What Changed Between the 2013 and 2022 Versions? ISO 27001:2022 Annex A 5.26

ISO 27001 Annex A 5.26 - what changed in the 2022 update

When a security incident hits, the difference between a minor hiccup and a business-ending catastrophe often comes down to one thing: the quality of your response. ISO 27001 has always mandated that organizations respond to incidents in line with documented procedures, but the transition from the 2013 version to the 2022 update has refined how the “heat of the moment” is handled. In the new standard, this is governed by Annex A 5.26: Response to information security incidents.

For those moving their ISMS (Information Security Management System) over to the new framework, Annex A 5.26 might look familiar, but there are several critical updates in terminology, structure, and expectations that you need to be aware of. Let’s dive into the evolution of incident response.

From A.16.1.5 to Annex A 5.26: A More Strategic Home

In the 2013 version of the standard, the actual act of responding to an incident was found under A.16.1.5 (Response to information security incidents). It was one of seven controls in the old “Incident Management” domain.

In the 2022 update, this has been reclassified as Annex A 5.26 and placed within the “Organisational Controls” theme. This structural shift is important because it highlights that response is not just a technical “firefighting” exercise for the IT team; it is an organisational capability that requires clear roles, pre-approved procedures, and management oversight. According to Hightable.io, this change emphasizes that the response must be “consistent and orderly,” moving away from the ad-hoc fixes that were sometimes tolerated under the older standard.

The Four New Pillars of Consideration

While the 2013 standard asked for a response, the 2022 version is much more specific about the components of that response. The implementation guidance for Annex A 5.26 now highlights four areas that were less prominent in the previous version:

  • Containment and Mitigation: The 2022 version puts a stronger focus on the “immediate aftermath.” The guidance now explicitly expects procedures to contain the threat (e.g., isolating an infected server or disabling a compromised account) and to limit its impact before moving on to full recovery.
  • Crisis Management and Continuity: There is a much tighter link between incident response and business continuity. Annex A 5.26 now expects a clear escalation path to your continuity or crisis teams once an incident exceeds a defined threshold, so that threshold needs to be written down in advance rather than decided on the day.
  • Root Cause Identification: In 2013, the focus was often on “getting back to normal.” The 2022 update treats root cause analysis as part of the incident’s own lifecycle: the incident is not considered dealt with until the underlying cause has been identified, rather than leaving it to an optional post-mortem that may never happen.
  • Process Modification: The guidance expects you to identify and change the specific internal processes, policies or controls that failed, or that allowed the incident to happen in the first place. This turns every response into a cycle of improvement rather than a one-off fix.

“Normal Security Level” vs. Resilience

A subtle but fascinating change in the 2022 update is the removal of the phrase “return to a normal security level.” In the 2013 version, the primary goal of the response was to restore things to how they were.

As noted by Hightable.io, the 2022 version (Annex A 5.26) shifts the focus toward resilience. The goal isn’t just to go back to “normal”; it’s to adapt. Because the threat landscape has changed so much since 2013 (ransomware and sophisticated supply chain attacks being the obvious examples), the standard now acknowledges that your “normal” might be exactly what made you vulnerable in the first place.

What Auditors Are Looking For in the 2022 Version

If you are heading into a transition audit, the “evidence” required for Annex A 5.26 has become more focused on the lifecycle of the response. Auditors will be looking for proof of the following:

  • Documented Procedures: You must have written playbooks for different types of incidents (e.g., malware, data leak, physical breach).
  • The “Need to Know” Principle: Evidence that incident details were shared only with those required to resolve it, maintaining confidentiality even during the chaos of a response.
  • Competent Personnel: Proof that the people responding to the incident have the “required competency.” This might include training records or certificates for your incident response team.
  • Detailed Logs: A record of every action taken during the response. Hightable.io highlights that accurate logging is now a “must-have” to prove that your actions followed your documented procedures.

Practical Impact: Modernizing Your Playbooks

For organizations moving to the 2022 version, your main task for Annex A 5.26 is to move away from a single, generic “Incident Response Plan” toward specific playbooks.

Key areas to update in your documentation include:

  • Detailed steps for containment (e.g., “Step 1: Disable compromised account, Step 2: Block IP at firewall”).
  • A clear list of external parties that must be notified (regulators, clients, vendors) and the timelines for doing so.
  • A formal process for “closing” an incident only after the root cause has been addressed and the lessons learned have been fed back into the ISMS.
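The three documentation points above are easier to evidence when the playbook, the action log and the closure gate are one mechanism rather than three documents. The Python below is an added example, not code from the article or from Hightable.io: it records each response action in an append-only, hash-chained log (so an auditor can check that nothing was altered or reordered after the fact), compares the steps taken against a documented playbook, and refuses to close the incident until every playbook step is evidenced and the root cause and resulting process change are recorded. The playbook name, step names, actors and incident identifiers are constructed for the example.

```python
"""Tamper-evident incident response log with a closure gate.

Added example (not from the original article or from Hightable.io).
The playbook, step names, actors and incident IDs are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed playbook: the ordered containment steps an auditor would
# expect to see logged for a compromised-account incident.
PLAYBOOKS = {
    "compromised-account": [
        "disable_account",
        "revoke_sessions",
        "block_source_ip",
        "preserve_evidence",
    ],
}


class IncidentLog:
    """Append-only action log; every entry commits to the previous one."""

    def __init__(self, incident_id, playbook):
        if playbook not in PLAYBOOKS:
            raise ValueError(f"no documented playbook for {playbook!r}")
        self.incident_id = incident_id
        self.playbook = playbook
        self.entries = []
        self.root_cause = None
        self.lessons_learned = None
        self.closed = False

    def record(self, actor, step, detail, ts=None):
        """Append one action, chained to the hash of the previous entry."""
        if self.closed:
            raise RuntimeError("incident is closed; log is frozen")
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {
            "seq": len(self.entries),
            "ts": (ts or datetime.now(timezone.utc)).isoformat(),
            "actor": actor,
            "step": step,
            "detail": detail,
            "prev": prev,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify_chain(self):
        """True if no entry has been altered, removed or reordered."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def missing_steps(self):
        """Playbook steps not yet evidenced in the log."""
        done = {e["step"] for e in self.entries}
        return [s for s in PLAYBOOKS[self.playbook] if s not in done]

    def close(self, root_cause, lessons_learned):
        """Closure gate: containment evidenced, chain intact, root cause and
        process change recorded. Otherwise the incident stays open."""
        if not self.verify_chain():
            raise RuntimeError("log integrity check failed; cannot close")
        missing = self.missing_steps()
        if missing:
            raise RuntimeError(f"playbook steps not evidenced: {missing}")
        if not root_cause or not lessons_learned:
            raise RuntimeError("root cause and lessons learned are required")
        self.root_cause = root_cause
        self.lessons_learned = lessons_learned
        self.record("ir-lead", "close",
                    {"root_cause": root_cause, "lessons_learned": lessons_learned})
        self.closed = True
        return self.entries[-1]["hash"]


def demo():
    """Walk one constructed incident through the gate and return its log."""
    log = IncidentLog("INC-0001", "compromised-account")
    log.record("analyst", "disable_account", {"user": "j.doe"})
    log.record("analyst", "revoke_sessions", {"user": "j.doe"})
    log.record("netops", "block_source_ip", {"ip": "203.0.113.7"})
    try:  # premature closure: evidence preservation has not been logged yet
        log.close("phished credentials", "enforce MFA on VPN")
    except RuntimeError:
        pass
    log.record("analyst", "preserve_evidence", {"image": "host-42.img"})
    log.close("phished credentials; no MFA on VPN", "MFA enforced on VPN")
    return log
```

The hash chain is what makes the log usable as audit evidence: recomputing the chain over the exported entries shows whether any action was edited or dropped after the incident, and the sequence of `step` values can be read directly against the playbook the procedure document describes. The `close()` gate is deliberately strict; if your playbook allows steps to be skipped for a documented reason, record that deviation as its own logged action rather than loosening the gate.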

Why This Update is a Step Forward

The transition from ISO 27001:2013 to the 2022 version of Annex A 5.26 reflects a more mature approach to cybersecurity. It acknowledges that incidents will happen and that a professional, disciplined response is your best defense. By formalizing the link between response, root cause analysis, and process change, the standard helps you build an organization that doesn’t just survive attacks but gets stronger because of them.

If you’re finding the transition from the old A.16.1.5 to the new Annex A 5.26 a bit daunting, utilizing the incident response templates and automated logging guides from Hightable.io can help you build a response capability that satisfies both auditors and the real-world demands of modern security.