ISO/IEC 27035-3

ISO/IEC 27035-3:2020 — Information technology — Information security incident management — Part 3: Guidelines for ICT incident response operations

(first edition)

Abstract

ISO/IEC 27035 part 3 “gives guidelines for information security incident response in ICT security operations. [ISO/IEC 27035-3] does this by firstly covering the operational aspects in ICT security operations from a people, processes and technology perspective. It then further focuses on information security incident response in ICT security operations including information security incident detection, reporting, triage, analysis, response, containment, eradication, recovery and conclusion ...” 


[Source: ISO/IEC 27035-3:2020]

Introduction

Part 3 concerns the 'security operations' elements in response to an IT incident. 

Scope

Part 3 concerns the organisation and processes necessary for the information security function to prepare for, and respond to, IT security events and incidents.

Structure

Main clauses:

  • 5: Overview

  • 6: Common types of attacks

  • 7: Incident detection operations

  • 8: Incident notification operations

  • 9: Incident triage operations

  • 10: Incident analysis operations

  • 11: Incident containment, eradication and recovery operations

  • 12: Incident reporting operations

  • Annex A: Example of the incident criteria based on information security events and incidents

Status

The current first edition of part 3 was published in 2020.


In 2025, the standard fell due for review by ISO/IEC JTC 1/SC 27 to decide whether it should be withdrawn, revised or retained as-is.  Watch this space.

Commentary

The standard primarily concerns the IT Department's responses to active, deliberate cyber-attacks, such as major hacks or malware infections (ransomware, for instance).  However, various other kinds of incident may require similar IT-related responses e.g.:

  • Failed software patches, installations, reconfigurations or other changes to systems, applications, networks, services, protocols etc.

  • Inappropriate and damaging automated activities by AI systems and agents, plus incidents relating to shadow-IT and shadow-AI (unauthorised arrangements outside the IT Department's remit).

  • Hardware failures.

  • Business incidents or situations requiring urgent IT responses, such as takeover attempts or mergers.

  • Environmental disasters such as storms, floods, fires, plane crashes, wars, power cuts and telecoms outages.

  • Serious incidents involving the workforce such as pandemics, strikes or mass resignations.

  • Failures of other important security controls, including governance and management controls e.g. serious fraud or exec-level impropriety.

  • Supply chain incidents or those affecting related organisations e.g. other parts of a group structure or multinational enterprise.


Therefore, business continuity and resilience arrangements are inevitably linked to risk, incident and security management, as well as business management.  It's a complex and dynamic mesh of issues, only part of which is covered by this standard.


The standard’s title contains a commonplace but unexpanded abbreviation: ICT.  Plain old "IT" has included communications and networking for decades, so I'm not sure why anyone feels the need to insert the 'C'.

This page last updated:

22 February 2026

© 2026 IsecT Limited 

 
