A severity matrix assigns security incidents to a severity level (e.g. low, medium, high, critical) based on defined criteria. Criteria may include the number of affected records, the type of data involved, the duration of the incident, and regulatory implications. You use the matrix to set response times and escalation paths. In an ISMS it is part of the incident-response plan and ensures critical incidents receive priority treatment. The matrix is agreed upon with senior management and revised regularly.