
ISO/IEC 27035-4

ISO/IEC 27035-4:2024 — Information technology — Information security incident management — Part 4: Coordination

(first edition)

Abstract

ISO/IEC 27035 part 4 “provides guidelines for multiple organizations handling information security incidents in a coordinated manner. It also addresses the impacts of external cooperation on the internal incident management of an individual organization and provides guidelines for an individual organization to adapt to the coordination process. Furthermore, it provides guidelines for the coordination team, if it exists, to perform coordination activities supporting the cross-organization incident response. The principles given in [ISO/IEC 27035-4] are generic and are intended to be applicable to multiple organizations to work together to handle information security incidents, regardless of their types, sizes or nature. Organizations can adjust the guidance given in [ISO/IEC 27035-4] according to their type, sizes and nature of business in relation to the information security risk situation. [ISO/IEC 27035-4] is also applicable to an individual organization that participates in partner relationships.” 


[Source: ISO/IEC 27035-4:2024]

Introduction

Whereas managing routine information security incidents typically involves several departments or teams within an organisation, exceptional/major incidents (such as botnet or phishing attacks) often require collaboration and coordination between the Incident Response Teams of several organisations, often in different countries. In addition to those directly affected, Internet and cloud service providers, law enforcement and maybe the security services may be involved.

Scope

Part 4 is about coordinating responses to major incidents with other implicated, involved or support organisations, such as cloud and network suppliers.

Structure

Main clauses:

  • 4: Overview

  • 5: Coordinated incident management process

  • 6: Guidelines for key activities of coordinated incident management

  • Annex A: Examples of information security incident management coordination

Status

The current first edition was published in 2024.

Commentary

Exercises are an excellent way to plan, practice, prove and improve the coordinated interactions required in an actual incident - from the ground floor operations through the specialist and management levels to the executives in the penthouse suite, among all the participants. Stress levels relating to the ongoing incident are obviously lower in a simulation compared to reality, but stresses relating to the processes being exercised may be higher due to their unfamiliarity: better to get a grip on them now than just wing it in an actual crisis.


Modelling is another useful technique, perhaps using AI-enhanced "digital twins" to simulate the individuals, teams and organisations responding.


Finally, I'll point out that suppliers of cloud, Internet, forensics, insurance and other business services have more opportunities than most to gain competence and expertise in this area as they support multiple clients through various crises, learning by doing.  That's potentially a valuable and hence marketable commercial advantage.

This page last updated:

22 February 2026

© 2026 IsecT Limited 

 
