ISO 27001 Annex A 5.24 – Information Security Incident Management Planning and Preparation

This rule is about information security incident management, which means a company must have a system and people in place to handle information security incidents.

What is ISO 27001 Annex A 5.24?

The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).

In the ISO/IEC 27001:2022 Standard the control is titled “Information Security Incident Management Planning and Preparation”.

What is the ISO 27001 Annex A 5.24 control objective?

The formal definition and control objective in the standard is: “The organization should plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities.”

What is the purpose of ISO 27001 Annex A 5.24?

The purpose of ISO 27001 Annex A 5.24 is “To ensure quick, effective, consistent and orderly response to information security incidents, including communication on information security events.”

Is ISO 27001 Annex A 5.24 Mandatory?

ISO 27001 Annex A control 5.24 (Information Security Incident Management Planning and Preparation in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.

The mandatory part of the standard requires you to consider ISO 27001 Annex A 5.24 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.

Key Parts of the Rule

To follow this rule, you should have clear plans and policies. Here are some important steps:

Your Roles and Responsibilities

You need to define the roles and responsibilities for the incident management processes and rules you will write and use. Once set, you must communicate these roles to everyone.

You should regularly share how people can report a security problem and who is in charge of security. A good frequency is about every three months. If your team or company is complex, you may need to send extra, focused messages to certain groups.

You should aim to have one simple way for everyone to report security issues and know who to contact.

Handling Security Incidents

The steps for managing incidents will cover many actions, including:

  • How you write down the process.
  • How you spot problems.
  • How you decide which problems are more important (prioritizing).
  • How you sort and quickly handle them (triage).
  • How you study and understand them (analysis).
  • Who you tell and how you tell them (communication).
  • How you organize all the people involved (coordination).

The ISO standard correctly asks you to be able to look at, respond to, and learn from security problems. You will not get everything right every time; incidents will happen. You just need to plan, be ready, and respond well, and you will be fine.

Competent Personnel

You must ensure that only qualified people handle these security issues. These people are usually experts or have had training in the field. You will share the process documents with them and give them regular security training.

As an extra step, the standard asks you to plan the training, certifications, and ongoing learning needed for your incident response team. A good way to track this is with a competency list.

Incident Management Rules

The incident rules and steps you write will have priorities and service level agreements. These must be set with your managers based on agreed-upon goals for handling security incidents. You should create clear priority levels, define what each level means, and set the expected time to resolve an incident at that level.

Your incident plan must consider different types of problems that could happen.

Here are the main actions that need written rules and steps:

  • Evaluation: Checking problems to see if they are security incidents.
  • Monitoring: Using people and tools to find, group, study, and report problems.
  • Managing: Taking action on problems, asking for help, and knowing when to start wider crisis or business plans.
  • Coordinating: Working with all people and groups, both inside and outside the company.
  • Logging: Keeping a record of problems and all actions taken.
  • Handling Evidence: Taking care of proof, especially if you need expert help for legal issues.
  • Root Cause Analysis: Finding the true, main reason why the problem happened.
  • Lessons Learned: Using what you learned to make things better, helping prevent the problem from happening again.

Reporting Procedures

You need a good way to report on incidents and decide what kinds of reports you will make.

You must include instructions on how to report a problem, how to use report forms, and how to create final incident reports.

You must also consider external reporting rules and deadlines. For example, you must report data breaches under GDPR to the proper official body within the required time.

If you want to read more about security incident management, the useful standard is ISO/IEC 27035.

What an Auditor Will Check

An auditor will want to see proof that you are following these rules. They will look for:

1. Documented Roles and Rules

You must show the auditor your written plans, job duties, and steps for doing work. The auditor will check that you have reviewed and signed these papers. They want to be sure these documents show what you really do, not just what you think sounds good.

2. Proof That Your Process Works

You need to prove that your process works by showing them an example. For instance, the auditor might pick one past event from your incident management records. For that one example, you will need to walk them through the whole process. You must show them proof that you followed your own rules and that the process finished correctly.

3. Learning From Mistakes

The auditor will check to see if you write down what you learned after an event. They will look at how you use those lessons to make things better. The goal is to see that you not only fixed the immediate problem but that you learned from it. You must show that you made a change to reduce or stop the same issue from happening again.