Security Incident Management according to ISO 27035

ISO 27001:2013 covers security incident management in Annex A, domain A.16 (Information security incident management).

The objective is described as "To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses."

The international standard ISO/IEC 27035 was initially published as ISO/IEC TR 18044. ISO later decided that it fit into the so-called "27000" group of international standards, hence ISO 27035 was released in 2011. In 2016 ISO/IEC 27035 was revised and renumbered.

In 2016 it was divided into three parts:

  • Principles of incident management (ISO/IEC 27035-1);
  • Guidelines to plan and prepare for incident response (ISO/IEC 27035-2);
  • Guidelines for incident response operations (ISO/IEC 27035-3).

A new version was released in 2023.

The full title of the 2016 version is "Information technology — Security techniques — Information security incident management".

ISO/IEC 27035-1, Principles of incident management, presents basic concepts and phases of information security incident management, and how to improve incident management. This part combines these concepts with principles in a structured approach to detecting, reporting, assessing, and responding to incidents, and applying lessons learnt.

The first part of ISO/IEC 27035 reviews the principles of security incident management. The incident response team is called the IRT (Incident Response Team) in ISO/IEC 27035. The IRT is defined as a “team of appropriately skilled and trusted members of the organization”. It is worth noting that the word “trusted” is used here. This definition is important to remember (and apply) because incident response team members often handle sensitive information and sensitive events, so they should not only be skilled and trained; they also need to be trusted to act appropriately in sensitive situations.

ISO 27035 defines the two key terms as follows: "An information security event is an occurrence indicating a possible breach of information security or failure of controls. An information security incident is one or multiple related and identified information security events that meet established criteria and can harm an organization’s assets or compromise its operations."

The occurrence of an information security event does not necessarily mean that an attack has been successful or that there are any implications on confidentiality, integrity or availability, i.e., not all information security events are classified as information security incidents.

[Figure: Relationship of objects in an information security incident (via ISO 27035)]

ISO/IEC 27035-1 lists the following objectives of planned and structured incident management:

  1. effective detection of information security events;
  2. appropriate assessment of such events in the most appropriate and efficient manner;
  3. efficient incident response;
  4. minimization of adverse effects of incidents on business operations;
  5. establishing the link with crisis management and business continuity management;
  6. supportive vulnerability management;
  7. learning lessons from incidents.

To help achieve these objectives, organizations should ensure that information security incidents are documented in a consistent manner, using appropriate standards for incident categorization, classification, and sharing, so that metrics can be derived from aggregated data over a period of time. Another objective associated with this part of ISO/IEC 27035 is to provide guidance to organizations that aim to meet the Information Security Management System (ISMS) requirements specified in ISO/IEC 27001, which are supported by guidance from ISO/IEC 27002.

[Figure: Information security incident management in relation to the ISMS and applied controls (via ISO 27035)]


ISO 27035 also explains the benefits of this structured approach. Using a structured approach to information security incident management can yield significant benefits, namely:

  • improving information security;
  • reducing business impacts;
  • strengthening focus on prevention of incidents in future;
  • improving prioritization of actions;
  • improving the quality of evidence collection and investigation;
  • contributing to budget and resource justification;
  • improving IT/IS risk management (risk assessment and treatment);
  • improving security awareness and enhancing the training program;
  • improving security policies and procedures by providing inputs during documentation reviews.

ISO 27035 then describes the phases of Incident Management. Information security incident management consists of the following five distinct phases:

  • Plan and Prepare;
  • Detection and Reporting;
  • Assessment and Decision;
  • Responses;
  • Lessons Learnt.

Some activities can occur in multiple phases or throughout the incident handling process.

[Figure: Information security incident management phases (via ISO 27035)]

Plan and Prepare

For incident management to be effective, appropriate planning and preparation are required. Some requirements are:

  • A formal incident management policy should be drafted, published and communicated.
  • All other policies should be updated to include incident management.
  • A detailed incident management plan should be defined.
  • An IRT should be established and trained.
  • Relationships with all internal and external stakeholders should be established.
  • The information security incident management plan should be tested.

Detection and Reporting

In this phase, events and vulnerabilities might not yet be classified as information security incidents. All data collected should be managed by the IRT. Some activities in this phase are:

  • log monitoring;
  • vulnerability management;
  • event detection and reporting;
  • information collection on security events;
  • evidence gathering and secure storage;
  • following escalation if required.

Assessment and Decision

Does the security event qualify as a security incident? Information associated with occurrences of information security events is assessed, and a decision is made on whether to classify the events as information security incidents. All data collected should be managed by the IRT. Some activities in this phase are:

  • detailed information gathering, including testing, measuring, and other data gathering about the detection of an information security event;
  • detailed assessment to determine whether the event qualifies as an information security incident or is a false positive;
  • deciding on the responses to be used as subsequent actions;
  • damage assessment;
  • logging of all activities by the IRT;
  • following change management;
  • distributing responsibility for activities within the IRT.
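The event/incident distinction and the Assessment and Decision activities above are easiest to see in code. The following is an added example, not material from the standard or the author: related events on one asset are assessed against a set of "established criteria" (the criteria, event kinds, asset names and thresholds are all assumed and constructed for illustration), the IRT's decision is logged, and the evidence is hashed so later alteration is detectable.

```python
import hashlib, json
from collections import defaultdict
from dataclasses import asdict, dataclass

@dataclass
class Event:
    event_id: str
    asset: str
    kind: str      # e.g. "failed_login", "malware_alert" (constructed vocabulary)
    severity: int  # 1 (low) .. 5 (critical), as assigned by the reporter
@dataclass
class Incident:
    incident_id: str
    events: list           # the related events that make up the incident
    decision_log: list     # IRT record of why it was classified as an incident
    evidence_digest: str   # SHA-256 over the events, for tamper-evident storage
# "Established criteria" (assumed for this example, not taken from the standard): a critical
# event, a repeated kind crossing its threshold, or a combination suggesting a breach.
CRITERIA = {"critical_severity": 5,
            "repeat_threshold": {"failed_login": 10},
            "breach_pattern": {"failed_login", "successful_login_new_geo"}}

def assess(events: list) -> tuple:
    """Group related events by asset, apply CRITERIA; return (incidents, events left as events)."""
    by_asset = defaultdict(list)
    for e in events:
        by_asset[e.asset].append(e)
    incidents, still_events = [], []
    for asset, group in by_asset.items():
        kinds, reasons = [e.kind for e in group], []
        if any(e.severity >= CRITERIA["critical_severity"] for e in group):
            reasons.append("critical-severity event present")
        for kind, n in CRITERIA["repeat_threshold"].items():
            if kinds.count(kind) >= n:
                reasons.append(f"{kind} seen {kinds.count(kind)}x (threshold {n})")
        if CRITERIA["breach_pattern"] <= set(kinds):
            reasons.append("breach pattern matched")
        if not reasons:  # noise or false positive: stays an event, not an incident
            still_events.extend(group)
            continue
        # Canonical JSON of the evidence, hashed so later alteration is detectable.
        digest = hashlib.sha256(json.dumps([asdict(e) for e in group], sort_keys=True).encode()).hexdigest()
        log = [f"classified as incident: {r}" for r in reasons] + [f"evidence sha256={digest}"]
        incidents.append(Incident(f"INC-{asset}", group, log, digest))
    return incidents, still_events

SAMPLE_EVENTS = ([Event(f"ev{i}", "srv1", "failed_login", 2) for i in range(10)]  # constructed sample
                 + [Event("ev10", "ws7", "malware_alert", 5),
                    Event("ev11", "db2", "failed_login", 2),
                    Event("ev12", "db2", "successful_login_new_geo", 3),
                    Event("ev13", "ws9", "failed_login", 1)])
```

Running `assess(SAMPLE_EVENTS)` yields three incidents (repeated failures on srv1, a critical alert on ws7, the breach pattern on db2) while the single failed login on ws9 remains an event.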

Responses

Security incidents should be responded to in accordance with the documented procedures determined in the previous step. Responses are time-dependent. All data collected should be managed by the IRT. Some activities in this phase are:

  • investigating incidents with deep analysis as required;
  • determining whether the incident is under control;
  • assigning resources and escalating if required;
  • invoking crisis management if required;
  • logging of all activities by the IRT;
  • evidence gathering and storage;
  • information sharing with all stakeholders;
  • reporting.

Lessons Learnt

This step happens after the resolution of the incident. Some activities in this phase are

Rodrigo A. Benavente A.

Information Security Specialist | ISO 27001 & ISO 22301 Auditor and Implementer | ISO 27002 Implementer | SGSI PCN PCT DRP BCP BCM SGCN ANCI | GRC InfoSEC CTO CISO | 🟩 LA/LI ISO 27001 - LA/LI ISO 22301 🟩

1y

Hi Dipen Das 🔐, I was reading your series of articles and they are very useful and educational, recommended! - thanks for sharing!!
