ISO/IEC 27035:2016+ – Information technology – Security techniques – Information security incident management (published parts 1 – 3, draft part 4)
Information security controls are imperfect in several ways: they can be undermined or overwhelmed (by skilled hackers, fraudsters, or malicious software), fail to function as expected (e.g. slow anomaly detection), perform partially or poorly, or be missing entirely (i.e. not yet fully in place, not yet fully functional, or never conceived because of shortcomings in risk identification and analysis). So even in organizations that take information security very seriously, information security incidents are bound to occur to some extent.
As part of an incident management system, detective and corrective controls are built to identify incidents, respond to them, minimize their adverse impacts, gather forensic evidence (where applicable), and in due course improve the ISMS, most often by improving the preventive controls or other risk management measures.
Many information security incidents result from exploiting previously unknown or uncontrolled vulnerabilities, therefore vulnerability management (for example, patching of IT systems and making sure operations and management policies are tightly controlled) serves both preventative and corrective purposes.
Scope and objectives
Among the topics covered by the standard are the processes for managing security incidents, security events, and vulnerabilities.
In the standard, the information security incident management section of ISO/IEC 27002 is expanded. It provides cross-references for that section and explains its relationship to ISO 27k eForensics standards.
Structure and content
There are five key stages outlined in the standard:
1. Prepare to respond to incidents, such as preparing a policy for incident management and creating a team that can handle incidents;
2. Identify and report incidents related to information security;
3. Assess incidents and decide how to address them, for example, patching things up and getting back to business quickly, or gathering forensic evidence even if this is time-consuming;
4. Handle incidents by containing them, investigating them, and resolving them;
5. Make improvements to the processes – this is more than simply identifying the things that could have been done better.
Templates are provided for reporting incidents, events, and vulnerabilities associated with information security.
Note: There are differences in how some terms are defined between the ISO/IEC 27000 and 27035 standards, so make sure you check the definitions carefully.
The standard’s status
ISO TR 18044 was replaced by ISO/IEC 27035. The initial publication was in 2011 as one standard, then it was revised and separated into three and then four parts.
ISO/IEC 27035-1:2016 – Information security incident management — Part 1: Incident management principles
Objectives: Part 1 introduces the concepts and principles underpinning the information security incident management standard and its subsequent parts. A five-phase incident management process is described, along with recommendations for improving incident management.
Content: The incident management process is outlined in five phases closely related to those described in ISO/IEC 27035:2011:
1. Plan and prepare: set up a policy for handling information security incidents, convene an incident response team, etc.;
2. Detection and reporting: identify and report “events” that might become incidents;
3. Assessment and decision: assess the situation to determine whether it is an incident;
4. Responses: contain the incident, eliminate it, recover from it, analyze it forensically;
5. Lessons learnt: improve the organization’s capability to manage information risks after incidents occur.
The annexes provide examples of information security incidents and cross-references to the eForensics and ISO/IEC 27001 standards.
Status: The first part was published in 2016.
To keep up with ISO/IEC 27002, Part 1 is now being revised.
In the current state of revision, the new title is: “Information technology – Information security incident management – Part 1: Principles and process”. A mid-2023 publication date has been set.
ISO/IEC 27035-2:2016 — Information security incident management — Part 2: Implementation guidelines to plan and prepare for incident response
Scope & purpose: The objective is to assess whether the organization is adequately prepared to handle any information security incidents that may arise. It asks the rhetorical question “Are we prepared for an incident?” and encourages continuous improvement based on learning from incidents. It covers the Plan and Prepare phase and the Lessons Learnt phase of the process described in Part 1 – the beginning and the end.
Content: Following the usual preamble sections, we have eight main clauses:
1. Establishing a policy for managing information security incidents
2. Keeping information security policies and procedures up to date
3. Developing a plan to manage information security incidents
4. Creating an Incident Response Team [i.e. CERT, CSIRT etc.]
5. Defining technical support and other services
6. Creating awareness and training for information security incidents
7. Developing an information security incident management plan and testing it (or rather exercising it)
… as well as annexes with incident identification examples and a section on legal issues (mostly privacy-related).
Status: Part 2 of this standard was published in 2016.
As part of the ongoing revision of ISO/IEC 27002, Part 2 is being revised. Currently, the revision is at the 2nd Committee Draft stage, under the title: “Information technology – Information security incident management – Part 2: Guidelines to plan and prepare for incident response”. Mid-2023 is the expected publication date.
There will be a new section on “Establishing internal and external relationships”.
ISO/IEC 27035-3:2020 — Information security incident management — Part 3: Guidelines for ICT incident response operations
Scope & purpose: This part examines ‘security operations’, namely the organizational and operational processes required by information security functions to prepare for and respond to ICT security incidents and events – in most instances, attacks that are actively planned and purposeful.
Here are some of the highlights (in part):
“This document provides the guidelines for ICT incident response operations. This document is not concerned with non-ICT incident response operations such as loss of paper-based documents. The guidelines are based on the ‘Detection and Reporting’ stage, the ‘Assessment and Decision’ phase and the ‘Responses’ stage of the ‘Information security incident management phases’ structure as outlined in ISO/IEC 27035-1:2016.”
Content: A step-by-step analysis of the core parts of an incident response process, such as notification, detection, analysis, containment, removal, and recovery.
Status: Part 3 was released in 2020.
ISO/IEC 27035-4 — Information security incident management — Part 4: Coordination (draft)
Scope & purpose: In managing major incidents, several organizations may be affected or directly involved. It is, therefore, necessary to coordinate the response among their Incident Response Teams.
Content: In this standard, the concept of Coordinated Incident Management is described and its application analyzed throughout the full incident life cycle – from the planning stage to the lessons learned phase – in collaboration with ‘communities’ (like supply chains or networks) that share a common interest.
Status: Part 4 was initiated in 2020, and the first working draft is complete. It is set for publication in 2024.
Despite the name, the ISO/IEC 27035 standards specifically address incidents affecting IT systems and networks, although they are meant to apply to other types of information as well, including documents, knowledge, intellectual property, and trade secrets. However, in my opinion (at least for now), the language is primarily IT-related. This, to me, is yet another missed opportunity: ISO27k covers more than just IT/cybersecurity. In situations where IT elements are incidental to a business, how do organizations deal with fraud and piracy?
In the incident management process, the ISO27k standard would benefit from an explicit description of how information risks are handled. Since not every incident can be detected and responded to, a portion of the risk cannot be avoided (e.g. low-level attacks that go unnoticed, hacks and malware attacks that deliberately evade or neutralize detection and prevention measures), while other portions might be shared with third parties (e.g. business partners and insurance companies) or prevented (by strengthening preventive controls, for example). I believe that this standard should also be integrated with ISO 22301, for example, as responding to a major incident may involve implementing business continuity arrangements.