In the ACN baseline incident model, IS-1 refers to a case where the entity has evidence of confidentiality loss involving digital data under its ownership or control. For operations teams, the key is to recognize the event pattern quickly, preserve evidence, and activate escalation/notification workflow without delay.
Sources: ACN baseline reading guide, ACN baseline obligations determination
Key takeaways
- IS-1 is linked to confidentiality loss scenarios.
- Notification obligations are tied to evidence of incident occurrence.
- The affected object is digital data in the entity’s ownership/control perimeter.
- Classification should be performed through the official typology model (condition, compromise, object).
Sources: ACN baseline reading guide
IS-1 qualification model
1. Condition
The organization has evidence that a relevant incident occurred.
2. Compromise pattern
The compromise corresponds to confidentiality loss (including external exposure scenarios described in official guidance).
3. Object of compromise
The impacted object is digital data owned by the entity or data over which it exercises full or partial control.
Sources: ACN baseline reading guide, ACN baseline obligations determination
Operational handling steps for IS-1
| Step | Control question | Expected output |
|---|---|---|
| Evidence capture | Do we have objective evidence of confidentiality loss? | Evidence record with timestamp |
| Scope definition | Which data sets are involved and under what control model? | Data-impact scope statement |
| Escalation | Does the event meet significant-incident criteria? | Escalation decision record |
| Notification readiness | Are required facts prepared for authority workflow? | Structured incident brief |
Sources: ACN baseline reading guide
90-day implementation checklist
- Add IS-1 pattern checks to SOC/CSIRT triage forms.
- Standardize evidence requirements for confidentiality-loss events.
- Define data-impact mapping procedure for owned/controlled digital data.
- Run tabletop scenarios focused on external confidentiality compromise.
- Maintain traceability from IS-1 classification to escalation decision.
FAQ
Is every data leak automatically IS-1?
Classification depends on official IS-1 model criteria and documented incident evidence. Details are defined in the official call documentation. Source: ACN baseline reading guide
What starts timing for related obligations?
Timing is linked to the point where the entity has evidence of the significant incident, as defined in official guidance. Source: ACN baseline reading guide
Which data perimeter is relevant for IS-1?
Digital data owned by the entity or data under its control perimeter, according to the baseline definitions. Source: ACN baseline reading guide