Topic-specific policies
ISO/IEC 27035


Search this site
 

ISMS templates

< Previous standard      ^ Up a level ^      Next standard >

 

ISO/IEC 27035:2020-2023+ — Information technology — Security techniques — Information security incident management (parts 1-3 published, part 4 DRAFT)

 

Introduction

Information security controls are imperfect in various ways: controls can be overwhelmed or undermined (e.g. by competent hackers, fraudsters or malware), fail in service (e.g. authentication failures), work partially or poorly (e.g. slow anomaly detection), or be more or less completely missing (e.g. not [yet] fully implemented, not [yet] fully operational, or never even conceived due to failures upstream in risk identification and analysis). Consequently, information security incidents are bound to occur to some extent, even in organisations that take their information security extremely seriously.

Managing incidents effectively involves detective and corrective controls designed to recognize and respond to events and incidents, minimize adverse impacts, gather forensic evidence (where applicable) and in due course ‘learn the lessons’ in terms of prompting improvements to the ISMS, typically by improving the preventive controls or other risk treatments.

Information security incidents commonly involve the exploitation of previously unrecognised and/or uncontrolled vulnerabilities, hence vulnerability management (e.g. applying relevant security patches to IT systems and addressing various control weaknesses in operational and management procedures) is part preventive and part corrective action.

The ISO/IEC 27035 standards concern managing information security events, incidents and vulnerabilities, expanding on the information security incident management section of ISO/IEC 27002.

The standards describe a 5-phase process:

  1. Prepare to deal with incidents e.g. prepare an incident management policy, and establish a competent team to deal with incidents;
  2. Identify and report information security incidents;
  3. Assess incidents and make decisions about how they are to be addressed e.g. patch things up and get back to business quickly, or collect forensic evidence even if it delays resolving the issues;
  4. Respond to incidents i.e. contain them, investigate them and resolve them;
  5. Learn the lessons - more than simply identifying the things that might have been done better, this stage involves actually making changes that improve the processes.

The first edition was published as a single standard in 2011, replacing ISO TR 18044. It was subsequently split into four parts ...

 

ISO/IEC 27035-1:2023 — Information technology — Information security incident management — Part 1: Principles and process (second edition)

  • Abstract: part 1 “is the foundation of the ISO/IEC 27035 series. It presents basic concepts, principles and process with key activities of information security incident management, which provide a structured approach to preparing for, detecting, reporting, assessing, and responding to incidents, and applying lessons learned. The guidance on the information security incident management process and its key activities given in this document are generic and intended to be applicable to all organizations, regardless of type, size or nature. Organizations can adjust the guidance according to their type, size and nature of business in relation to the information security risk situation. This document is also applicable to external organizations providing information security incident management services.”
  • Scope & purpose: part 1 outlines the concepts and principles underpinning information security incident management and introduces the remaining part/s of the standard. It describes an information security incident management process consisting of five phases, and says how to improve incident management.
  • Content: incident management is described overall, and then as a process with five phases:
    • Plan and prepare: establish an information security incident management policy, form an Incident Response Team etc.
    • Detect and report: someone has to spot and report “events” that might be or turn into incidents;
    • Assess and decide: someone must assess the situation to determine whether it is in fact an incident;
    • Respond: contain, eradicate, recover from and forensically analyse the incident, where appropriate;
    • Learn lessons: make systematic improvements to the organisation’s management of information risks as a consequence of incidents experienced.
       
  • Annexes give examples of information security incidents and cross-references to the eForensics and ISO/IEC 27001 standards.
  • Status: the first edition of part 1 was published in 2016. Having been revised for ISO/IEC 27002:2022, the second edition was published in 2023.
     

ISO/IEC 27035-2:2023 — Information technology — Information security incident management — Part 2: Guidelines to plan and prepare for incident response (second edition)

  • Abstract: part 2 “provides guidelines to plan and prepare for incident response and to learn lessons from incident response. The guidelines are based on the plan and prepare and learn lessons phases of the information security incident management phases model presented in [part 1 clauses] 5.2 and 5.6.
  • Scope & purpose: part 2 concerns assurance that the organisation is in fact ready to respond appropriately to information security incidents that may yet occur. It addresses the rhetorical question “Are we ready to respond to an incident?” and promotes learning from incidents to improve things for the future. It covers the Plan and prepare and Learn lessons phases of the process laid out in part 1.
  • Content: nine main clauses:
  • 4. Information security incident management policy

    5. Updating of information security policies

    6. Creating information security incident management plan

    7. Establishing an incident management capability

    8. Establishing internal and external relationships

    9. Defining technical and other support

    10. Creating information security incident awareness and training

    11. Testing the information security incident management plan

    12. Learn lessons

    ... plus annexes with example forms, incident categorization approaches, and notes on ‘legal and regulatory requirements’ (mostly privacy).

  • Status: the first edition of part 2 was published in 2016. Having been revised for ISO/IEC 27002:2022 and with a new clause 8, the second edition was published in 2023.

 

ISO/IEC 27035-3:2020 — Information technology — Information security incident management — Part 3: Guidelines for ICT incident response operations (first edition)

  • Abstract: part 3 “gives guidelines for information security incident  response in ICT security operations. This document does this by firstly  covering the operational aspects in ICT security operations from a  people, processes and technology perspective. It then further focuses on information security incident response in ICT security operations  including information security incident detection, reporting, triage,  analysis, response, containment, eradication, recovery and conclusion ...”
  • Scope & purpose: part 3 concerns ‘security operations’, specifically the organisation and processes necessary for the information security function to prepare for, and respond to, ICT security events and incidents - mostly active, deliberate attacks in fact.
  • Content: section-by-section the standard steps through the core parts of the typical incident response process i.e. incident detection; notification; triage; analysis; containment, eradication and recovery; and reporting.
  • Status: the first edition of part 3 was published in 2020.
  • Comment: the standard’s title contains a commonplace but unexpanded abbreviation: ICT.

 

ISO/IEC 27035-4 — Information technology — Information security incident management — Part 4: Coordination [DRAFT]

  • Abstract: part 4 “provides the guidelines for coordination among IRTs of multiple organizations to work together to handle information security incidents. It also addresses the impacts by working together to the internal incident management of one organization, and provides guidelines for individual IRT to adapt to the coordination process. Furthermore, it provides guidelines for the coordination team, if exists, to perform supporting coordination activities.” [Source: ISO/IEC JTC 1/SC 27 SD11]
  • Scope & purpose: whereas managing routine information security incidents typically involves several departments or teams within an organisation, exceptional/major incidents (such as botnet or phishing attacks) require collaboration and coordination between the Incident Response Teams of several organisations, often in different countries. They may be affected or involved in various ways e.g. Internet and cloud service providers, plus law enforcement, plus the targeted organisation/s.
  • Content: the standard discusses the concept of Coordinated Incident Management and its application throughout the full incident management lifecycle - from response planning to lessons learned - by ‘communities’ (supply chains or networks) with common interests.
  • Nov status update Status: part 4 has been approved by SC 27 at Final Draft International Standard stage and should be published in 2025.

 

Personal comments

In addition to actual events and incidents, we should be systematically exploring and learning from near-misses i.e. situations that thankfully caused little if any impact on the business, such as:

  • An alert worker noticing and reporting a phishing or Business Email Compromise attack;
  • An infection by defective/nonfunctional malware or scareware;
  • A colleague spotting confidential papers left on someone’s office desk after they have gone home, and tidying them away;
  • A manager casually disclosing a commercially-sensitive detail in conversation with a supplier or competitor who appears not to have noticed it;
  • A neighbouring office being ram-raided, burgled, vandalised, burnt or flooded;
  • A competitor, business partner, customer or supplier suffering a noteworthy incident;
  • Any incident from which the organisation successfully recovered e.g. by restoring backups;
  • Incidents that, by sheer good fortune, were trivial (incidental!), and could easily have been much worse e.g. if they had occurred at a different time or day or point in the business cycle, in other circumstances, or if they had not been spotted so soon.

Although, in the absence of significant impacts and with finite resources already stretched by other priorities, it is tempting for management simply to ignore close-shaves and minor incidents, they present opportunities to:

  • Identify and study information risks (threats, vulnerabilities, exposures, impacts ...) that might otherwise have remained unrecognised or ignored;
  • Evaluate the risk management approach, particularly the associated decisions and controls;
  • Tease out and address specific or indeed general weaknesses with the approach, making improvements;
  • Gain assurance on the aspects that worked well, or at least went to plan;
  • Generate case study materials for awareness and training purposes, and information to feed into future risk assessments, including statistics/metrics.

We might not be quite so lucky next time! The aviation industry is a shining example of this approach, with a comprehensive no-blame strategy to identify, report, address and improve as a result of [literal and figurative] near-misses.

Notwithstanding the title, the ISO/IEC 27035 standards specifically concern incidents affecting IT systems and networks although the fundamental principles apply also to incidents affecting other forms of information such as paperwork, knowledge, intellectual property, trade secrets and personal information. Unfortunately (as far as I’m concerned), the language is almost entirely IT-related. That, to me, represents an opportunity squandered: ISO27k covers more than IT/cybersecurity. How are organisations meant to handle incidents such as fraud and piracy where the IT elements are incidental to the business?

Explicitly describing the information risks that the incident management process addresses would enhance this standard, I feel. Since it is literally impossible to detect and respond to every single incident, a proportion of the risk has to be accepted (e.g. ‘low and slow’ attacks fly under the radar, while many hacks and malware attacks involve deliberately evading or neutralising both detective and preventive controls), while some might be shared with third parties (e.g. business partners and insurers) or avoided (e.g. by putting even more emphasis on preventive controls). Also, the response to a major incident may well involve invoking business continuity arrangements, hence this standard should in my opinion integrate with or properly cite ISO 22301 etc.

 

< Previous standard      ^ Up a level ^      Next standard >

Copyright © 2024 IsecT Ltd. Contact us re Intellectual Property Rights