All types Page Article White Paper Download
Solutions The best route to security compliance
Hicomply Privacy™ ISO 27001 ISO 9001 ISO 14001 SOC 2 NHS DSPT NIST 800-53 Hicomply GRC™ Services & Customer Support
Platform A powerful suite of ISMS features
Dashboard ISMS Scoping Policy Management Risk Management Information Asset Management Task Management Integrations Hicomply for Enterprises Trust Centre Controls Monitor Hicomply AI SCIM Integration
Resources Everything you need to know
Knowledge & Insights Resources Hub Case Studies Sectors Glossary News ROI Calculator
Knowledge Base Learn more about infosec
ISO 27001 Knowledge Base SOC 2 Knowledge Base NHS DSPT Knowledge Base PCI DSS Knowledge Base NIST 800-53 Knowledge Base DORA Knowledge Base
Company Security and customers first
About News Partners Contact

Learning from information security incidents

Annex A control 5.27 of the 2022 version of the ISO 27001 standard can be mapped to ISO 27001:2013 Annex A 16.1.6

Control 5.27 establishes incident management as an ongoing and organic process. Learning from information security incidents and events is crucial to making better decisions going forward, both in technical and non-technical situations.

In line with control 5.27, organisations must demonstrate how the knowledge gained by analysing and resolving security incidents will help to reduce the likelihood of such an event taking place again in the future.

Information security policy must be informed by the lessons learned from past events, showcasing a clear commitment to continuous service improvement. Organisations should adapt their ISMS to meet changing business landscapes and accommodate any learnings from previous events and incidents.

What does Annex 5.27 include?

Control 5.27 aims to minimise the likelihood of recurring information security incidents and events within an organisation. It advocates for the application of lessons learned to help mitigate the risk of future internal and external issues.

The control recommends that incidents be placed in review and learning status following their resolution, allowing the lead responder to talk through any policy and procedure changes that need to be made.

Further discussed of any relevant recommendations should be carried out by the ISMS board or security team, and once the review and learning process has completed, the cycle of information security awareness and education must continue. This process includes updating security policies, and notifying and retraining the relevant staff members.

Understanding control 5.27

Incident management policies put in place by an organisation should categories and monitor three main elements of information security incidents, these being type, volume, and cost. These elements should be monitored across an incident response’s entire operation in compliance with ISO 27001:2022.

Upon the resolution of an incident, it should be thoroughly analysed. Control 5.27 says that this analysis should be used to inform procedures that achieve key criteria. These are:

  1. The development of a holistic incident management framework that includes projected scenarios and the procedures associated with them.
  2. The improvement of the organisation’s IS risk assessment processes and procedures, in order to improve all incident categories’ resilience.
  3. The inclusion of real-world examples to enhance user awareness. This should include discussing how to respond, avoid, and resolve previous incidents.

How have things changed since ISO 27001:2013?

Replacing ISO 27001:2013 Annex A control 16.1.6, 2022’s control 5.27 is largely based on the same principles and features the same guidance about recording data on information security incidents of varying volumes, costs, and types.

However, while 2013’s control 16.1.6 focused largely on the goal of improving so-called high impact incidents, this is not the focus of the more recent control. Control 5.27 is concerned with information security incidents of all kinds, size and severity.