This rule is about responding to information security incidents, which means a company must have a system in place for responding to information security events and incidents.
What is ISO 27001 Annex A 5.26?
The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).
In the ISO/IEC 27001:2022 Standard the control is titled “Response To Information Security Incidents”.
What is the ISO 27001 Annex A 5.26 control objective?
The formal definition and control objective in the standard is: “Information security incidents should be responded to in accordance with the documented procedures.”
What is the purpose of ISO 27001 Annex A 5.26?
The purpose of ISO 27001 Annex A 5.26 is “To ensure efficient and effective response to information security incidents.”
Is ISO 27001 Annex A 5.26 Mandatory?
ISO 27001 Annex A control 5.26 (Response To Information Security Incidents in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.
The mandatory part of the standard requires you to consider ISO 27001 Annex A 5.26 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.
Key Parts of the Rule
To follow this rule, you should have clear plans and policies. Here are the important steps:
- Document the process: write down the steps and rules for handling security incidents, have the document approved, and share the plan with everyone who needs to know it.
- Name the response team: record who is on the incident response team and make sure these team members have the right skills to do the work well.
What Your Response Plan Must Cover
Your plan for responding to security issues should include these steps:
- Stop the Spread: You must stop the problem from growing or getting worse.
- Gather Proof: You need to collect proof of what happened.
- Ask for Help: You need to decide when to escalate and call for more help, which might mean invoking your full business continuity plan.
- Write It Down: You need to record all the actions you take so you can look at them later.
- Share the Rules: You need to tell people about the rules so they know what to do and what to expect.
- Teach Others: You should share what you learn with people who would be interested. This helps everyone improve and reduces future problems.
- End the Event: Once the issue is over, you need to formally close the event and record it.
- Find the Cause: You must figure out why the problem happened and then fix that main cause.
The Three Steps to Handling an Incident
The process for handling a security problem has three main parts:
- Finding It: You first need to find the security problem.
- Checking It: Next, you need to look at the problem and decide how important it is.
- Fixing It: Then, you need to fix the security problem.
If you want to read more about managing security events, look up the standard ISO/IEC 27035.
What an Auditor Will Check
An auditor will want to see proof that you are following these rules. They will look for:
1. Your Documents Are Clear and Used
The auditor will review your written materials. You must show that you have clearly documented your roles, responsibilities, and processes. They will check that you have reviewed and approved these documents. Most importantly, your documents must show what you actually do, not just what you think the auditor wants to hear.
2. You Can Prove Your Process Works
The auditor will ask you to show evidence of your process, such as your incident response plan. They will pick one example of a past incident. For this chosen example, you will walk them through the steps and prove that you followed the process exactly. This shows them that your process works.
3. You Learn from Mistakes
The auditor will check that you document your lessons learned. You must also show how you used these lessons to make continual improvements or take corrective actions. They want to see that you did more than just respond to the problem; you learned from it and improved something. This change should have either reduced or completely stopped the chance of the same problem happening again.