August 7, 2024

ISO 27001:2022 Annex A Control 5.24: Information Security Incident Management Planning and Preparation

Annex A control 5.24 of the 2022 version of the ISO 27001 standard maps to ISO 27001:2013 Annex A control 16.1.1.


Control 5.24 describes how information security incidents, events and weaknesses should be managed, with an emphasis on preparation and planning. It calls for efficient, documented processes that set out how staff should respond to incidents according to their roles.

Clear communication and professionalism are key to an effective incident response. Annex A 5.24 is classed as a corrective control: it modifies risk by setting out a common set of incident management procedures that limit the damage caused by information security events.

Roles and responsibilities

Staff are expected to work together to resolve incidents, and Annex A 5.24 offers five core guidance points to help teams do just that. In order to create an efficient and cohesive incident management operation, organisations should:

  1. Establish and document a clear method for reporting information security events, naming a main point of contact for all such events.
  2. Create a set of incident management (IM) processes to handle information security incidents, covering administration, documentation, detection, triage, prioritisation, analysis and communication.
  3. Develop an incident response procedure that allows the organisation to respond to incidents effectively, and that captures lessons learned once an incident has been resolved so that recurrence is less likely.
  4. Limit incident response responsibilities to trained, competent personnel. They should have full access to procedural documentation and undertake refresher training regularly.
  5. Identify the training needs of all staff involved in incident response, including any vendor-specific or professional certifications.

Incident management

The key objective of any incident management process is to ensure that those responsible for resolving information security incidents have all the information and training they need to handle the event. Staff should have a firm understanding of three things: how long the incident is likely to take to resolve, how severe it is, and what its potential consequences are.

Processes should work together to ensure these priorities are met. Control 5.24 highlights eight activities that should be addressed when resolving incidents:

  1. Information security (IS) events should be assessed against defined criteria to determine whether they qualify as incidents and how severe they are.
  2. IS events should be managed in line with five key activities: monitoring, detection, classification, analysis and reporting.
  3. Organisations should implement procedures to ensure IS incidents are concluded successfully. These procedures cover:
    a. Response and escalation
    b. Activation of crisis management and business continuity plans, where applicable
    c. Managed recovery that limits operational and financial damage
    d. Thorough communication of incident-related events to internal and external parties
  4. Working collaboratively with internal and external personnel.
  5. Logging all incident activities in a thorough, accessible and transparent way.
  6. Handling evidence responsibly, in line with internal guidelines and external regulations.
  7. Carrying out a thorough post-incident review and root cause analysis once the incident has been resolved.
  8. Recording the improvements required to prevent the incident from recurring.

Reporting

An essential element of incident management is reporting, which ensures that accurate information is disseminated throughout the organisation. Reporting should cover four main areas:

  1. The actions to be taken once an information security event occurs.
  2. Incident forms that allow information to be recorded clearly and concisely, supporting personnel as they carry out their duties.
  3. Feedback processes that make personnel aware of the outcome of an IS event once the incident has been resolved.
  4. Incident reports that document all relevant information about an incident.

How has it changed since ISO 27001:2013?

Replacing ISO 27001:2013 Annex A control 16.1.1, the new control 5.24 makes explicit that organisations must prepare rigorously in order to be resilient to incidents and to remain compliant.

The newer control also gives a more detailed breakdown of the steps organisations should take to assign roles, manage incidents and report outcomes.
