ISO/IEC 27035:2011 Information technology — Security techniques — Information security incident management
Information security controls are imperfect in various ways: controls can fail, work partially, or be completely missing (e.g. not implemented or not operational). Consequently, incidents are bound to happen since preventive controls are not totally reliable and effective.
Managing incidents effectively involves detective and corrective controls designed to minimize adverse impacts, gather forensic evidence (where applicable) and ‘learn the lessons’ in terms of prompting improvements to the ISMS, especially the implementation of more effective preventive controls.
Information security incidents commonly involve the exploitation of previously unrecognised and/or uncontrolled vulnerabilities, hence vulnerability management (e.g. applying relevant security patches to IT systems and addressing control weaknesses in procedures) is part preventive and part corrective action.
Scope and purpose
ISO/IEC 27035 covers the processes for managing information security events, incidents and vulnerabilities.
Structure and content
The standard lays out a process with 5 key stages:
Prepare to deal with incidents e.g. prepare an incident management policy, and establish a competent team to deal with incidents;
Identify and report information security incidents;
Assess incidents and make decisions about how they are to be addressed e.g. patch things up and get back to business quickly, or collect forensic evidence even if it delays resolving the issues;
Respond to incidents i.e. contain them, investigate them and resolve them;
Learn the lessons - more than simply identifying the things that might have been done better, this stage involves actually making changes that improve the processes.
The standard provides template reporting forms for information security events, incidents and vulnerabilities.
Status of the standard
Using ISO/IEC’s accelerated procedure, ISO/IEC 27035 upgraded and replaced ISO TR 18044. It was published in 2011 and is available for CHF184 from the ISO/IEC webstore.
A project is now under way to revise and extend the published ISO/IEC 27035, splitting it into three parts. The scope of the three parts has been agreed by the editorial team. The possibility of introducing a fourth part to the standard concerning the categorization and classification of information security incidents has been discussed at length by the committee: it was resolved to progress the three-part structure, covering this issue in an annex to one of those three parts.
ISO/IEC 27035-1: principles of incident management (draft)
Scope & purpose: part 1 will introduce and outline the remaining two parts.
Content: the incident management process is currently described in five phases:
Plan and prepare: establish an information security incident management policy, form an Incident Response Team etc.
Detection and reporting: someone has to spot and report “events” that might be or turn into incidents;
Assessment and decision: someone must assess the situation to determine whether it is in fact an incident;
Responses: contain, eradicate, recover from and forensically analyze the incident, where appropriate;
Lessons learnt: make systematic improvements to the organization’s management of information security risks as a consequence of incidents experienced.
Status: working draft.
ISO/IEC 27035-2: guidelines to plan and prepare for incident response (draft)
Scope & purpose: part 2 concerns assurance that the organization is in fact ready to respond appropriately to information security incidents that may yet occur. It answers the rhetorical question “Are we ready to respond to an incident?”
Content: the standard encourages organizations to prepare themselves to respond more efficiently and effectively to information security incidents, for example by laying out a scheme for categorizing incidents according to their types.
Status: working draft, new title. Comments on a recent WD were numerous but mostly straightforward.
ISO/IEC 27035-3: guidelines for incident response operations (draft)
Scope & purpose: part 3 will offer guidance on managing and responding efficiently to information security incidents, using some typical incident types to illustrate the approach. It will also cover the establishment, organization and operation of the Incident Response Team.
Content: the draft is a bit of a jumble at present as content is being broken out from the current version of ISO/IEC 27035 into the three new parts.
Status: working draft. Comments on the 2nd WD were numerous but mostly editorial and straightforward in nature.
I am not clear why the standard is being split into three bits. The separate parts are of little value as standalone standards, but only really make sense as parts of the whole. Furthermore, the parts do not even follow the five phase “model” (process) outlined above. The project team seems to be making a relatively straightforward process more complicated and confusing, for reasons that I don’t understand - one of the drawbacks of my being unable to attend recent SC 27 meetings.