This blog post focuses on the controls A.5.24 to A.5.30. These controls cover topics around security incidents, including management, response, learning and handling of evidence. Business continuity is also covered.
A.5.24 Information security incident management planning and preparation
You need to establish management responsibilities and procedures to ensure a quick, effective and orderly response to information security incidents.
Updating your procedures, job descriptions and the training provided to management, so that they can deliver a “quick, effective and orderly response to information security incidents”, will help to achieve this.
A.5.25 Assessment and decision on information security events
When you have an information security event, you need to assess it and decide whether it is to be classified as an information security incident.
Usually it is the Information Security Officer who, in discussion with other technical advisors, decides whether an event becomes an incident.
Using the CIA triad to assess any effect on the systems that process and handle your information offers a pragmatic and structured way of evaluating what you know about an event before deciding whether escalating it to an incident is warranted.
The CIA triad assesses whether the confidentiality, integrity or availability of information has been compromised; if any of them has, the event should be prioritised as an incident.
A.5.26 Response to information security incidents
In ISO 27002 the definition of an information security incident is “single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security”.
When you have an information security incident you need to respond to it in accordance with your documented procedures.
To start with, you should have a documented procedure for information security incidents. A straightforward procedure, like the following, is suitable:
- All information security issues are to be reported and managed through your task management system.
- This includes suspected security weaknesses in systems or services.
- The Improvements module will manage the communication to relevant employees and managers.
- Information security events will be assessed to identify whether they are classified as Information Security Incidents.
- All evidence relating to the investigation will be captured in the Improvement record.
A.5.27 Learning from information security incidents
Your knowledge gained from analysing and resolving information security incidents needs to be used to reduce the likelihood or impact of future incidents.
Discuss each incident with the appropriate staff in an incident review meeting, where the incident, the responses and the actions taken are reviewed for improvement opportunities. It is important that no blame is apportioned in these meetings, as the objective is to learn and improve. Another option, depending on company size, is to discuss the incident in an all-staff meeting, where the root causes and the knowledge gained are discussed and debated with all staff.
A.5.28 Collection of evidence
When you are capturing information security events and incidents you need to define and apply procedures for the identification, collection, acquisition and preservation of information, which can all serve as evidence.
This evidence can include logs, work tickets, change logs and any other information related to the systems affected in an incident.
A.5.29 Information security during disruption
The objective here is to ensure information security continuity is embedded in your organisation’s business continuity planning systems.
This should involve a detailed business continuity planning system and a Business Continuity Plan (BCP). A wide range of employees and contractors are usually involved in putting the plan together.
BCPs are quite comprehensive and cover the following topics:
- Company Employees
- Disaster Recovery Team
- Office Infrastructure
- Applications, Hardware and Data
- Customers
- Post emergency process
- Servers and PC Details
Once the plan is in place, test sections of it to ensure the details are correct and that staff are prepared. Business continuity is something you should plan for in the knowledge that things outside your control can happen at any time.
The BCP should be reviewed and tested periodically.
A.5.30 ICT readiness for business continuity
This clause aims to ensure that your business’s information and other assets are available during any disruption.
The readiness of your ICT to handle a disruption and ensure business continuity is an important component of business continuity management. ICT continuity requirements are the outcome of a business impact analysis (BIA).
Based on the outputs from the BIA and the risk assessment covering ICT services, the organisation should identify and select ICT continuity strategies that consider options for before, during and after a disruption. The business continuity strategies can comprise one or more solutions. Based on the strategies, plans should be developed, implemented and tested to meet the required availability level of ICT services within the required time frames following interruption to, or failure of, critical processes.
Takeaways
The key items to take away from incident management and business continuity are:
- Define responsibilities and procedures for all staff, and ensure they know them.
- Ensure staff know what they are authorised to do during an incident.
- Report information security events and weaknesses.
- Define criteria for assessing when information security events become incidents.
- Report and respond to information security incidents.
- Collect evidence of events and incidents.
- Learn from any information security events and incidents.
- Read the previous post in the series: Fortifying the Supply Chain: A Guide to Controls A.5.19 - A.5.23
- Read the next post in the series: Navigating Legal, IP and PII Requirements in Controls A.5.31 - A.5.34
Brad Fabiny
DQS Product Manager - Cyber Security and auditor for the ISO 9001, ISO 27001 standards and information security management systems (ISMS) with extensive experience in software development.