ISO 27001 Information Security Management Standard - Clause A.16

Posted by Craig Thornton

Part 35 - A16 Information Security Incident Management

A key part of any management system is the capturing of incidents and improvements.

ISO 27001 is no different.

Any time you have an incident it is like finding gold. An incident is an indication that there is a weakness in your management system: it shows you where your weaknesses are, and it can show you where your vulnerabilities are.

The objective of this clause of Annex A is to ensure your organisation has a consistent and effective approach to the management of information security incidents. This includes the communication of security events and weaknesses.

The clause breaks the requirements into 7 areas for you to manage:

  1. Responsibilities and procedures
  2. Reporting information security events
  3. Reporting information security weaknesses
  4. Assessment of and decision on information security events
  5. Response to information security incidents
  6. Learning from information security incidents
  7. Collection of evidence


A.16.1.1 Responsibilities and procedures

You need to establish management responsibilities and procedures to ensure a quick, effective and orderly response to information security incidents.

Here at Mango we updated our procedures, job descriptions and provided training for Management to ensure they have a “quick, effective and orderly response to information security incidents”.


A.16.1.2 Reporting Information Security Events

In ISO 27000 the definition of an information security event is “identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of controls, or a previously unknown situation that may be security relevant”.

So those events need to be reported through appropriate management channels as quickly as possible.

Events aren’t incidents. You still need to treat them cautiously, because in time an event may become an incident.

For example, here at Mango CERT NZ sends out alerts about known security issues. Mango’s Security Information Officer then notifies staff of these events and logs them in Mango as an Information Security Event.


A.16.1.3 Reporting Information Security Weaknesses

For this clause your employees and contractors are required to note and report any observed or suspected information security weaknesses in systems or services.

As hackers and malware are becoming more and more cunning, your employees and contractors need to be alert at all times to strange behaviour or weaknesses. Anything suspicious needs to be reported, even if it later turns out there was no issue.

Here at Mango we talk about this monthly at our all-company Management Review meeting. We discuss each information security event and look for patterns and the like.


A.16.1.4 Assessment of and Decision on Information Security Events

When you have an information security event you need to assess it and decide whether it is to be classified as an information security incident.

Here at Mango the Information Security Officer, in discussion with other technical advisors, decides if an event becomes an incident.


A.16.1.5 Response to Information Security Incidents

In ISO 27000 the definition of an information security incident is “single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security”.

When you have an information security incident you need to respond to it in accordance with your documented procedures.

Here at Mango we have a documented procedure for information security incidents.

The procedure is straightforward. Here it is:

  1. All information security issues are to be reported and managed through the Improvement module in Mango.
  2. This includes suspected security weaknesses in systems or services.
  3. The Improvements module will manage the communication to relevant employees and managers.
  4. Information security events will be assessed to identify whether they are classified as Information Security Incidents.
  5. All evidence relating to the investigation will be captured in the Improvement record.


A.16.1.6 Learning from Information Security Incidents

Your knowledge gained from analysing and resolving information security incidents needs to be used to reduce the likelihood or impact of future incidents.

Here at Mango we discuss each incident in the all-staff Management Review meeting. The root causes and the knowledge gained are discussed and debated with all the staff.


A.16.1.7 Collection of Evidence

When you are capturing information security events and incidents you need to define and apply procedures for the identification, collection, acquisition and preservation of information, which can all serve as evidence.

Here at Mango, the Mango application captures all of this evidence for us.
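To make the workflow in the procedure above (A.16.1.5) and the evidence requirement of A.16.1.7 concrete, here is an added example in Python. It is illustration code written for this page, not the Mango application or any ISO text: a record is reported as an event, assessed into an incident or closed, and any evidence attached to an incident is preserved with a SHA-256 digest and an append-only history so that later tampering is detectable. The `IncidentRegister` class, the `ISE-` id scheme, the people named and the sample log line are all constructed for the demonstration.

```python
"""Added illustration of the A.16 event -> incident -> evidence workflow.

Example code, not the Mango application. Every identifier, record and
sample log line is constructed for the demonstration.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

EVENT, INCIDENT, NOT_INCIDENT = "event", "incident", "not_incident"


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


@dataclass
class Evidence:
    """One preserved artefact; the digest is fixed at collection time (A.16.1.7)."""
    name: str
    content: bytes
    collected_by: str
    collected_at: str
    sha256: str


@dataclass
class Record:
    """An improvement-style record; every record starts life as an event."""
    record_id: str
    source: str
    description: str
    reported_by: str
    reported_at: str
    status: str = EVENT
    rationale: Optional[str] = None
    evidence: List[Evidence] = field(default_factory=list)
    history: List[str] = field(default_factory=list)  # append-only audit trail


class IncidentRegister:
    """Hypothetical register standing in for the page's 'Improvement module'."""

    def __init__(self) -> None:
        self._records: Dict[str, Record] = {}

    def report_event(self, source: str, description: str, reported_by: str) -> Record:
        rid = f"ISE-{len(self._records) + 1:04d}"  # constructed id scheme
        rec = Record(rid, source, description, reported_by, _now())
        rec.history.append(f"{rec.reported_at} event reported by {reported_by}")
        self._records[rid] = rec
        return rec

    def assess(self, record_id: str, assessor: str, is_incident: bool, rationale: str) -> Record:
        """A.16.1.4: one assessment per record, with the reasoning kept on file."""
        rec = self._records[record_id]
        if rec.status != EVENT:
            raise ValueError(f"{record_id} was already assessed as {rec.status}")
        rec.status = INCIDENT if is_incident else NOT_INCIDENT
        rec.rationale = rationale
        rec.history.append(f"{_now()} assessed by {assessor}: {rec.status} ({rationale})")
        return rec

    def attach_evidence(self, record_id: str, name: str, content: bytes, collected_by: str) -> Evidence:
        """A.16.1.7: record who collected what, when, and the digest of its content."""
        rec = self._records[record_id]
        if rec.status != INCIDENT:
            raise ValueError("evidence is attached only to records classified as incidents")
        ev = Evidence(name, content, collected_by, _now(), hashlib.sha256(content).hexdigest())
        rec.evidence.append(ev)
        rec.history.append(f"{ev.collected_at} evidence {name!r} sha256={ev.sha256} by {collected_by}")
        return ev

    def verify_evidence(self, record_id: str) -> Dict[str, bool]:
        """Re-hash each stored artefact against the digest taken at collection time."""
        rec = self._records[record_id]
        return {ev.name: hashlib.sha256(ev.content).hexdigest() == ev.sha256 for ev in rec.evidence}

    def get(self, record_id: str) -> Record:
        return self._records[record_id]


def demo() -> dict:
    """Walk two constructed events through the workflow and report the outcome."""
    reg = IncidentRegister()
    # Constructed sample: an advisory-style alert is logged as an event first (A.16.1.2).
    rec = reg.report_event("external advisory (constructed)",
                           "advisory for widget-api 2.1, the version we run", "security.officer")
    reg.assess(rec.record_id, "security.officer", True, "affected version is in production")
    # A second constructed event that assessment closes without an incident (A.16.1.4).
    benign = reg.report_event("staff report (constructed)",
                              "unexpected login prompt, confirmed as a planned SSO change", "staff.member")
    reg.assess(benign.record_id, "security.officer", False, "planned change, no control failure")
    # Constructed log line preserved as evidence; 203.0.113.0/24 is a documentation range.
    log = b"2024-01-01T10:00:00Z widget-api login failure burst src=203.0.113.7\n"
    reg.attach_evidence(rec.record_id, "widget-api.log", log, "ops.oncall")
    intact = reg.verify_evidence(rec.record_id)
    # Simulate the stored bytes being altered after collection; the digest check must now fail.
    reg.get(rec.record_id).evidence[0].content = log.replace(b"203.0.113.7", b"198.51.100.9")
    after_tamper = reg.verify_evidence(rec.record_id)
    return {
        "incident_status": reg.get(rec.record_id).status,
        "benign_status": reg.get(benign.record_id).status,
        "intact": intact,
        "after_tamper": after_tamper,
        "history_entries": len(reg.get(rec.record_id).history),
    }


if __name__ == "__main__":
    print(demo())
```

The two design points worth noting are that a record cannot be re-assessed once a decision is made (the decision and its rationale stay on the record for the Management Review discussion under A.16.1.6), and that evidence can only be attached to records already classified as incidents, with its digest and collector recorded at the moment of collection so the `verify_evidence` check has something trustworthy to compare against.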


Takeaways

  1. Define responsibilities and procedures for all employees and contractors.
  2. Report your information security events.
  3. Report your information security weaknesses.
  4. Assess and decide if information security events become incidents.
  5. Report and respond to your information security incidents.
  6. Learn from information security incidents.
  7. Collect the evidence of events and incidents.

