
ISO27001:2022 - A5.26 Response to Information Security Incidents

Gary Hibberd

Updated: Aug 2, 2024



ISO27001 contains several controls related to incident management. Each builds upon the last, and towards the next, so that you have a comprehensive approach to responding to incidents. The controls you should look closely at include:

 


 

 

What does the standard require?


The standard states that “Information security incidents shall be responded to in accordance with the documented procedures” (A5.26 - Response to information security incidents).

 

Why is this required?


We all know instinctively that people respond differently in the face of a crisis. When faced with an incident, like a system outage, or a data breach, we respond based on our previous knowledge, skill or experience.

 

There is an entire field of study in understanding how people react to crisis situations, but most academics and experts agree on one thing: having prepared for a situation, and having a documented process, helps people to respond more effectively and efficiently to adverse situations like a security incident.

 

Having a documented procedure also ensures that incidents receive consistent responses. It means assumptions can be tested, and information provided so that everyone understands how to respond when faced with a security incident.

 

What the auditor is looking for


This is a relatively easy control to understand because the auditor is simply looking for a documented incident response plan that has been communicated to those that need it. This could include an Incident Response Plan, Business Continuity Plans and Disaster Recovery Plans.

 

Your plans should include some form of assessment of the incident (see A5.25), and outline actions to be taken during the incident (see A5.29). You should also include details of how evidence relevant to the incident will be collected (see A5.28).

 

What do you need to do?

You need to document an incident response plan that will be followed by key members of your business during a security incident. This sounds simple, but in fact it’s possibly one of the hardest things to do.

 

We see many plans, and the biggest mistake many of them make is to cram a lot of information and instructions into them.  But people will never use them in a crisis, and that's when they are needed the most.


If you are looking at a plan which is 30, 40 or 60 pages long, then it’s too long. Your aim for an incident response plan should be 1 or 2 pages. Yes, that’s one or two pages long.

 

The incident response plan is aimed at senior people in your organisation. It should give them the questions to ask, so that they can build situational awareness. It should also give them key information about the business with clear instructions on what actions to take.

 

Providing all the detail of what your plan should contain is beyond this blog post, but one golden rule to keep in mind is: Keep It Simple. Even a list of key suppliers and key people in the business with their contact details is better than a long-winded document that people won’t be able to navigate in a crisis.

 

Once you have an Incident Response Plan in place, you should then develop Business Continuity Plans for your business, which can be a little longer. These provide more detailed advice and information on how the business will continue when faced with a security incident. BCPs are typically focused on functional recovery, such as what the HR function will do, or the marketing team. They are also typically focused on some form of scenario, such as ‘loss of system X’.

 

However, we would suggest that you turn this on its head, and focus on the complete or partial loss of people, premises, or systems. This approach focuses on the impact, not the cause, of an incident. For example, if you plan for a loss of systems, it doesn’t matter if that loss was caused by a hacker, a cybercriminal, a mistake by a systems administrator, or because the room the server lives in is flooded!

 

Your response to a situation should be based on the impact, not the cause, and the actions you take can be directed to each function, so that they know what to do when this happens. This allows the business to continue, which is the whole point of a Business Continuity Plan.


 

Q & A


Do I have to document an incident response plan and a BCP separately?

No. It depends on the size and shape of your business. But we suggest that you keep your incident response plans and business continuity plans separate, if you can. This is because, in our experience, senior leadership needs to know how to respond to a crisis situation – but they don’t like being told what to do! So give them a tool which arms them with the right questions to ask, so that they can make strategic decisions based on situational awareness.

 

We do feel that having a more detailed BCP is necessary for most organisations, so you should not forget about this.  But develop this separately and share it with the business.

 

Do we need to test our plans?

Yes, plans should be tested. But this doesn’t have to be difficult. A simple plan walk-through with those who will use the plans is sufficient in the early adoption of the plans. Then, when you are feeling more confident, you can run a table-top exercise whereby you test the plans (and exercise the teams), using a specific scenario. For example, you might bring together your incident response team and present a scenario whereby your business has been hit with a ransomware attack, and you ask “What do we do Day 1? Day 2? Day 3?” etc.

 

Difficulty rating

We rate this a 3 out of 5 difficulty rating. This control requires little, if any, technical skill to put together, but it isn’t easy. Anyone can write a lengthy document, but it will not be useful in a crisis situation, so this is harder than it first appears. When you first write your incident response and Business Continuity Plans, you may be edging into 5 pages, 10 pages, even 15 pages long. Your challenge is to cut this down by 50% on the first draft.

 

Don’t get us wrong; your auditor is not likely to give you a negative rating if your plan is 30 or 40 pages long, but we know your plan will not work when needed. Therefore, if Consultants Like Us were auditing you, we would instantly give you an ‘OFI’ on this control.


More questions?



Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers to other aspects of the standard. Follow the links in this control to see the relationship to other controls, but if you’re still confused about this control, then please get in touch.

 

For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001” which is available on Amazon.
