ISO 27001: 2022 A.5.24 Information security incident management planning and preparation

This article provides additional information on how you can meet the requirement for the ISO 27001: 2022 A.5.24 Information security incident management planning and preparation.

ISO 27001: 2022 Control Description

The organisation shall plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities.

Purpose

To ensure a quick, effective, consistent, and orderly response to information security incidents, including communication regarding information security events.

Guidance on implementation

The organisation should establish appropriate information security incident management processes. Roles and responsibilities for carrying out the incident management procedures should be determined and effectively communicated to the relevant internal and external interested parties.

The following should be considered:

a) Establishing a common method for reporting information security events, including a point of contact;

b) Establishing an incident management process to provide the organisation with the capability for managing information security incidents, including administration, documentation, detection, triage, prioritisation, analysis, communication, and coordination of interested parties;

c) Establishing an incident response process to provide the organisation with the capability for assessing, responding to, and learning from information security incidents;

d) Ensuring that only competent personnel handle issues related to information security incidents within the organisation. Such personnel should be provided with procedural documentation and periodic training;

e) Establishing a process to identify required training, certification, and ongoing professional development for incident response personnel.

Incident Management Procedures

The objectives for information security incident management should be agreed upon with management, and it should be ensured that those responsible for information security incident management understand the organisation’s priorities for handling incidents, including resolution timeframes based on potential consequences and severity. Incident management procedures should be implemented to meet these objectives and priorities.

Management should ensure that an information security incident management plan is created, considering different scenarios, and procedures are developed and implemented for the following activities:

a) Evaluating information security events according to criteria for what constitutes an information security incident;

b) Monitoring, detecting, classifying, analysing, and reporting of information security events and incidents (by human or automatic means);

c) Managing information security incidents to conclusion, including response and escalation according to the type and category of the incident, possible activation of crisis management and continuity plans, controlled recovery from an incident, and communication with internal and external interested parties;

d) Coordinating with internal and external interested parties such as authorities, external interest groups and forums, suppliers, and clients;

e) Logging incident management activities;

f) Handling of evidence;

g) Conducting root cause analysis or post-mortem procedures;

h) Identifying lessons learned and any improvements to the incident management procedures or information security controls in general that are required.

Reporting Procedures

Reporting procedures should include:

a) Actions to be taken in the case of an information security event (e.g. noting all pertinent details immediately, such as malfunctions occurring and messages on-screen, immediately reporting to the point of contact, and only taking coordinated actions);

b) Use of incident forms to support personnel in performing all necessary actions when reporting information security incidents;

c) Suitable feedback processes to ensure that those reporting information security events are notified, to the extent possible, of outcomes after the issue has been addressed and closed;

d) Creation of incident reports.

Any external requirements for reporting incidents to relevant interested parties within the defined timeframe (e.g. breach notification requirements to regulators) should be considered when implementing incident management procedures.

Information security incidents can transcend organisational and national boundaries. To respond to such incidents, it is beneficial to coordinate responses and share information about these incidents with external organisations as appropriate.