This rule is about learning from information security incidents so that they do not happen again and so that information security is improved.
What is ISO 27001 Annex A 5.27?
The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).
In the ISO/IEC 27001:2022 Standard the control is titled “Learning From Information Security Incidents”.
What is the ISO 27001 Annex A 5.27 control objective?
The formal definition and control objective in the standard is: “Knowledge gained from information security incidents should be used to strengthen and improve the information security controls.”
What is the purpose of ISO 27001 Annex A 5.27?
The purpose of ISO 27001 Annex A 5.27 is “To ensure the reduction in the likelihood or consequences of future incidents.”
Is ISO 27001 Annex A 5.27 Mandatory?
ISO 27001 Annex A control 5.27 (Learning From Information Security Incidents in the 2022 standard) is not mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.
The mandatory part of the standard requires you to consider ISO 27001 Annex A 5.27 and all other Annex A controls when treating your risks, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context. Any exclusion has to be justified in your Statement of Applicability.
Key Parts of the Rule
To follow this rule, you should have clear plans and policies. Here are some important steps:
A security incident is an event that might harm the confidentiality, integrity, or availability of your information. The impact of an incident depends on what happened, which systems were involved, and how your team responded.
As part of your incident management process, you will add a step to learn from every incident. You will use a written procedure to examine each incident closely, find out why it really happened, and decide what steps to take to fix the underlying cause.
1. Find the True Reason Why
After a security incident is resolved, you should do a root cause analysis (RCA). This means you will look into why the incident started in the first place, not just what went wrong on the day. Finding the true cause is what lets you stop the same problem from happening again, rather than only treating its symptoms.
2. Choose What to Do Next
Once you find the root cause (or causes), you must decide what steps to take. This choice is based on how much risk you are willing to accept (your risk appetite). Your management team will review and approve this decision.
- If you decide the risk is acceptable and you will take no action, you must record this choice, and the reason for it, in your risk register.
- If you choose to take action to lower the risk, you will add this task to your corrective actions log. You will then track it to completion through your continual improvement process.
3. Keep Records of Lessons
You must formally record and retain the root cause, the decision you made, and who approved it. This record is a useful input for future improvements, and auditors will also ask to see it.
4. Check if Things Improved
You need to check that the lessons you learned and the fixes you made are actually effective, for example by confirming that the same type of incident has not recurred. You will usually do this by having an independent internal audit team review the changes.
What an Auditor Will Check
An auditor will want to see proof that you are following these rules. They will look for:
1. Your Process is Written Down
You must have a clear, written procedure for finding the root cause and handling lessons learned. The auditor will check this document. You need to show that you have reviewed and approved it. Most importantly, it must describe what you actually do, not just what sounds good on paper.
2. You Can Show the Process Working
The auditor will ask you for evidence that your lessons learned process is used. They will pick one real incident as an example. For this incident, you will need to walk them through the steps you took, from the incident record through the root cause analysis to the decision and its approval. You must show that you followed your written process and that the process worked as planned.
3. You Used What You Learned
The auditor will check that you did more than just write down the lesson. They want to see that you used this knowledge to drive continual improvement or take corrective actions. You must show that you not only fixed the problem but also learned from it and took steps to make the issue less likely to happen again, or eliminated the possibility completely.