ISO 27001:2022 Annex A Control 5.25: Assessment and Decision on Information Security Events

Control 5.25 focuses on the way organisations identify and categorise information security incidents. It gives clear guidance on prioritisation and how these events are handled by the relevant parties.

By helping organisations to identify and prioritise information security incidents based on event-specific variables, Annex 5.25 acts as a detective control that maintains risk.

What does Annex 5.25 include?

Control 5.25 aims to help organisations with a broad operational scope, rather than specific guidance points. Through this method, it presents an approach for effective information security incident management on a holistic scale.

The control outlines that organisations should develop an accepted categorisation scheme to differentiate between IS incidents and IS events. There should a point of contact who is responsible for IS event categorisation.

Technical personnel should be involved in the assessment process, in order to ensure that the necessary skills and tools to analyse and resolve incidents are at hand. Deciding on whether to escalate an event to an incident should be a collaborative decision.

Organisations should record conversations, assessments and categorisations so that future information security incident decisions can be made with all relevant information to hand, building a more robust risk security over time.

What’s changed since ISO 27001:2013?

Replacing ISO 27001:2013 Annex A control 16.1.4, the 2022 control adheres to the same operational principles but includes one key deviation. While in the older control, an information security incident response team (ISIRT) is described as being involved in categorisation and escalation, control 5.25 makes reference to any staff members involved in analysing and resolving security incidents.

Control 5.25 also puts greater emphasis on categorising events appropriately before escalation.