ISO/IEC 27035:2016+ — Information technology — Security techniques — Information security incident management (parts 1-3 published, part 4 DRAFT)
Information security controls are imperfect in various ways: controls can be overwhelmed or undermined (e.g. by competent hackers, fraudsters or malware), fail in service (e.g. authentication failures), work partially or poorly (e.g. slow anomaly detection), or be more or less completely missing (e.g. not [yet] fully implemented, not [yet] fully operational, or never even conceived due to failures upstream in risk identification and analysis). Consequently, information security incidents are bound to occur to some extent, even in organizations that take their information security extremely seriously.
Managing incidents effectively involves detective and corrective controls designed to recognize and respond to events and incidents, minimize adverse impacts, gather forensic evidence (where applicable) and in due course ‘learn the lessons’ in terms of prompting improvements to the ISMS, typically by improving the preventive controls or other risk treatments.
Information security incidents commonly involve the exploitation of previously unrecognised and/or uncontrolled vulnerabilities, hence vulnerability management (e.g. applying relevant security patches to IT systems and addressing various control weaknesses in operational and management procedures) is part preventive and part corrective action.
Scope and purpose
The standard covers the processes for managing information security events, incidents and vulnerabilities.
The standard expands on the information security incident management section of ISO/IEC 27002. It cross-references that section and explains its relationship to the ISO27k eForensics standards.
Structure and content
The standard lays out a process with 5 key stages:
- Prepare to deal with incidents e.g. prepare an incident management policy, and establish a competent team to deal with incidents;
- Identify and report information security incidents;
- Assess incidents and make decisions about how they are to be addressed e.g. patch things up and get back to business quickly, or collect forensic evidence even if it delays resolving the issues;
- Respond to incidents i.e. contain them, investigate them and resolve them;
- Learn the lessons - more than simply identifying the things that might have been done better, this stage involves actually making changes that improve the processes.
The standard provides template reporting forms for information security events, incidents and vulnerabilities.
Note: some terms are defined differently in the 27035 standards from those in ISO/IEC 27000, so be sure to check the applicable definitions carefully if you use this standard.
Status of the standard
ISO/IEC 27035 replaced ISO TR 18044. It was first published in 2011 as a single standard then revised and split, initially into three parts and then four ...
ISO/IEC 27035-1:2016 — Information technology — Security techniques — Information security incident management — Part 1: Principles of incident management
- Abstract: “Presents basic concepts and phases of information security incident management and combines these concepts with principles in a structured approach to detecting, reporting, assessing, and responding to incidents, and applying lessons learnt.” [Source: SC27 Standing Document 11 (2021)]
- Scope & purpose: part 1 outlines the concepts and principles underpinning information security incident management and introduces the remaining part/s of the standard. It describes an information security incident management process consisting of five phases, and says how to improve incident management.
- Content: the incident management process is described in five phases closely corresponding to the five phases in ISO/IEC 27035:2011 ...
- Plan and prepare: establish an information security incident management policy, form an Incident Response Team etc.
- Detection and reporting: someone has to spot and report “events” that might be or turn into incidents;
- Assessment and decision: someone must assess the situation to determine whether it is in fact an incident;
- Responses: contain, eradicate, recover from and forensically analyze the incident, where appropriate;
- Lessons learnt: make systematic improvements to the organization’s management of information risks as a consequence of incidents experienced.
- Annexes give examples of information security incidents and cross-references to the eForensics and ISO/IEC 27001 standards.
- Status: part 1 was published in 2016. Part 1 is now being revised to catch up with the ongoing revision of ISO/IEC 27002. The revision is at 2nd Committee Draft stage. The title will become “Information technology - Information security incident management - Part 1: Principles and process”. It is due to be published in mid-2023.
- The next version will [probably] have just two main sections: overview and process. Some of the current part 1 content may be transferred to other parts of ‘27035. The revised part 1 may cover:
- Incident management framework - an overall conceptual structure
- Crisis management in the immediate aftermath of a serious incident
- A point of contact to liaise, inform and assist with coordinating activities
ISO/IEC 27035-2:2016 — Information technology — Security techniques — Information security incident management — Part 2: Guidelines to plan and prepare for incident response
- Abstract: “Provides the guidelines to plan and prepare for incident response, and lessons learned from incident response. The guidelines are based on the "Plan and Prepare" phase and the "Lessons Learned" phase of the "Information security incident management phases" model presented in Part 1.” [Source: SC27 Standing Document 11 (2021)]
- Scope & purpose: this part concerns assurance that the organization is in fact ready to respond appropriately to information security incidents that may yet occur. It addresses the rhetorical question “Are we ready to respond to an incident?” and promotes learning from incidents to improve things for the future. It covers the Plan and Prepare and Lessons Learned phases of the process laid out in part 1 - the start and end.
- Content: 8 main clauses:
4. Establishing information security incident management policy
5. Updating of information security and risk management policies
6. Creating information security incident management plan
7. Establishing an Incident Response Team [a.k.a. CERT, CSIRT etc.]
8. Defining technical and other support
9. Creating information security incident awareness and training
10. Testing (or rather exercising) the information security incident management plan
11. Lessons learnt
... plus annexes with incident categorization examples, and notes on ‘legal and regulatory aspects’ (mostly privacy in practice).
- Status: part 2 was published in 2016. Part 2 is now being revised to align with the imminent new version of ISO/IEC 27002. The revision is at 2nd Committee Draft stage. It is due to be published in mid-2023, with a new section on “Establishing internal and external relationships” and a shorter title omitting “Security techniques”.
ISO/IEC 27035-3:2020 — Information technology — Information security incident management — Part 3: Guidelines for ICT incident response operations
- Abstract: “Includes staff responsibilities and operational incident response activities across the organization. Particular focus is given to the incident response team activities including monitoring, detection, analysis, and response activities for the collected data or security events.” [Source: SC27 Standing Document 11 (2021)]
- Scope & purpose: this part concerns ‘security operations’, specifically the organization and processes necessary for the information security function to prepare for and respond to ICT security events and incidents - mostly active, deliberate attacks in fact. The scope reads (in part):
“This document provides the guidelines for ICT incident response operations. This document is not concerned with non-ICT incident response operations such as loss of paper-based documents. The guidelines are based on the “Detection and Reporting” phase, the “Assessment and Decision” phase and the “Responses” phase of the “Information security incident management phases” model presented in ISO/IEC 27035-1:2016.”
- Content: section-by-section the standard steps through the core parts of the typical incident response process i.e. incident detection; notification; triage; analysis; containment, eradication and recovery; and reporting.
- Status: part 3 was published in 2020. Unusually (and possibly in contravention of ISO directives?), the official title includes an abbreviation.
ISO/IEC 27035-4 — Information technology — Information security incident management — Part 4: Coordination (DRAFT)
- Abstract: “This part of ISO/IEC 27035 provides the guidelines for coordination among IRTs of multiple organizations to work together to handle information security incidents. It also addresses the impacts by working together to the internal incident management of one organization, and provides guidelines for individual IRT to adapt to the coordination process. Furthermore, it provides guidelines for the coordination team, if exists, to perform supporting coordination activities.” [Source: SC27 Standing Document 11 (2021)]
- Scope & purpose: managing major incidents usually involves coordinating responses between the Incident Response Teams of several organizations affected or involved in various ways.
- Content: the standard discusses the concept of Coordinated Incident Management and its application throughout the full incident management lifecycle - from response planning to lessons learned - by ‘communities’ (supply chains or networks) with common interests.
- Status: the project slowly developing part 4 is at 2nd Working Draft stage. Part 4 is due to be published in 2024.
Notwithstanding the title, the ISO/IEC 27035 standards specifically concern incidents affecting IT systems and networks although the fundamental principles apply also to incidents affecting other forms of information such as paperwork, knowledge, intellectual property, trade secrets and personal information. Unfortunately (as far as I’m concerned), the language is almost entirely IT-related. That, to me, represents yet another opportunity squandered: ISO27k covers more than IT/cybersecurity. How are organizations meant to handle incidents such as fraud and piracy where the IT elements are incidental to the business?
This is yet another ISO27k standard that would benefit from an explicit description of the information risks being addressed through the incident management process. Since it is literally impossible to detect and respond to every single incident, a proportion of the risk has to be accepted (e.g. ‘low and slow’ attacks fly under the radar, while many hacks and malware attacks involve deliberately evading or neutralising detective as well as preventive controls), while some might be shared with third parties (e.g. business partners and insurers) or avoided (e.g. by putting even more emphasis on preventive controls). Also, the response to a major incident may well involve invoking business continuity arrangements, hence this standard should in my opinion integrate with ISO 22301 etc.