A single cyber attack, such as a data breach, malware, ransomware or DDoS attack, cost companies in the U.S. a median of $18,000 in 2022, up from $10,000 in 2021. Nearly half (47%) of all U.S. businesses suffered a cyber-attack in some form in 2022, and 40% of those attacks landed with costs of $25,000 or more. Hence, implementing an effective risk-management system is critical in ensuring the security and safety of an organization. ISO/IEC 27035-1:2023—Information Technology – Information Security Incident Management – Part 1: Principles And Process details generic principles for implementing an incident management approach for information security systems.
The ISO/IEC 27035-1:2023 Standard for Information Technology
ISO/IEC 27035-1:2023 presents basic concepts, principles, and processes with key activities of information security incident management: the process of protecting an organization’s data and assets against potential threats. The standard further provides a generic and structured approach to preparing for, detecting, reporting, assessing, and responding to incidents, and applying lessons learned to information security systems. All organizations—regardless of size, type, and nature of their business in relation to the information security risk situation—can apply the guidance in ISO/IEC 27035-1:2023.
IEC 27035 – IT Incident Management Set provides the foundation to establish the principles and guidelines for an information security incident management system and includes the following standards:
- ISO/IEC 27035-1:2023—Information Technology – Information Security Incident Management – Part 1: Principles And Process
- ISO/IEC 27035-2:2023—Information Technology – Information Security Incident Management – Part 2: Guidelines To Plan And Prepare For Incident Response
- ISO/IEC 27035-3:2020—Information Technology – Information Security Incident Management – Part 3: Guidelines For ICT Incident Response Operations
The ISO/IEC 27035 Series
ISO/IEC 27035-1:2023 is the foundation of the ISO/IEC 27035 series, encompassing the management of information security incidents and covering some aspects of information security vulnerabilities. The series provides additional guidance to the controls on incident management in ISO/IEC 27002; guidance on vulnerability disclosure and vulnerability handling by vendors is provided in ISO/IEC 29147 and ISO/IEC 30111. The ISO/IEC 27035 series is applicable to organizations needing to protect, analyze, and present potential digital evidence, as well as to policy-making bodies that create and evaluate procedures relating to digital evidence.
What Are Steps for Planning a Strong Information Security System?
Information security policies or controls alone do not guarantee total protection of information, information systems, services or networks, as residual vulnerabilities are likely to remain. Some vulnerabilities arise from human error, technology failures, risk assessments that are incomplete or omitted, risk treatment that does not sufficiently cover the identified risks, or changes in context that leave previously treated risks insufficiently covered or give rise to new risks. Therefore, ISO/IEC 27035-1:2023 maintains that it is essential for any organization desiring a strong information security program to have a structured and planned approach to:
- Plan and prepare information security incident management, including policy, organization, plan, technical support, awareness and skills training, etc.
- Detect, report and assess information security incidents and vulnerabilities involved with the incident
- Respond to information security incidents, including the activation of appropriate controls to prevent, reduce, and recover from impact
- Deal with reported information security vulnerabilities involved with the incident appropriately
- Learn from information security incidents and vulnerabilities involved with the incident, implement and verify preventive controls, and make improvements to the overall approach to information security incident management
ISO/IEC 27001:2022 – Information Security Management Systems explains other critical controls and measures for implementing a strong information security system. With more and more employees working from home since the COVID-19 pandemic, and 47% of people working remotely falling victim to scams, securing a robust information security management system is becoming ever more important. To demonstrate adherence to ISO/IEC 27001, organizations can achieve certification to the requirements of ISO/IEC 27001, which demonstrates their investment in the people, processes, and technology (e.g., tools and systems) that protect their data and provides an independent, expert assessment of whether their data is sufficiently protected. The ANSI National Accreditation Board (ANAB) accredits bodies that issue certificates to ISO/IEC 27001 for information security management systems.
Documenting an Incident/Event Report in ISO/IEC 27035-1:2023
ISO/IEC 27035-1:2023 states that it is crucial to document as much information as possible related to the incident/event from its detection through to its resolution. The incident report is the synthesis of all this information and serves as the basis for analyzing and evaluating the incident. Likewise, the event report should contain everything necessary to understand the event and to decide whether to classify it as an incident. Key information in an event report includes the date and time of detection, the name of the informant (which can be withheld to preserve confidentiality), and all circumstances and facts needed to comprehend the event.
What Are the ISO/IEC 27035-1:2023 Incident Response Phases?
The main objective of information security management is to prevent data breaches. Prevention begins with risk management, in which an organization identifies its information assets and the ways they can be compromised. The basic risk-management and incident response process in ISO/IEC 27035-1:2023 consists of five distinct phases:
1. Plan and Prepare
- Formulate and document information security management policies and obtain commitment from top management
- Update information security policies, including those related to risk-management at the organizational and system, service, and network levels
- Establish incident response management team
- Test information security management plan
2. Detect and Report
- Collect situational awareness information from the local environment, external data sources, and news feeds
- Detect and alert on anomalous, suspicious, or malicious activities
- Report information security events
3. Assess and Decide
- Assess the information security event and determine whether it constitutes an information security incident
- Establish the necessary incident response team(s)
4. Respond
- Investigate and determine whether information security incidents are under control
- Contain and eradicate information security incidents
5. Learn Lessons
- Identify, document, and communicate the lessons learnt
- Identify and make improvements to information security
- Evaluate the performance and effectiveness of the incident response team(s)
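The following is an added illustration of the event-report documentation and the Assess and Decide step described above; it is example code written for this page, not code from ISO/IEC 27035 or ANSI. The record fields follow the page's list (detection time, informant, circumstances and facts); the informant pseudonymization key, the classification criteria (`INCIDENT_IMPACTS`, `HIGH_SEVERITY_ASSET_COUNT`) and the sample event are constructed assumptions, not thresholds the standard prescribes.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed: key used to pseudonymize the informant so the circulated report
# does not name them, while still letting the response team link repeat reports.
INFORMANT_KEY = b"example-pseudonym-key-rotate-in-production"

# Constructed classification criteria (an assumption, not the standard's own):
# observed impacts that by themselves make an event an incident, and the number
# of affected assets at which severity is raised to "high".
INCIDENT_IMPACTS = {"data_exfiltration", "ransomware_encryption", "unauthorized_admin_access"}
HIGH_SEVERITY_ASSET_COUNT = 3


def pseudonymize_informant(name: str) -> str:
    """Return a stable reference for the informant without storing the name."""
    digest = hmac.new(INFORMANT_KEY, name.strip().lower().encode(), hashlib.sha256)
    return "informant-" + digest.hexdigest()[:16]


@dataclass
class EventReport:
    """Event report: when it was detected, who reported it (pseudonymized),
    and the circumstances and facts observed, plus a running timeline."""
    detected_at: datetime
    informant_ref: str
    source: str                       # how it surfaced, e.g. "siem_alert", "user_report"
    affected_assets: tuple[str, ...]
    description: str
    facts: dict[str, str]             # observed facts, e.g. {"observed_impact": ...}
    timeline: list[tuple[datetime, str]] = field(default_factory=list)

    def record(self, note: str, when: datetime | None = None) -> None:
        """Append a dated entry so the report tracks detection through resolution."""
        self.timeline.append((when or datetime.now(timezone.utc), note))


@dataclass(frozen=True)
class Decision:
    is_incident: bool
    severity: str       # "low", "medium" or "high"
    rationale: str


def assess_event(report: EventReport) -> Decision:
    """Assess and Decide: classify the event and write the decision and its
    rationale back onto the report so they become part of the evidence trail."""
    impact = report.facts.get("observed_impact", "none")
    assets = len(report.affected_assets)
    if impact in INCIDENT_IMPACTS:
        severity = "high" if assets >= HIGH_SEVERITY_ASSET_COUNT else "medium"
        decision = Decision(True, severity, f"confirmed impact '{impact}' on {assets} asset(s)")
    elif report.facts.get("control_bypassed") == "yes":
        decision = Decision(True, "low", "a security control was bypassed without confirmed impact")
    else:
        decision = Decision(False, "low", "no confirmed impact or control bypass; keep as event")
    report.record(
        f"assessed: incident={decision.is_incident}, severity={decision.severity}; {decision.rationale}"
    )
    return decision


def build_sample_report() -> EventReport:
    """Constructed sample event: an alert about mass encryption activity on file servers."""
    report = EventReport(
        detected_at=datetime(2023, 6, 1, 9, 15, tzinfo=timezone.utc),
        informant_ref=pseudonymize_informant("Alex Example"),
        source="siem_alert",
        affected_assets=("fs-01", "fs-02", "fs-03"),
        description="Mass file renames with an unknown extension observed on file shares",
        facts={"observed_impact": "ransomware_encryption", "control_bypassed": "yes"},
    )
    report.record("SIEM alert received by on-call analyst", report.detected_at)
    return report


if __name__ == "__main__":
    sample = build_sample_report()
    print(assess_event(sample))
    for when, note in sample.timeline:
        print(when.isoformat(), note)
```

The informant reference is an HMAC rather than a plain hash so that a reader of the report cannot recover the name by guessing employee names, while the team holding the key can still tie repeat reports together; the assessment appends its own timeline entry so the decision and the reason for it are preserved alongside the facts.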
ISO/IEC 27035-1:2023—Information Technology – Information Security Incident Management – Part 1: Principles And Process is available on the ANSI Webstore.