Incident Response and ISO 27035 Standard
Introduction to Incident Response
The ISO 27035 standard (formally ISO/IEC 27035) provides guidelines for managing information security incidents: detecting and reporting them, assessing whether they are incidents, responding to them, and learning from them afterwards.
Incident response is the planned handling of a security incident (in the standard's terms, an information security incident) from the moment it is detected until normal operation is restored. Its goal is a structured sequence of phases that keeps the incident manageable, limits the damage, reduces the cost of handling it, and feeds the lessons learned back into the organisation's controls.
Security policies and controls reduce the likelihood of incidents but do not eliminate them. An organised plan for the incidents that do occur therefore has a direct effect on how much damage the business suffers.
ISO 27035 Overview
- Part 1: Concepts and Incident Response Phases. ISO 27035-1 defines the basic concepts and the five phases of incident management, and describes how to structure the process so that incidents remain manageable.
- Part 2: Planning and Preparation. ISO 27035-2 gives guidance on planning and preparing for incident response: the policy, the team, the tooling and the training that must be in place before an incident occurs.
Key Definitions in ISO 27035
Term | Description |
---|---|
Information Security Investigation | Analysis and interpretation to aid understanding of an Information Security Incident. |
Incident Response Team (IRT) | Team within an organization that handles incidents throughout their lifecycle. |
Information Security Event | Occurrence indicating a possible breach or failure of controls. |
Information Security Incident | One or more related events that can damage an organization’s assets or operations. |
Incident Handling | Actions taken to detect, assess, respond to, and learn from Information Security Incidents. |
Incident Response | Actions taken to mitigate or resolve an Information Security Incident and restore normal operations. |
Point of Contact (POC) | Person or department coordinating incident management activities. |
Objectives of ISO 27035
- Detect and report information security events, and assess whether each one is an incident.
- Ensure business continuity and cyber security resilience.
- Learn from past incidents to improve future responses and the controls that failed.
- Apply a structured, repeatable approach to incident management.
- Raise the organisation's security level by acting on the events and incidents it identifies.
- Minimise the negative impact of incidents on the business.
Phases of ISO 27035
- Planning and preparation: create the incident management policy and procedures, form the Incident Response Team (IRT), put monitoring and reporting tools in place, and train staff so that events are recognised and reported.
- Detection and reporting: collect information, monitor networks and systems, recognise security events and record them, so that every event has a documented source, time and reporter.
- Assessment and decision: assess each reported event against agreed criteria to decide whether it is an information security incident and how severe it is, assign it to the responsible people (the POC and the IRT), and keep the record up to date.
- Response: contain the incident, remove its cause and recover the affected systems, escalating to forensic investigation where needed, and decide when the incident is under control and can be closed.
- Lessons learnt: review what happened and how the IRT performed, identify improvements to controls, detection and the process itself, and feed them back into planning.
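As an added example (not from the standard or from this article), the script below walks constructed sshd-style log lines through the five phases: it parses the lines, identifies and documents events (five failed logins from one source against one host inside 60 seconds, a threshold chosen for the example), assesses each event to decide whether it is an incident (the criterion used here is a successful login after the failure burst), records the decision and the containment actions, and produces a lessons-learnt summary. The hostnames, addresses, role names and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sshd-style sample lines; hosts and addresses are hypothetical.
SAMPLE_LOGS = """\
2024-05-01T10:00:01 host1 sshd: Failed password for admin from 198.51.100.7
2024-05-01T10:00:03 host1 sshd: Failed password for admin from 198.51.100.7
2024-05-01T10:00:05 host1 sshd: Failed password for admin from 198.51.100.7
2024-05-01T10:00:06 host1 sshd: Failed password for root from 198.51.100.7
2024-05-01T10:00:08 host1 sshd: Failed password for admin from 198.51.100.7
2024-05-01T10:00:20 host1 sshd: Accepted password for admin from 198.51.100.7
2024-05-01T10:05:00 host2 sshd: Failed password for alice from 203.0.113.9
2024-05-01T10:05:01 host2 sshd: Failed password for alice from 203.0.113.9
2024-05-01T10:05:02 host2 sshd: Failed password for alice from 203.0.113.9
2024-05-01T10:05:03 host2 sshd: Failed password for alice from 203.0.113.9
2024-05-01T10:05:04 host2 sshd: Failed password for alice from 203.0.113.9
2024-05-01T11:00:00 host3 sshd: Accepted publickey for bob from 192.0.2.4
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) \S+ for (?P<user>\S+) from (?P<src>\S+)$")


@dataclass
class Record:
    """The documented record that follows an event through every phase."""
    kind: str                      # "event" until assessed, then "event" or "incident"
    host: str
    src: str
    severity: str = "unassessed"
    assigned_to: str = "unassigned"
    status: str = "open"
    timeline: list = field(default_factory=list)   # (timestamp, note) pairs
    response: list = field(default_factory=list)   # actions decided in the response phase


def parse(text):
    """Turn raw log text into structured entries; count unparsable lines rather than dropping them silently."""
    entries, skipped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        entries.append(d)
    return entries, skipped


def identify(entries, threshold=5, window=timedelta(seconds=60)):
    """Detection and reporting: `threshold` failures from one source against one host inside
    `window` is an information security event (both values are assumptions for the example)."""
    by_key = defaultdict(list)
    for e in entries:
        by_key[(e["host"], e["src"])].append(e)
    records = []
    for (host, src), evs in by_key.items():
        failures = sorted(e["ts"] for e in evs if e["result"] == "Failed")
        for i in range(len(failures) - threshold + 1):
            if failures[i + threshold - 1] - failures[i] > window:
                continue
            rec = Record(kind="event", host=host, src=src)
            rec.timeline.append((failures[i], f"{threshold} failed logins from {src} within {window.seconds}s"))
            # Document any later success from the same source; the assessment phase decides what it means.
            for e in evs:
                if e["result"] == "Accepted" and e["ts"] > failures[i]:
                    rec.timeline.append((e["ts"], f"successful login as {e['user']} after the failures"))
            records.append(rec)
            break  # one record per burst
    return records


def assess(rec):
    """Assessment and decision: an event becomes an incident only if it can harm assets;
    here the criterion is a successful login following the failure burst."""
    compromised = any("successful login" in note for _, note in rec.timeline)
    if compromised:
        rec.kind, rec.severity, rec.assigned_to = "incident", "high", "IRT on-call"
    else:
        rec.kind, rec.severity, rec.assigned_to = "event", "low", "SOC analyst"
    rec.timeline.append((rec.timeline[-1][0], f"assessed as {rec.kind} ({rec.severity}); assigned to {rec.assigned_to}"))
    return rec


def respond(rec):
    """Response: decide containment and recovery actions and record them (nothing is executed here)."""
    if rec.kind == "incident":
        rec.response += [f"block {rec.src} at the perimeter",
                         f"disable and re-credential the affected account on {rec.host}",
                         "preserve auth logs and shell history for investigation"]
        rec.status = "contained"
    else:
        rec.response.append(f"add {rec.src} to the watchlist; no account action needed")
        rec.status = "closed"
    return rec


def lessons_learnt(records):
    """Lessons learnt: summarise the run so thresholds, controls and IRT handling can be reviewed."""
    summary = {"events": 0, "incidents": 0, "open": 0, "sources": sorted({r.src for r in records})}
    for r in records:
        summary[r.kind + "s"] += 1
        summary["open"] += r.status == "open"
    return summary


def run(text=SAMPLE_LOGS):
    entries, skipped = parse(text)
    records = [respond(assess(r)) for r in identify(entries)]
    return records, lessons_learnt(records), skipped
```

Calling `run()` on the sample produces one incident (host1, where the burst was followed by a successful login) and one low-severity event (host2, failures only); host3's single key-based login produces nothing. The point of the `Record` type is that the same object carries the timeline, the assessment, the assignment and the response, which is the documentation the standard expects to exist for every event from detection through closure.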
Conclusion
ISO 27035 provides a structured framework for effective incident response management, helping organizations mitigate the impact of security incidents and improve their overall cyber resilience. By following the guidelines and phases outlined in ISO 27035, organizations can better protect their assets and maintain business continuity in the face of evolving cyber threats.