ISO/IEC 27035:2016 Information technology — Security techniques — Information security incident management
Information security controls are imperfect in various ways: controls can be overwhelmed or undermined (e.g. by competent hackers, fraudsters or malware), fail in service (e.g. authentication failures), work partially or poorly (e.g. slow anomaly detection), or be more or less completely missing (e.g. not [yet] fully implemented, not [yet] fully operational, or never even conceived due to failures upstream in risk identification and analysis). Consequently, information security incidents are bound to occur to some extent, even in organizations that take their information security extremely seriously.
Managing incidents effectively involves detective and corrective controls designed to recognize and respond to events and incidents, minimize adverse impacts, gather forensic evidence (where applicable) and in due course ‘learn the lessons’ in terms of prompting improvements to the ISMS, typically by improving the preventive controls or other risk treatments.
Information security incidents commonly involve the exploitation of previously unrecognised and/or uncontrolled vulnerabilities, hence vulnerability management (e.g. applying relevant security patches to IT systems and addressing various control weaknesses in operational and management procedures) is part preventive and part corrective action.
Scope and purpose
The standard covers the processes for managing information security events, incidents and vulnerabilities.
The standard expands on the information security incident management section of ISO/IEC 27002. [The 2016 version cross-references that section and explain its relationship to the ISO27k eForensics standards.]
Structure and content
The standard lays out a process with 5 key stages:
- Prepare to deal with incidents e.g. prepare an incident management policy, and establish a competent team to deal with incidents;
- Identify and report information security incidents;
- Assess incidents and make decisions about how they are to be addressed e.g. patch things up and get back to business quickly, or collect forensic evidence even if it delays resolving the issues;
- Respond to incidents i.e. contain them, investigate them and resolve them;
- Learn the lessons - more than simply identifying the things that might have been done better, this stage involves actually making changes that improve the processes.
The standard provides template reporting forms for information security events, incidents and vulnerabilities.
Status of the standard
ISO/IEC 27035 replaced ISO TR 18044. It was published in 2011, then revised and split into three parts.
ISO/IEC 27035-1:2016 Principles of incident management
Scope & purpose: part 1 outlines the concepts and principles underpinning information security incident management and introduces the remaining part/s of the standard. It describes an information security incident management process consisting of five phases, and says how to improve incident management.
Content: the incident management process is described in five phases closely corresponding to the five phases in the first edition:
- Plan and prepare: establish an information security incident management policy, form an Incident Response Team etc.
- Detection and reporting: someone has to spot and report “events” that might be or turn into incidents;
- Assessment and decision: someone must assess the situation to determine whether it is in fact an incident;
- Responses: contain, eradicate, recover from and forensically analyze the incident, where appropriate;
- Lessons learned: make systematic improvements to the organization’s management of information risks as a consequence of incidents experienced.
Annexes give examples of information security incidents and cross-references to the eForensics and ISO/IEC 27001 standards.
Status: part 1 was published in 2016.
Note: some terms differ in the 27035 standards from the definitions stated in ISO/IEC 27000, so be sure to check the definitions carefully if you use this standard.
ISO/IEC 27035-2:2016 Guidelines to plan and prepare for incident response
Scope & purpose: part 2 concerns assurance that the organization is in fact ready to respond appropriately to information security incidents that may yet occur. It addresses the rhetorical question “Are we ready to respond to an incident?” and promotes learning from incidents to improve things for the future. It covers the Plan and Prepare and Lessons Learned€ phases of the process laid out in part 1.
Content: after the usual preamble sections come 8 main clauses:
- Establishing information security incident management policy
- Updating of information security and risk management policies
- Creating information security incident management plan
- Establishing an Incident Response Team (IRT) [aka CERT or CSIRT]
- Defining technical and other support
- Creating information security incident awareness and training
- Testing (or rather exercising) the information security incident management plan
- Lesson learnt
... plus annexes with incident categorization examples, and notes on ‘legal and regulatory aspects’ (mostly privacy in practice).
Status: part 2 was published in 2016.
ISO/IEC 27035-3: incident response within ICT security operations (draft)
Scope & purpose: guidance on managing and responding efficiently to information security incidents.
Content: the initial draft concerns ‘security operations’, specifically the organization and processes necessary to prepare for and respond to incidents.
Status: a skeletal initial draft of part 3 is available to members of SC27.
Notwithstanding the title, the 27035 standards actually concern incidents affecting IT systems and networks although the underlying principles apply also to incidents affecting other forms of information such as paperwork, knowledge, intellectual property, trade secrets and personal information. Unfortunately (as far as I’m concerned), the language is almost entirely IT or ICT related. That, to me, represents yet another opportunity squandered: an ISO27k ISMS includes but goes beyond ‘cyber-security’.
I still don’t understand why this standard was split into three: the separate parts are of little value as discrete standards, divorced from the whole. The poor old customers (hey, remember them?) are presumably expected to buy, reconcile and apply three discrete standards instead of one.