An escalation matrix is a table that defines who must be notified and involved at each severity level of a security incident. Escalation levels establish the notification hierarchy — from the IT department through the Information Security Officer to top management and external parties.
A clear escalation matrix prevents critical incidents from being handled too long at the wrong level. It typically contains severity categories, responsible contacts with contact details, response times, and communication channels. ISO 27001 requires documented procedures for managing information security incidents (A.5.24–A.5.28). The escalation matrix is the central tool for operationally implementing this requirement.