ISO 27001:2022 Annex A Control 5.26: Response to Information Security Incidents

Managing information security incidents, events and weaknesses is at the forefront of control 5.26. Organisations should adhere to the guidelines of control 5.26 to maximise their ability to achieve fast, effective incident resolution. This includes ensuring both internal and external personnel are fully engaged with clear incident management processes and procedures.

What does control 5.26 include?

Under ISO 27001, it is the responsibility of the individual dealing with a security event to restore adequate security levels. Organisations with stakeholders and regulators to consider must assign owners, clarify actions, establish timescales and record information for audit.

Annex 5.26 covers these needs, stating that dedicated teams must handle each incident with the ‘required competency’ to make sure there is prompt and thorough resolution to any events or incidents.

The control highlights 10 main guidelines organisations must follow for proper incident management. These are:

1. Containing and mitigating any threats arising from the original event.
2. Collecting and corroborating evidence in the aftermath of an incident.
3. Setting out planned escalation, crisis management and business continuity.
4. Conducting a post-mortem analysis with accurate logging of all incident-related activity.
5. Communicating information security incidents on a strictly need-to-know basis.
6. Being mindful of an organisation’s responsibilities to external parties, such as clients, vendors, public bodies and regulators, when communicating the wider impact of an incident.
7. Meeting strict completion criteria before an incident is considered closed.
8. Performing forensic analysis as per ISO 27001:2022 Annex A control 5.28.
9. Identifying, recording and communicating the underlying cause of an incident.
10. Addressing the vulnerabilities that made the incident possible, including controls, policies and procedures.

What has changed since ISO 27001:2013?

Replacing ISO 27001:2013 Annex A Control 16.1.5, the 2022 version of the standard adds four new areas for organisations to consider. These are:

1. Containing and mitigating threats in the wake of the original event.
2. Establishing a crisis management and continuity of business escalation procedure.
3. Identifying the reasons for the incident and ensuring all relevant parties are informed of the details.
4. Identifying and modifying the process, control and policy changes that led to the original incident.