ISO/IEC 27035:2011 Information technology — Security techniques — Information security incident management
Information security controls are imperfect in various ways: controls can fail, work partially, or be completely missing (e.g. not implemented or not operational). Consequently, incidents are bound to happen since preventive controls are not totally reliable and effective.
Managing incidents effectively involves detective and corrective controls designed to minimize adverse impacts, gather forensic evidence (where applicable) and ‘learn the lessons’ in terms of prompting improvements to the ISMS, especially the implementation of more effective preventive controls.
Information security incidents commonly involve the exploitation of previously unrecognised and/or uncontrolled vulnerabilities, hence vulnerability management (e.g. applying relevant security patches to IT systems and addressing control weaknesses in procedures) is part preventive and part corrective action.
ISO/IEC 27035 covers the processes for handling information security incidents and vulnerabilities.
The standard lays out a process with five key stages:
1. Prepare to deal with incidents, e.g. prepare an incident management policy and establish a competent team to deal with incidents;
2. Identify and report information security incidents;
3. Assess incidents and make decisions about how they are to be addressed, e.g. patch things up and get back to business quickly, or collect forensic evidence even if it delays resolving the issues;
4. Respond to incidents, i.e. contain them, investigate them and resolve them;
5. Learn the lessons - more than simply identifying the things that might have been done better, this stage involves actually making changes that improve the processes.
The standard provides template reporting forms for information security events, incidents and vulnerabilities.
Status of the standard
Using ISO/IEC’s accelerated procedure, the first part of 27035 upgraded and replaced ISO TR 18044. It was published in 2011 and is available for CHF 184 from the ISO/IEC webstore.
A project is under way to revise and extend ISO/IEC 27035, splitting it into three parts.
The possibility of introducing a fourth part to the standard concerning the categorization and classification of information security incidents has been discussed at length by the committee: it was resolved to progress the three-part structure, covering this issue in an annex to one of the parts.
ISO/IEC 27035-1: title unclear (draft)
Scope & purpose: part 1 will presumably introduce and outline the remaining two parts.
Status: unclear. Watch this space!
ISO/IEC 27035-2: guidelines for incident response readiness (draft)
Scope & purpose: part 2 concerns assurance that the organization is in fact ready to respond appropriately to information security incidents that may yet occur. It answers the rhetorical question “Are we ready to respond to an incident?”
Status: the 1st WD is available to SC27.
ISO/IEC 27035-3: guidelines for incident response operations (draft)
Scope & purpose: part 3 will offer guidance on managing and responding efficiently to information security incidents. It will also cover organization and operation of the Computer Security Incident Response Team.
Status: the 1st WD of 27035-3 is available to SC27.