level breach evidence.
- Standardize impact analysis templates for service/activity degradation.
- Run crisis simulations focused on service-level violation scenarios.
- Keep traceable records linking IS-3 qualification to escalation outcomes.
FAQ
Is every service disruption automatically IS-3?
No. Qualification depends on official IS-3 typology criteria and documented incident evidence. Source: ACN baseline reading guide
What is the key differentiator from IS-1/IS-2?
IS-3 centers on service/activity impact and expected service-level violation, while IS-1/IS-2 primarily concern data compromise patterns. Source: ACN baseline reading guide
When does timing start for related obligations?
Timing references are tied to the point when the entity has evidence of the significant incident, as defined in official guidance. Source: ACN baseline reading guide