
ISO 27001:2022 A.5.27 Learning from information security incidents

This article provides additional guidance on meeting the requirement of ISO 27001:2022 control A.5.27, Learning from information security incidents.

ISO 27001:2022 Control Description

Knowledge gained from information security incidents shall be used to strengthen and improve information security controls.

Purpose

To reduce the likelihood or impact of future incidents.

Guidance on implementation

The organisation should establish procedures to quantify and monitor the types, volumes, and costs of information security incidents.

The information gained from the evaluation of information security incidents should be used to:

a) enhance the incident management plan, including incident scenarios and procedures;

b) identify recurring or serious incidents and their causes, update the organisation’s information security risk assessment accordingly, and determine and implement any additional controls needed to reduce the likelihood or impact of similar incidents in future. Collecting, quantifying, and monitoring information about incident types, volumes, and costs is what makes this possible;

c) enhance user awareness and training by providing examples of what can happen and how to respond effectively.
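The quantify-and-monitor procedure described above, and the identification of recurring or serious incidents in item b), can be driven from a simple incident register. The following is an added illustration written for this article; it is not part of the ISO standard and does not prescribe any particular tool. The register fields, the sample incident rows, and the thresholds (two occurrences for "recurring", severity "high" for "serious") are this example's own assumptions and should be replaced with whatever the organisation's incident management process actually records.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Incident:
    """One row of an incident register (field names are this example's own assumption)."""
    incident_id: str
    category: str          # incident type, e.g. "phishing", "malware"
    root_cause: str        # conclusion of the post-incident review
    severity: str          # "low", "medium" or "high"
    cost: float            # response effort plus business impact, in one currency
    hours_to_contain: float


# Constructed sample register for this example; not real incident data.
SAMPLE_REGISTER: List[Incident] = [
    Incident("INC-001", "phishing", "no MFA on webmail", "medium", 4200.0, 6.0),
    Incident("INC-002", "malware", "unpatched workstation", "high", 15000.0, 30.0),
    Incident("INC-003", "phishing", "no MFA on webmail", "high", 9800.0, 12.0),
    Incident("INC-004", "misconfiguration", "public storage bucket", "medium", 2500.0, 3.0),
    Incident("INC-005", "phishing", "user clicked link", "low", 600.0, 2.0),
    Incident("INC-006", "malware", "unpatched workstation", "medium", 7300.0, 18.0),
    Incident("INC-007", "insider", "excess database privileges", "high", 12000.0, 40.0),
]


def summarise_by_category(incidents: Iterable[Incident]) -> Dict[str, Dict[str, float]]:
    """Types, volumes and costs: count, total cost and mean hours to contain, per category."""
    buckets: Dict[str, List[Incident]] = defaultdict(list)
    for inc in incidents:
        buckets[inc.category].append(inc)
    summary: Dict[str, Dict[str, float]] = {}
    for category, rows in buckets.items():
        summary[category] = {
            "count": len(rows),
            "total_cost": sum(r.cost for r in rows),
            "avg_hours_to_contain": sum(r.hours_to_contain for r in rows) / len(rows),
        }
    return summary


def recurring_causes(incidents: Iterable[Incident],
                     min_occurrences: int = 2) -> List[Tuple[str, int, float]]:
    """Root causes seen at least min_occurrences times, as (cause, count, total cost), costliest first."""
    count: Dict[str, int] = defaultdict(int)
    cost: Dict[str, float] = defaultdict(float)
    for inc in incidents:
        count[inc.root_cause] += 1
        cost[inc.root_cause] += inc.cost
    hits = [(c, count[c], cost[c]) for c in count if count[c] >= min_occurrences]
    return sorted(hits, key=lambda h: h[2], reverse=True)


def causes_for_risk_review(incidents: Iterable[Incident],
                           min_occurrences: int = 2,
                           serious: str = "high") -> Set[str]:
    """Causes of recurring or serious incidents: the candidates for a risk assessment update."""
    rows = list(incidents)
    flagged = {cause for cause, _, _ in recurring_causes(rows, min_occurrences)}
    flagged |= {inc.root_cause for inc in rows if inc.severity == serious}
    return flagged


if __name__ == "__main__":
    for category, stats in summarise_by_category(SAMPLE_REGISTER).items():
        print(f"{category:16} n={stats['count']} cost={stats['total_cost']:.0f} "
              f"mean-contain={stats['avg_hours_to_contain']:.1f}h")
    for cause, n, total in recurring_causes(SAMPLE_REGISTER):
        print(f"recurring: {cause} x{n} cost={total:.0f}")
    print("causes to take into the risk assessment:", sorted(causes_for_risk_review(SAMPLE_REGISTER)))
```

The output of `causes_for_risk_review` is the list an auditor would expect to see traced into the risk register and, in turn, into changed or added controls; the per-category summary is the evidence that types, volumes and costs are being monitored over time rather than looked at once.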