Incident response and ISO 27035 Standard

The ISO 27035 standard gives guidelines on how to deal with information security incident response in digital systems.

First of all, what is an incident response?

An incident response is a planned approach that helps us address and manage the aftermath of a cyber attack, also called an information security incident or security incident.

The goal is to organize the work into phases that allow us to manage the incident, minimize the damage and reduce costs by following a structured approach to detecting, reporting, assessing and responding to incidents, and applying lessons learnt.

Security policies don’t guarantee complete protection of your systems and information: incidents can always occur, and this is why having an organized plan to deal with them can have a significant impact on your business.

ISO 27035

1. The first part of ISO 27035 defines the concepts and the phases of incident response and how to improve its manageability.

2. The second part of ISO 27035 defines how to plan and prepare the response to an incident.

ISO 27035 defines the following terms:

Information security investigation – analysis and interpretation to aid understanding of the information security incident.

Incident response team (IRT) – a team of trusted members within the organization, with the right skills, that handles incidents throughout their lifecycle.

Information security event – an occurrence indicating a possible breach of information security or failure of controls (for example, an alarm from an Intrusion Detection System that tells you that you are under attack).

Information security incident – one or multiple related information security events that can damage an organization’s assets or compromise its operations.

Information security incident management – the consistent exercise of an effective approach that teaches your team how to handle an information security incident.

Incident handling – the phase where the incident is actually handled: the actions of detecting, reporting, assessing, responding to, dealing with and learning from information security incidents.

Incident response – in this phase actions are taken to mitigate or resolve an information security incident, including those taken to protect and restore the normal operation of an information system and the information stored in it.

Point of contact (POC) – a person or department whose function or role is to coordinate information concerning incident management activities.

Some of the objectives of ISO 27035 are:

• Identifying information security events and dealing with them by deciding when to classify them as security incidents. Once classified as such, incidents are evaluated and responded to in a proper and efficient manner.

• Guaranteeing business continuity and cyber security resilience.

• Learning from past incidents and improving your response to future incidents.

• Utilizing a structured approach.

• Improving security by identifying and choosing how to act when faced with an information security event or an information security incident.

• Reducing the negative impact on the business itself.

Phases of ISO 27035

Planning and preparation

In this phase we define the information security incident management policies, create the IRT (Incident Response Team), and brief and train its members to evaluate their awareness. Here the organization prepares itself to manage incidents from both a documentary and a procedural point of view.

Identification and documentation

This phase includes the collection of information from inside and outside the organization, the monitoring of the network and systems, the identification of problems and alerting in case of anomalies, and the documentation of information security events.

Evaluation and decision

Assign responsibility for managing the information security incident, making sure that all parties create and provide the right documentation.

Response

Determine whether the incident is under control, and resolve it by containing and eliminating it.

Lessons learnt

Identify the lessons learned, identify areas that have room for improvement and evaluate the performance of the IRT.
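The lifecycle above, as an added Python example that is not part of the original post or of the standard: constructed events are correlated into an incident following the event/incident definitions given earlier, and each phase (identification, evaluation, response, lessons learnt) leaves a documentation entry in the incident's trail. The asset names, the ten-minute window and the three-event threshold are assumptions, not rules from ISO 27035.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class SecurityEvent:  # information security event, e.g. an IDS alarm (ISO 27035 term)
    time: datetime
    asset: str
    detail: str
@dataclass
class Incident:  # one or more related events that may damage an asset
    asset: str
    events: list
    trail: list = field(default_factory=list)  # (phase, note) documentation trail

def correlate(events, window=timedelta(minutes=10), threshold=3):
    """Identification and evaluation: events on the same asset within `window` of each other
    are related; `threshold`+ related events become an incident (assumed rule), fewer stay events."""
    groups = []
    for ev in sorted(events, key=lambda e: e.time):
        for g in groups:
            if g[-1].asset == ev.asset and ev.time - g[-1].time <= window:
                g.append(ev)
                break
        else:
            groups.append([ev])
    incidents, events_only = [], []
    for g in groups:
        if len(g) >= threshold:
            inc = Incident(g[0].asset, g)
            inc.trail.append(("identification", f"{len(g)} related events documented"))
            inc.trail.append(("evaluation", "classified as incident; assigned to IRT"))
            incidents.append(inc)
        else:
            events_only.extend(g)
    return incidents, events_only

def respond_and_close(inc, actions, lessons):
    """Response and lessons-learnt phases: record each action, then the lessons, then close."""
    for action in actions:
        inc.trail.append(("response", action))
    inc.trail.append(("lessons_learnt", lessons))
    inc.trail.append(("closed", "incident resolved"))
    return inc

# Constructed sample events: hypothetical assets, times and alert texts, not real alerts.
T = datetime(2024, 1, 1, 9, 0)
SAMPLE = [SecurityEvent(T, "db-01", "IDS: repeated failed logins"),
          SecurityEvent(T + timedelta(minutes=4), "db-01", "IDS: suspicious query pattern"),
          SecurityEvent(T + timedelta(minutes=7), "db-01", "EDR: unknown process started"),
          SecurityEvent(T + timedelta(minutes=2), "web-02", "WAF: one blocked request")]
```

Running `correlate(SAMPLE)` escalates the three related db-01 events to one incident while the single web-02 event stays a documented event; `respond_and_close` then completes the trail.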
