ISO27001 and Information security incident management
When we talk to our clients about the steps they can take to improve their management system, one thing we always stress is the need to capture any incidents that have occurred and the improvements they have made. Rather than treating these as negatives because something went wrong and created an incident or needed improvement, we help them see them for what they truly are: gold dust! Any time you find something wrong in your management system, it shows you where you need to improve and where the gaps are in the system you have developed, so you can remove them and strengthen your systems. That is one of the key themes behind Annex clause A.16.1 of ISO27001:2013, Management of information security incidents and improvements.
The objective of this clause is simple to understand: "To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses." The ISO27001 Information Security Management System (ISMS) standard also gives you a perfectly good structure to follow when you are developing your incident management approach; just follow the steps!
An Information Security Event is not an Information Security Incident
Before walking through the steps in Annex clause A.16, Information security incident management, it is worth pausing to make sure the difference between an event and an incident is clear. ISO27001 defines them as:
- Information Security Event: identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of controls, or a previously unknown situation that may be security relevant
- Information Security Incident: single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security
A.16.1.1 Responsibilities and procedures – Knowing who will do what, when they need to do it and how, is the basis for any good system. ISO27001 A.16.1.1 is all about developing the procedures that let your organisation respond quickly and effectively to your information security incidents. Think of it a bit like developing a playbook for incidents. Rather than making things up as you go along, a set of predefined procedures lets you walk through things calmly, meaning nothing gets missed.
A.16.1.2 Reporting information security events – The requirement here is simple: all information security events (as defined above) need to be reported as soon as possible through whatever channels the organisation has deemed appropriate.
A.16.1.3 Reporting information security weaknesses – Highlighting a weakness in your ISO27001 information security management system, or in any security system, is a good thing: find the weaknesses and fix them, that is the aim of what you are doing. That can only happen if someone is reporting those weaknesses, however, hence the requirement of this clause. Employees, contractors and sub-contractors need to note anything they see as a weakness and feed it back into your system so you can take the required action.
A.16.1.4 Assessment of and decision on information security events – Now that we have events and weaknesses being reported into our ISO27001 ISMS, it makes sense that actions are taken to assess them and decide whether they are information security incidents. Typically, that will involve your information security officer and members of the management team reviewing them and making the best decision they can with the information they have.
A.16.1.5 Response to information security incidents – Once your assessment has been made, you need to ensure incidents are responded to in accordance with your own ISO27001 documented procedures. That response will vary depending on the severity, the risk to the business, whether it is a single incident or a series of them, and any number of other factors you have deemed appropriate in your own system.
A.16.1.6 Learning from information security incidents – Keeping in mind that all the newer ISO standards follow the Plan, Do, Check, Act (PDCA) loop, you should not be surprised that the ISO27001 standard requires you to look for the learning you can take out of any security incidents (or events, for that matter) and understand how you can reduce the likelihood of a recurrence or the impact of any future incidents. This needs to be done by the information security officer and the management team and then communicated throughout the organisation.
A.16.1.7 Collection of evidence – The organisation needs to develop procedures on how it will keep track of events and incidents and how long it will keep the information that would serve as evidence of them. There are many ways to do this, but this is certainly an area where Mango's Information Security Incident Module comes into its own, with a structured process for recording and reporting incidents.
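To make the A.16.1.2 to A.16.1.7 lifecycle above concrete, here is an added example of a minimal incident register written for this article; it is not code from Mango or from the standard, and the 24-hour "series" window, the 48-hour assessment SLA and the 365-day evidence retention period are assumed values you would set in your own procedures. It records every event and weakness, turns events into an incident only by an explicit assessment decision (escalating severity when a series of events hits one asset), logs each response action and the lessons learned, stamps an evidence retention date, and lists the gaps an internal auditor would raise.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SEVERITY = ["low", "medium", "high"]

@dataclass
class SecurityEvent:                   # what an A.16.1.2 / A.16.1.3 report captures
    event_id: str
    reported_at: datetime
    asset: str                         # correlation key for spotting a "series" of events
    kind: str = "event"                # "event" or "weakness"

@dataclass
class Incident:                        # created only by an A.16.1.4 decision
    incident_id: str
    events: list
    severity: str
    response_log: list = field(default_factory=list)
    lessons: list = field(default_factory=list)
    evidence_retain_until: "datetime | None" = None

class IncidentRegister:
    """Assumed minimal model of the A.16.1 lifecycle; not any vendor's product."""
    def __init__(self, series_window=timedelta(hours=24), retention_days=365):
        self.events, self.incidents, self.assessed = [], [], set()
        self.series_window, self.retention = series_window, timedelta(days=retention_days)
    def report(self, ev):              # A.16.1.2 / A.16.1.3: everything is recorded, nothing filtered
        self.events.append(ev)
    def assess(self, event_ids, threatens_operations, severity):  # A.16.1.4
        evs = [e for e in self.events if e.event_id in event_ids]
        self.assessed.update(event_ids)
        if not threatens_operations:
            return None                # stays an event or weakness on record, not an incident
        # A series of events on one asset inside the window is escalated one severity step.
        if len(evs) > 1 and len({e.asset for e in evs}) == 1 and \
                max(e.reported_at for e in evs) - min(e.reported_at for e in evs) <= self.series_window:
            severity = SEVERITY[min(SEVERITY.index(severity) + 1, len(SEVERITY) - 1)]
        inc = Incident(f"INC-{len(self.incidents) + 1:04d}", evs, severity)
        self.incidents.append(inc)
        return inc
    def respond(self, inc, action, actor, when):  # A.16.1.5: each action is logged as evidence
        inc.response_log.append({"at": when, "by": actor, "action": action})
    def close(self, inc, lessons, when):          # A.16.1.6 lessons + A.16.1.7 retention date
        inc.lessons.extend(lessons)
        inc.evidence_retain_until = when + self.retention
    def audit_gaps(self, now, assess_sla=timedelta(hours=48)):
        # Findings an internal auditor would raise against the register.
        gaps = [f"{e.event_id}: not assessed within {assess_sla}" for e in self.events
                if e.event_id not in self.assessed and now - e.reported_at > assess_sla]
        gaps += [f"{i.incident_id}: no response logged" for i in self.incidents if not i.response_log]
        gaps += [f"{i.incident_id}: no lessons learned recorded" for i in self.incidents if not i.lessons]
        return gaps
```

The `audit_gaps` output is the kind of list you would want empty before an internal audit: events nobody assessed, incidents with no recorded response and incidents closed without lessons learned.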
© Many Caps Consulting | All Rights Reserved