A key part of any management system is the capturing of incidents and improvements.
ISO 27001 is no different.
Any time you have an incident it is like finding gold. An incident tells you that there is a weakness somewhere in your management system: it shows you where your controls failed and can show you where your vulnerabilities are.
The objective of this clause of Annex A (A.16, information security incident management) is to ensure your organisation has a consistent and effective approach to the management of information security incidents. This includes the communication of security events and weaknesses.
The clause breaks the requirements into seven areas for you to manage:
You need to establish management responsibilities and procedures to ensure a quick, effective and orderly response to information security incidents.
Here at Mango we updated our procedures, job descriptions and provided training for Management to ensure they have a “quick, effective and orderly response to information security incidents”.
In ISO/IEC 27000 the definition of an information security event is an “identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of controls, or a previously unknown situation that may be security relevant”.
So those events need to be reported through appropriate management channels as quickly as possible.
Events aren’t incidents, so you need to treat them cautiously: in time an event may become an incident.
For example, here at Mango CERT NZ sends out alerts about known security issues. Mango’s Information Security Officer then notifies staff of these events and logs them in Mango as an Information Security Event.
For this clause your employees and contractors are required to note and report any observed or suspected information security weaknesses in systems or services.
As hackers and malware become more and more cunning, your employees and contractors need to be alert at all times to strange behaviour or weaknesses. Anything suspicious needs to be reported, even if it turns out there is no issue.
Here at Mango we talk about this monthly at our all company Management Review meeting. We discuss each information security event and look for patterns and the like.
When you have an information security event you need to assess it and decide whether it is to be classified as an information security incident.
Here at Mango the Information Security Officer, in discussion with other technical advisors decides if an event becomes an incident.
In ISO/IEC 27000 the definition of an information security incident is a “single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security”.
When you have an information security incident you need to respond to it in accordance with your documented procedures.
Here at Mango we have a documented procedure for information security incidents.
The procedure is straightforward. Here it is:
Your knowledge gained from analysing and resolving information security incidents needs to be used to reduce the likelihood or impact of future incidents.
Here at Mango we discuss each incident in the all staff Management Review meeting. The root causes and the knowledge gained is discussed and debated with all the staff.
When you are capturing information security events and incidents you need to define and apply procedures for the identification, collection, acquisition and preservation of information that can serve as evidence. The point of the preservation step is that you can later demonstrate the evidence has not changed since it was collected: who took it, when, and a record (such as a cryptographic hash) that can be rechecked.
Here at Mango the Mango application captures all this evidence for us.
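The following is an added example, not code from the Mango application or from the ISO 27001 text, of what a minimal preservation procedure looks like in practice: an artifact is copied into a write-once evidence locker, hashed with SHA-256, and a chain-of-custody record is appended; any later verification recomputes the hash against the acquisition record so tampering is detected. The class name, the `custody.jsonl` format and the sample log lines are all assumptions constructed for the example.

```python
"""Evidence preservation helper (added example; assumptions: EvidenceLocker
name, custody.jsonl record layout, constructed sample log lines)."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def sha256_file(path: str) -> str:
    """Stream the file so large artifacts (log bundles, images) need little RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


class EvidenceLocker:
    """Directory of read-only artifact copies plus an append-only custody log."""

    def __init__(self, root: str):
        self.root = root
        self.log_path = os.path.join(root, "custody.jsonl")
        os.makedirs(root, exist_ok=True)

    def _append(self, record: dict) -> None:
        with open(self.log_path, "a", encoding="utf-8") as f:
            f.write(json.dumps(record, sort_keys=True) + "\n")

    def acquire(self, src: str, incident_id: str, collector: str) -> str:
        """Copy src into the locker, make it read-only, record hash, who and when."""
        digest = sha256_file(src)
        dst = os.path.join(self.root, f"{digest}_{os.path.basename(src)}")
        shutil.copyfile(src, dst)
        os.chmod(dst, 0o444)  # stored copy is read-only from here on
        if sha256_file(dst) != digest:
            raise RuntimeError("stored copy does not match source hash")
        self._append({"action": "acquire", "incident_id": incident_id,
                      "collector": collector, "source": src, "stored_path": dst,
                      "sha256": digest, "time": _now()})
        return dst

    def verify(self, stored_path: str) -> bool:
        """Recompute the hash and compare it with the acquisition record; log the check."""
        expected = None
        with open(self.log_path, encoding="utf-8") as f:
            for line in f:
                rec = json.loads(line)
                if rec["action"] == "acquire" and rec["stored_path"] == stored_path:
                    expected = rec["sha256"]
        if expected is None:
            raise KeyError(f"no acquisition record for {stored_path}")
        actual = sha256_file(stored_path)
        ok = actual == expected
        self._append({"action": "verify", "stored_path": stored_path,
                      "sha256": actual, "ok": ok, "time": _now()})
        return ok


def demo() -> dict:
    """Run the whole flow on a constructed artifact inside a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "auth.log")
        # Constructed sample log lines, not real data.
        with open(src, "w", encoding="utf-8") as f:
            f.write("2024-03-01T10:15:02Z sshd[812]: Failed password for admin from 203.0.113.7\n")
            f.write("2024-03-01T10:15:05Z sshd[812]: Accepted password for admin from 203.0.113.7\n")
        locker = EvidenceLocker(os.path.join(tmp, "locker"))
        stored = locker.acquire(src, incident_id="INC-0001", collector="iso")
        intact = locker.verify(stored)
        # Simulate someone editing the stored copy after collection.
        os.chmod(stored, 0o644)
        with open(stored, "a", encoding="utf-8") as f:
            f.write("bogus\n")
        tampered_detected = not locker.verify(stored)
        with open(locker.log_path, encoding="utf-8") as f:
            entries = sum(1 for _ in f)
        return {"intact": intact, "tampered_detected": tampered_detected,
                "log_entries": entries}


if __name__ == "__main__":
    print(demo())
```

In a real deployment the custody log would itself be protected (written to a separate system, or signed), because an attacker who can edit both the artifact and the log can rewrite the recorded hash; the example only shows the mechanics of the hash-and-record step.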
View previous blogs in this series "ISO 27001 Information Security Management Standard":
Part 1 - Reasons why you need to meet this standard
Part 2 - Principle 1 - Analysing the Protection of Your Information and then Applying Controls
Part 3 - Principle 2 - Awareness of the Need for Information Security
Part 4 - Principle 3 - Assignment of Responsibility for Information Security
Part 5 - Principle 4 - Incorporating Management Commitment and the Interests of Stakeholders
Part 6 - Principle 5 - Enhancing Societal Values
Part 9 - Principle 8 - Active prevention and detection of information security incidents
Part 10 - Principle 9 - Ensuring a comprehensive approach to information security management
Part 12 - ISO 27001 Information Security Management Standard: Clauses 0, 0.1, 0.2, 1, 2 and 3
Part 13 - ISO 27001 Information Security Management Standard: Clauses 4.1, 4.2, 4.3 and 4.4
Part 14 - ISO 27001 Information Security Management Standard: Clause 5.1
Part 15 - ISO 27001 Information Security Management Standard: Clause 5.2
Part 16 - ISO 27001 Information Security Management Standard: Clause 5.3
Part 17 - ISO 27001 Information Security Management Standard: Clause 6.1
Part 18 - ISO 27001 Information Security Management Standard: Clause 6.2
Part 19 - ISO 27001 Information Security Management Standard: Clauses 7.1 - 7.4
Part 20 - ISO 27001 Information Security Management Standard: Clause 7.5
Part 21 - ISO 27001 Information Security Management Standard: Clauses 8.1, 8.2, 8.3
Part 22 - ISO 27001 Information Security Management Standard: Clauses 9.1, 9.2, 9.3
Part 23 - ISO 27001 Information Security Management Standard: Clauses 10.1, 10.2
Part 24 - ISO 27001 Information Security Management Standard: Clause A5
Part 25 - ISO 27001 Information Security Management Standard: Clause A6
Part 26 - ISO 27001 Information Security Management Standard: Clause A7
Part 27 - ISO 27001 Information Security Management Standard: Clause A8
Part 28 - ISO 27001 Information Security Management Standard: Clause A9
Part 29 - ISO 27001 Information Security Management Standard: Clause A10
Part 30 - ISO 27001 Information Security Management Standard: Clause A11
Part 31 - ISO 27001 Information Security Management Standard: Clause A12
Part 32 - ISO 27001 Information Security Management Standard: Clause A13
Part 33 - ISO 27001 Information Security Management Standard: Clause A14
Part 34 - ISO 27001 Information Security Management Standard: Clause A15