
Response to information security incidents

Annex A control 5.26 of ISO 27001:2022 maps to Annex A control 16.1.5 of ISO 27001:2013.

Control 5.26 is about responding to information security incidents, events and weaknesses once they have been reported and assessed. Organisations that follow its guidance are better placed to resolve incidents quickly and effectively, which requires that both internal and external personnel work to clear, documented incident management processes and procedures.

What does control 5.26 include?

Under control 5.26, the person or team handling a security event is responsible for restoring the required level of security. Because most organisations also have stakeholders and regulators to answer to, the response must assign owners, set out the actions to be taken, establish timescales and record what was done so that it can be audited later.

Control 5.26 addresses these needs by requiring that incidents are responded to in accordance with documented procedures, by a designated team with the required competency, so that each event or incident is resolved promptly and thoroughly.

The control sets out 10 main guidelines organisations should follow for proper incident response. These are:

  1. Containing and mitigating any threats arising from the original event.
  2. Collecting and preserving evidence as soon as possible after the incident, so that it can be corroborated later.
  3. Escalating as required, including crisis management activities and, where necessary, invoking business continuity plans.
  4. Logging all incident response activity accurately so that it can be analysed afterwards.
  5. Communicating the existence of an incident to relevant interested parties on a strictly need-to-know basis.
  6. Being mindful of the organisation’s responsibilities to external parties, such as clients, vendors, public bodies and regulators, when communicating the wider impact of an incident.
  7. Formally closing and recording an incident only once defined completion criteria have been met.
  8. Performing forensic analysis where required, as per ISO 27001:2022 Annex A control 5.28.
  9. Identifying, recording and communicating the root cause of an incident through post-incident analysis.
  10. Identifying and managing the vulnerabilities and weaknesses that caused, contributed to or failed to prevent the incident, including those in controls, policies and procedures.

What has changed since ISO 27001:2013?

Control 5.26 replaces ISO 27001:2013 Annex A control 16.1.5. The 2022 version adds four areas that the 2013 control did not spell out explicitly. These are:

  1. Containing and mitigating threats in the wake of the original event.
  2. Establishing an escalation procedure that covers crisis management and business continuity.
  3. Identifying the root cause of the incident and ensuring all relevant parties are informed of the details.
  4. Identifying and remediating the weaknesses in processes, controls and policies that allowed the incident to happen.