Incident response and ISO 27035 Standard


Introduction to Incident Response

The ISO 27035 standard provides guidelines on how to effectively manage Information Security Incident responses in digital systems.

Incident response is a planned approach to addressing and managing the aftermath of a cyber attack, also known as an Information Security Incident or security incident. Its goal is to organize the work into phases so that the incident is managed, damage is minimized, and costs are reduced, by following a structured approach to detecting, reporting, assessing, and responding to incidents and then applying the lessons learned.

Even with security policies in place, incidents can still occur. Having an organized plan for handling them therefore has a significant effect on how well the business weathers an incident.

ISO 27035 Overview

  1. Part 1: Concepts and Incident Response Phases

    The first part defines the concepts and phases of incident response, emphasizing how to enhance manageability.

  2. Part 2: Planning and Preparation

    This part outlines how to plan and prepare the response to an incident.

Key Definitions in ISO 27035

| Term | Description |
|------|-------------|
| Information Security Investigation | Analysis and interpretation to aid understanding of an Information Security Incident. |
| Incident Response Team (IRT) | Team within an organization that handles incidents throughout their lifecycle. |
| Information Security Event | Occurrence indicating a possible breach or failure of controls. |
| Information Security Incident | One or more related events that can damage an organization’s assets or operations. |
| Incident Handling | Actions taken to detect, assess, respond to, and learn from Information Security Incidents. |
| Incident Response | Actions taken to mitigate or resolve an Information Security Incident and restore normal operations. |
| Point of Contact (POC) | Person or department coordinating incident management activities. |

Objectives of ISO 27035

  • Identify information security events and classify them as incidents when necessary.
  • Ensure business continuity and cyber security resilience.
  • Learn from past incidents to improve future responses.
  • Utilize a structured approach to incident management.
  • Enhance security by identifying and acting on information security events or incidents.
  • Minimize negative impacts on the business.

Phases of ISO 27035

  1. Planning and Preparation

    Includes creating incident management policies, forming an Incident Response Team (IRT), and educating team members to improve awareness.

  2. Identification and Documentation

    Involves collecting information, monitoring networks and systems, identifying issues, and documenting security events.

  3. Evaluation and Decision

    Assigns responsibility for managing the incident and ensures it is appropriately documented.

  4. Response

    Determines if the incident is contained and resolves it by taking appropriate actions.

  5. Learning

    Reviews lessons learned, identifies areas for improvement, and evaluates the performance of the Incident Response Team.
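To make the vocabulary from the definitions table and the ordering of the phases concrete, here is a small incident-lifecycle model written for this page; it is an added illustration, not code from ISO 27035 or from any tool the post mentions. It separates security events (single observations) from an incident (a group of related events), enforces that records move only through the phases listed above, and refuses any transition that is not documented. The correlation rule (same asset, within a time window, at least two related events), the phase names as enum values, the identifiers and the sample events are all constructed assumptions for the example.

```python
"""Added illustration of the ISO 27035 event/incident vocabulary and phase ordering.
Names, thresholds and sample events are constructed for this example, not taken
from the standard."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum


class Phase(Enum):
    """Phases a record passes through; 'Planning and Preparation' happens before any incident."""
    IDENTIFICATION = "identification_and_documentation"
    EVALUATION = "evaluation_and_decision"
    RESPONSE = "response"
    LEARNING = "learning"
    CLOSED = "closed"


# Legal transitions. Evaluation may close a record directly when the related
# events turn out not to be an incident (a false positive) -- an assumption here.
TRANSITIONS = {
    Phase.IDENTIFICATION: {Phase.EVALUATION},
    Phase.EVALUATION: {Phase.RESPONSE, Phase.CLOSED},
    Phase.RESPONSE: {Phase.LEARNING},
    Phase.LEARNING: {Phase.CLOSED},
    Phase.CLOSED: set(),
}


@dataclass(frozen=True)
class SecurityEvent:
    """An information security event: an occurrence that may indicate a breach or control failure."""
    event_id: str
    asset: str
    description: str
    observed_at: datetime


@dataclass
class Incident:
    """An information security incident: one or more related events, tracked through the phases."""
    incident_id: str
    events: list
    phase: Phase = Phase.IDENTIFICATION
    log: list = field(default_factory=list)  # (timestamp, phase, actor, note): the documentation trail

    def advance(self, new_phase: Phase, actor: str, note: str, at: datetime) -> None:
        """Move to the next phase; every step must be legal and documented with a non-empty note."""
        if not note.strip():
            raise ValueError("each phase transition must be documented")
        if new_phase not in TRANSITIONS[self.phase]:
            raise ValueError(f"illegal transition {self.phase.name} -> {new_phase.name}")
        self.log.append((at, new_phase, actor, note))
        self.phase = new_phase


def correlate(events, window: timedelta, min_related: int):
    """Group events on the same asset that fall within `window` of the previous one.
    Groups with at least `min_related` events become incident records; lone events stay events."""
    by_asset = {}
    for ev in sorted(events, key=lambda e: e.observed_at):
        by_asset.setdefault(ev.asset, []).append(ev)

    incidents = []

    def flush(group):
        if len(group) >= min_related:
            incidents.append(Incident(f"INC-{len(incidents) + 1:04d}", list(group)))

    for evs in by_asset.values():
        group = [evs[0]]
        for ev in evs[1:]:
            if ev.observed_at - group[-1].observed_at <= window:
                group.append(ev)
            else:
                flush(group)
                group = [ev]
        flush(group)
    return incidents


def illegal_skip_rejected() -> bool:
    """The state machine refuses to jump from identification straight to response."""
    inc = Incident("INC-TEST", [])
    try:
        inc.advance(Phase.RESPONSE, "analyst", "attempt to skip evaluation", datetime(2024, 1, 1))
    except ValueError:
        return True
    return False


def demo():
    """Constructed sample: three related events on one host plus one unrelated event elsewhere."""
    t0 = datetime(2024, 1, 15, 9, 0, 0)
    events = [
        SecurityEvent("EV-1", "srv-db01", "failed admin login", t0),
        SecurityEvent("EV-2", "srv-db01", "failed admin login", t0 + timedelta(minutes=2)),
        SecurityEvent("EV-3", "srv-db01", "new local account created", t0 + timedelta(minutes=4)),
        SecurityEvent("EV-4", "ws-042", "antivirus signature update failed", t0 + timedelta(minutes=3)),
    ]
    incidents = correlate(events, window=timedelta(minutes=10), min_related=2)
    inc = incidents[0]  # only srv-db01 has enough related events; EV-4 remains a lone event
    inc.advance(Phase.EVALUATION, "poc", "IRT assessed related events on srv-db01; classified as incident", t0 + timedelta(minutes=15))
    inc.advance(Phase.RESPONSE, "irt", "host isolated, credentials reset, rogue account removed", t0 + timedelta(minutes=30))
    inc.advance(Phase.LEARNING, "irt", "post-incident review: enforce MFA on admin accounts", t0 + timedelta(days=2))
    inc.advance(Phase.CLOSED, "poc", "improvement actions tracked; incident closed", t0 + timedelta(days=3))
    return incidents


if __name__ == "__main__":
    for inc in demo():
        print(inc.incident_id, inc.phase.value, [e.event_id for e in inc.events])
        for entry in inc.log:
            print("  ", *entry)
```

Running the script produces one incident record containing EV-1 to EV-3 with a four-entry documentation trail, while the unrelated event on ws-042 is never promoted to an incident; that is the event-versus-incident distinction the definitions table draws. The `log` list is the artefact the Learning phase reviews, which is why `advance` refuses undocumented transitions.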


ISO 27035 provides a structured framework for effective incident response management, helping organizations mitigate the impact of security incidents and improve their overall cyber resilience. By following the guidelines and phases outlined in ISO 27035, organizations can better protect their assets and maintain business continuity in the face of evolving cyber threats.
