ISO/IEC 27035:2011 Information technology — Security techniques — Information security incident management
Introduction
Information security controls are imperfect in various ways: controls can fail, work partially, or be completely missing (e.g. not implemented or not operational). Consequently, incidents are bound to happen since preventive controls are not totally reliable and effective.
Managing incidents effectively involves detective and corrective controls designed to minimize adverse impacts, gather forensic evidence (where applicable) and ‘learn the lessons’ in terms of prompting improvements to the ISMS, especially the implementation of more effective preventive controls.
Information security incidents commonly involve the exploitation of previously unrecognised and/or uncontrolled vulnerabilities, hence vulnerability management (e.g. applying relevant security patches to IT systems and addressing control weaknesses in procedures) is part preventive and part corrective action.
Scope
ISO/IEC 27035 lays out a structured and planned approach to:
(a) detect, report and assess information security incidents;
(b) respond to and manage information security incidents;
(c) detect, assess and manage information security vulnerabilities; and
(d) continuously improve information security and incident management as a result of managing information security incidents and vulnerabilities.
Note that the standard includes vulnerability management as well as incident management.
Content
The process is essentially:
- Plan and prepare to deal with incidents
- Detect/identify and report incidents
- Assess incidents and make decisions
- Respond to incidents (meaning contain them, investigate them and resolve them)
- Learn the lessons
The following diagram is not taken from the standard, but shows the component parts of a typical full-scope incident management process:
The standard provides template reporting forms for events, incidents and vulnerabilities.
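The five-phase process listed above, and the idea of a structured record per incident, can be shown end to end in a small script. The following is an added example written for this page; it is not code from the standard, and the thresholds, field names and status names are assumptions chosen for illustration rather than the standard's own reporting forms or terminology. The "plan" phase is represented by a criterion decided in advance, detection runs over constructed auth log lines, assessment applies the criterion, response and lessons are recorded, and a transition table prevents a record from being closed before the response and lessons-learned steps have happened.

```python
"""Added example: a minimal incident-handling pipeline mirroring the phases
plan/prepare, detect and report, assess and decide, respond, learn lessons.
All names, thresholds and states here are assumptions for illustration."""
from collections import Counter
from dataclasses import dataclass, field
import re

# --- Plan and prepare: decide in advance what counts as an incident --------
# Assumed criterion: 5 or more failed logins for one account in the sample
# window is a "high" priority incident; fewer is an event only.
PLAN = {"failed_login_threshold": 5, "priority_if_exceeded": "high"}

# Allowed lifecycle transitions (assumed, not the standard's states). A record
# cannot jump straight to "closed" without response and lessons learned.
TRANSITIONS = {
    "reported": {"assessed"},
    "assessed": {"responding", "closed_as_event"},
    "responding": {"resolved"},
    "resolved": {"closed"},
}


@dataclass
class IncidentRecord:
    """Illustrative record; the fields are not the standard's template."""
    summary: str
    account: str
    priority: str = "unassessed"
    status: str = "reported"
    actions: list = field(default_factory=list)
    lessons: list = field(default_factory=list)

    def move_to(self, new_status):
        if new_status not in TRANSITIONS.get(self.status, set()):
            raise ValueError(f"cannot go from {self.status} to {new_status}")
        self.status = new_status


LOG_RE = re.compile(r"auth: (?P<result>FAILED|OK) login user=(?P<user>\S+)")


def detect(log_lines):
    """Detect/identify: count failed logins per account from auth log lines."""
    failures = Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("result") == "FAILED":
            failures[m.group("user")] += 1
    return failures


def report(failures):
    """Report: every account with at least one failure gets a reported record."""
    return [IncidentRecord(summary=f"{n} failed logins for {u}", account=u)
            for u, n in failures.items()]


def assess(record, failures):
    """Assess and decide: apply the prepared criterion to a reported record."""
    record.move_to("assessed")
    if failures[record.account] >= PLAN["failed_login_threshold"]:
        record.priority = PLAN["priority_if_exceeded"]
    else:
        record.priority = "event_only"
        record.move_to("closed_as_event")
    return record


def respond(record):
    """Respond: contain, investigate and resolve, recording each action taken."""
    record.move_to("responding")
    record.actions += [f"contain: lock account {record.account}",
                       "investigate: review source addresses and timeline",
                       "resolve: reset credentials after verifying the owner"]
    record.move_to("resolved")
    return record


def learn(record):
    """Learn the lessons: feed an improvement back to the preventive controls."""
    record.lessons.append("add account lockout below the incident threshold")
    record.move_to("closed")
    return record


def run_pipeline(log_lines):
    """Run all phases and return the resulting records."""
    failures = detect(log_lines)
    records = [assess(r, failures) for r in report(failures)]
    for r in records:
        if r.status == "assessed":      # real incidents only
            learn(respond(r))
    return records


# Constructed sample input (not real log data): alice fails 6 times, bob twice.
SAMPLE_LOG = [f"auth: FAILED login user=alice src=203.0.113.{i}" for i in range(6)]
SAMPLE_LOG += ["auth: FAILED login user=bob src=198.51.100.7",
               "auth: FAILED login user=bob src=198.51.100.7",
               "auth: OK login user=bob src=198.51.100.7"]

if __name__ == "__main__":
    for rec in run_pipeline(SAMPLE_LOG):
        print(rec.status, rec.priority, rec.summary, rec.lessons)
```

Running the script yields a closed high-priority record for alice with three recorded actions and one lesson, and an event-only record for bob that is closed at the assessment stage. The transition table is the part worth keeping in any real tracker: it makes the order of the phases enforceable rather than merely documented.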
Latest available status info
This project used ISO/IEC’s accelerated procedure to upgrade ISO TR 18044 to the status of a full international standard, with only relatively minor changes to fit into the ISO27k set. According to the ISO/IEC JTC1/SC27 secretariat, “ISO/IEC 27035:2011-09-01 (1st edition) cancels and replaces ISO/IEC TR 18044-2004-10-15 (1st edition)”.