ISO 27001 Annex: A.16.1.5 Response to Information Security Incidents, A.16.1.6 Learning from Information Security Incidents & A.16.1.7 Collection of Evidence

This article explains ISO 27001 Annex: A.16.1.5 Response to Information Security Incidents, A.16.1.6 Learning from Information Security Incidents & A.16.1.7 Collection of Evidence as part of this policy.

A.16.1.5 Response to Information Security Incidents


Keeping the documented procedures in mind, information security incidents should be resolved.

Implementation Guidance

Organizations and external parties should have a designated point of contact who can respond to incidents of information security.

Responses should include:

– Collecting evidence as soon as possible following an incident;
– Analyze information on forensic security when necessary;
– Escalation where appropriate;
– Document all activities relating to the response in an adequate manner for subsequent analysis;
– Notify other internal or external entities or organizations of every information security incident that occurs or any details related to it;
– Addressing the vulnerabilities that led to the incident or compromised information security;
– Closure and recording of the incident until it is effectively closed.

If appropriate, an investigation should be conducted after the incident to determine what caused the accident.

Other information

The first step in responding to an incident is restoring the daily security level, followed by starting the recovery process.

A.16.1.6 Learning from Information Security Incidents


To reduce the risk of potential accidents, it is recommended to use the experience gained from analyzing and mitigating information security incidents.

Implementation Guidance

Measuring, tracking, and analyzing the forms, quantities, and costs of events related to information security will be a part of the Security Program. The information obtained from the assessment of information security events should be used to determine the recurring or high impact events.

Other Information

To minimize the likelihood, harm, and costs of accidents, or to take into account the security policy analysis process, assess information security accidents that may demand improved or additional controls (see 5.1.2).

With due consideration for confidentiality, real-world data may be used in user awareness training with real-world examples (see 7.2.2) to demonstrate how such events can be handled and how they can be prevented.

A.16.1.7 Collection of Evidence


Information will be obtained, procured and maintained as documentation by the organization, and procedures will be implemented.

Implementation Guidance

External protocols should be established and followed for the treatment of evidence in administrative and legal proceedings.

As a general rule, proof gathering, acquisition, and preservation should conform to various media types, technologies, and device specifications, e.g. based on or off.

Several factors will be considered in the procedure:

– Chain of custody;
– Security evidence
– Security of personnel;
– Roles and responsibilities of the staff;
– Competency of employees;
– Reporting and documentation;
– An overview.

To make sure that the evidence retained is credible, any credentials, such as certification, should be sought where possible.

Forensic evidence frequently extends beyond the scope of associations or jurisdictions. Forensic proof must be allowed to be collected as soon as possible in such cases by the organization. The criteria of the various jurisdictions should also be taken into consideration to optimize admission opportunities across the qualified jurisdictions.

Other Information

For the detection and recording of possible evidence, identification is required. The collection process is the process of gathering physical objects containing possible evidence. An acquisition procedure involves creating a copy of data in a package. Preservation is the process of preserving probable evidence.

Unless an information security issue is identified first, it may not be clear whether or not the incident would result in legal action. Consequently, the proof of the incident can be lost intentionally or inadvertently before the seriousness of it becomes apparent. If legal proceedings are to be taken, or should guidance be sought on the facts, then a lawyer or the police should be consulted at an early age.

ISO / IEC 27037 provides recommendations for identifying, collecting, acquiring, and preserving digital evidence.

Related Questions

1. Definition of ISO 27001 Annex: A.16.1.5 Response to Information Security Incidents
2. How would you describe a security incident?
3. What are the 114 control measures of ISO 27001?
4. What is ISO 27001 Annex: A.16.1.5 Response to Information Security Incidents?
5. What are the controls in ISO 27001?

About Author /

Start typing and press Enter to search