Skip to main content
Mar 27, 2019 Craig Thornton

ISO 27001 Information Security Management Standard - Clause A.16

Part 35 - A16 Information Security Incident Management 

A key part of any management system is the capturing of incidents and improvements.

ISO 27001 is no different.

Any time you have an incident it is like finding gold. An incident gives you an indication that you have a weakness in your management system. An incident shows your where your weaknesses are. It can show you where your vulnerabilities are.

The objective of this clause of the annex A is to ensure your organisation has a consistent and effective approach to the management of information security incidents.  This includes the communication of security events and weaknesses.

The clause breaks the requirements into 7 areas for you to manage:

  1. Responsibilities and procedures.
  2. Reporting information security events
  3. Reporting information security weaknesses
  4. Assessment of and decision on information security events
  5. Response to information security incidents
  6. Learning from information security incidents
  7. Collection of evidence

Information-security-Incident-management

 

A.16.1.1 Responsibilities and procedures

You need to establish management responsibilities and procedures to ensure a quick, effective and orderly response to information security incidents.

Here at Mango we updated our procedures, job descriptions and provided training for Management to ensure they have a “quick, effective and orderly response to information security incidents”.

 

A.16.1.2 Reporting Information Security Events

In ISO 2700 the definition of an information security events is “identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of controls, or a previously unknown situation that may be security relevant”.

So those events need to be reported through appropriate management channels as quickly as possible.

Events aren’t incidents.  So you need to treat them cautiously as in time they may become an incident.

For example here at Mango CERT NZ sends out alerts about know security issues.  Mango’s Security Information Officer then notifies staff of these events and logs then in Mango as an Information Security Event.

 

A.16.1.3 Reporting Information Security Weaknesses 

For this clause your employees and contractors are required to note and report any observed or suspected information security weaknesses in systems or services.

As hackers and malware are becoming more and more cunning your employees and contractors need to be alert at all times to strange behaviour or weaknesses.  Anything suspicious needs to be reported even if there is no issue. 

Here at Mango we talk about this monthly at our all company Management Review meeting.  We discuss each information security event and look for patterns and the like.

 

A.16.1.4 Assessment of and Decision on Information Security Events

When you have an information security event then you need to assess it and decide if they are to be classified as information security incidents.

Here at Mango the Information Security Officer, in discussion with other technical advisors decides if an event becomes an incident.

 

A.16.1.5 Response to Information Security Incidents

In ISO 2700 the definition of an information security incident is “single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security”.

When you have an information security incidents you need to respond to it in accordance with your documented procedures.

Here at Mango we have a document procedure for information security incidents.

The procedure is straight forward.  Here it is here:

  1. All information security issues are to be reported and managed through the Improvement module in Mango.
  2. This includes suspected security weaknesses in systems or services.
  3. The Improvements module will manage the communication to relevant employees and managers
  4. Information security events will be assessed to identify whether they are classified as Information Security Incidents.
  5. All evidence relating to the investigation will be captured in the Improvement record

 

A.16.1.6

Your knowledge gained from analysing and resolving information security incidents needs to be used to reduce the likelihood or impact of future incidents.

Here at Mango we discuss each incident in the all staff Management Review meeting.  The root causes and the knowledge gained is discussed and debated with all the staff.

 

A.16.1.7

When you are capturing information security events and incidents you need to define and apply procedures for the identification, collection, acquisition and preservation of information, which can all serve as evidence.

Here at Mango the Mango application captures all this evidence for us.

 

Takeaways

  1. Define responsibilities and procedures to all employees and contractors.
  2. Report your information security events
  3. Report your information security weaknesses
  4. Assess and decide if information security events become incidents
  5. Report and respond to your information security incidents
  6. Learning from information security incidents
  7. Collect the evidence of events and incidents.


View previous blogs in this series "ISO 27001 Information Security Management Standard":

Part 1 - Reasons why you need to meet this standard

Part 2 - Principle 1 - Analysing the Protection of Your Information and then Applying Controls

Part 3 - Principle 2 - Awareness of the Need for Information Security

Part 4 - Principle 3 - Assignment of Responsibility for Information Security

Part 5 - Principle 4 - Incorporating Management Commitment and the Interests of Stakeholders

Part 6 - Principle 5 - Enhancing Societal Values

Part 7 - Principle 6 - Risk assessments determining appropriate controls to reach acceptable levels of risk

Part 8 - Principle 7 - Security incorporated as an essential element of information networks and systems

Part 9 - Principle 8 - Active prevention and detection of information security incidents

Part 10 - Principle 9 - Ensuring a comprehensive approach to information security management

Part 11 - Principle 10 - Continual reassessment of information security and making of modifications as appropriate

Part 12 - ISO 27001 Information Security Management Standard: Clauses 0, 0.1, 0.2, 1, 2 and 3

Part 13 - ISO 27001 Information Security Management Standard: Clauses 4.1, 4.2, 4.3 and 4.4

Part 14 - ISO 27001 Information Security Management Standard: Clause 5.1

Part 15 - ISO 27001 Information Security Management Standard: Clause 5.2

Part 16 - ISO 27001 Information Security Management Standard: Clause 5.3

Part 17 - ISO 27001 Information Security Management Standard: Clause 6.1

Part 18 - ISO 27001 Information Security Management Standard: Clause 6.2

Part 19 - ISO 27001 Information Security Management Standard: Clauses 7.1 - 7.4

Part 20 - ISO 27001 Information Security Management Standard: Clause 7.5

Part 21 - ISO 27001 Information Security Management Standard: Clauses 8.1, 8.2, 8.3

Part 22 - ISO 27001 Information Security Management Standard: Clauses 9.1, 9.2, 9.3

Part 23 - ISO 27001 Information Security Management Standard: Clauses 10.1, 10.2

Part 24 - ISO 27001 Information Security Management Standard: Clause A5

Part 25 - ISO 27001 Information Security Management Standard: Clause A6

Part 26 - ISO 27001 Information Security Management Standard: Clause A7

Part 27 - ISO 27001 Information Security Management Standard: Clause A8

Part 28 - ISO 27001 Information Security Management Standard: Clause A9

Part 29 - ISO 27001 Information Security Management Standard: Clause A10

Part 30 - ISO 27001 Information Security Management Standard: Clause A11

Part 31 - ISO 27001 Information Security Management Standard: Clause A12 

Part 32 - ISO 27001 Information Security Management Standard: Clause A13

Part 33 - ISO 27001 Information Security Management Standard: Clause A14

Part 34 - ISO 27001 Information Security Management Standard: Clause A15

Published by Craig Thornton March 27, 2019