This article provides additional information on how you can meet the requirement for the ISO 27001: 2022 A.5.26 Response to information security incidents.
ISO 27001: 2022 Control Description
Information security incidents shall be responded to in accordance with the documented procedures.
Purpose
To ensure efficient and effective response to information security incidents.
Guidance on implementation
The organisation should establish and communicate procedures on information security incident
response to all relevant interested parties.
Information security incidents should be responded to by a designated team with the required
competency (see A.5.24).
The incident response should:
a) outline the systems affected by the incident;
b) include evidence (see A.5.28) as soon as possible after the occurrence;
c) follow the escalation procedures as outlined in business continuity plans (see A.5.29 and A.5.30);
d) ensure that all involved response activities are properly logged for later analysis;
e) communicate the existence of the information security incident or any relevant details thereof to all relevant internal and external interested parties following the need-to-know principle;
f) coordinate with internal and external parties such as authorities, external interest groups and
forums, suppliers and clients to improve response effectiveness and help to minimise consequences for other organisations;
g) once the incident has been successfully addressed, follow procedure to formally close and record it;
h) conduct information security forensic analysis, as required (see A.5.28);
i) include post-incident analysis to identify root cause. Ensure it is documented and communicated according to defined procedures (see A.5.27);
j) identify and manage information security vulnerabilities and weaknesses including those
related to controls which have caused, contributed to or failed to prevent the incident.