ISO/IEC 27035 — Information Security Incident Management

Aakifkuhafa
5 min read · Oct 9, 2021


Introduction

Information security organizational structures differ with the size and industry of the organization. As network incidents (for example intrusions and hacking) become more varied and frequent every year, organizations' concern about information security has grown. However, managing networks and systems securely and handling the many kinds of attacks (such as DoS, worms and viruses) with network security equipment such as firewalls, IDS and IPS alone is difficult.

A dedicated organization is essential to ensure information security and to handle security incidents effectively. However, establishing incident response teams (IRTs) and operating IRT functions such as monitoring, detection and analysis is not easy; it also requires effective monitoring, detection, analysis and response actions for data or security incidents.

The international standards listed below therefore provide guidance on information security incident management. Their clauses include sub-clauses that explain incident response in detail.

Scope

This standard covers the processes for managing security events, vulnerabilities and incidents. It expands the information security incident management section of ISO/IEC 27002 and cross-references the ISO27k e-forensics standards. Together, ISO/IEC 27035-1 and ISO/IEC 27035-2 provide guidance on practical operation and response guidelines for taking practical action against evolving.

ISO/IEC 27035-1, Information Security Incident Management — Part 1: Principles of incident management

Image 01

Controls and procedures should be in place as part of an organization's overall information security strategy to enable a disciplined, well-planned approach to the handling of information security incidents. The primary goal of an organization is to avoid or mitigate the impact of information security incidents in order to reduce the direct and indirect damage that the incidents cause to its operations. Because the destruction of information assets can have a detrimental impact on operations, business and operational perspectives should play a big role in setting more specific information security management goals. Basic concepts and phases of information security incident management are presented, together with methods for detecting, reporting, assessing and responding to incidents and for applying the lessons learned.

Scope and Purpose

Part 1 introduces the remaining parts of the standard and explains the concepts and principles that drive information security incident management. It outlines a five-phase information security incident management approach and suggests ways to improve incident management.

Phases

1. Plan and Prepare

Appropriate planning and preparation are required for effective information security incident management. Before an efficient and successful information security incident management plan can be implemented, an organization should carry out a variety of preparatory activities; in this phase these include forming an Incident Response Team and establishing an information security incident management policy.

2. Detection and reporting

The second phase of information security incident management covers the detection of information security events and of the existence of information security vulnerabilities, as well as the collection of the information connected with them. This can be done manually or automatically. Events and vulnerabilities may not yet be classified as information security incidents at this stage. Security events are reported in accordance with the organization's reporting policies, allowing for later examination if necessary.

3. Assessment and decision

The third phase of information security incident management entails evaluating data connected with information security events and deciding whether they should be classified as information security incidents. Following the detection and reporting of an information security event, steps should be taken according to the ISO 27035 standard.

4. Responses

Where appropriate, contain, eradicate, recover from, and forensically investigate the incident.

5. Lessons learned

As a result of the incidents, make regular improvements to the organization's management of information risks.
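As an added illustration (not code from the standard or from this post), the following Python sketch encodes the five-phase flow as a small state machine: a reported event or vulnerability must pass the assessment phase before anything else, only an event classified as an incident can enter the response phase, and lessons are recorded at close. The event data and names are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

class Phase(Enum):  # phases 2-5 of ISO/IEC 27035-1; phase 1 (plan and prepare) precedes any event
    REPORTED = 2    # detection and reporting
    ASSESSED = 3    # assessment and decision
    RESPONDED = 4   # response
    CLOSED = 5      # lessons learned recorded

@dataclass
class SecurityEvent:
    event_id: str
    description: str
    detected_by: str                    # "manual" or "automatic", as phase 2 allows
    phase: Phase = Phase.REPORTED
    is_incident: Optional[bool] = None  # unknown until phase 3 decides
    log: list = field(default_factory=list)

def assess(ev: SecurityEvent, is_incident: bool, rationale: str) -> None:
    """Phase 3: decide whether the reported event is classified as an incident."""
    if ev.phase is not Phase.REPORTED:
        raise ValueError(f"{ev.event_id}: assessment already done")
    ev.is_incident = is_incident
    ev.log.append(f"assess: {'incident' if is_incident else 'event only'} - {rationale}")
    ev.phase = Phase.ASSESSED

def respond(ev: SecurityEvent, actions: dict) -> None:
    """Phase 4: contain, eradicate, recover, investigate; confirmed incidents only."""
    if ev.phase is not Phase.ASSESSED or not ev.is_incident:
        raise ValueError(f"{ev.event_id}: response requires an assessed, confirmed incident")
    ev.log.extend(f"{step}: {what}" for step, what in actions.items())
    ev.phase = Phase.RESPONDED

def close_with_lessons(ev: SecurityEvent, lessons: list) -> None:
    """Phase 5: record improvements; a non-incident closes straight after assessment."""
    expected = Phase.RESPONDED if ev.is_incident else Phase.ASSESSED
    if ev.phase is not expected:
        raise ValueError(f"{ev.event_id}: cannot close from phase {ev.phase.name}")
    ev.log.extend(f"lesson: {text}" for text in lessons)
    ev.phase = Phase.CLOSED

def run_example() -> tuple:  # constructed sample: an automatic IDS alert that is a real incident
    ev = SecurityEvent("EV-0001", "IDS alert: repeated failed VPN logins", "automatic")
    assess(ev, True, "credential-stuffing pattern confirmed by the SOC")
    respond(ev, {"contain": "blocked source ranges", "eradicate": "reset affected accounts",
                 "recover": "restored VPN service", "investigate": "preserved gateway logs"})
    close_with_lessons(ev, ["enable MFA on VPN", "tune IDS threshold"])
    return ev.phase, ev.is_incident, len(ev.log)
```

The phase checks are the point: skipping assessment or responding to something never classified as an incident raises an error, which is the discipline the standard asks the process to enforce.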

ISO/IEC 27035-2, Information Security Incident Management — Part 2: Guidelines to Plan and Prepare for Incident Response

Image 02

This part provides principles for planning and preparing for incident response, and for learning lessons from previous incidents. The guidelines are based on the "Plan and Prepare" phase and the "Lessons Learned" phase of the "Information Security Incident Management Phases" model given in Part 1.

Scope and Purpose

This section focuses on ensuring that the organization is prepared to respond appropriately to any future information security issues. It answers the rhetorical question, “Are we ready to respond to an incident?” and encourages people to learn from mistakes in order to improve things in the future. It covers the Plan and Prepare, as well as the Lessons Learned, parts of the procedure outlined in Part 1.

Phases

  1. Establishing an information security incident management policy
  2. Updating information security and risk management policies
  3. Creating an information security incident management plan
  4. Establishing an Incident Response Team
  5. Defining technical and other support
  6. Creating information security incident awareness and training
  7. Testing (or rather exercising) the information security incident management plan
  8. Lessons learned

Despite the title, the ISO/IEC 27035 standards focus on incidents involving IT systems and networks, although the essential principles apply to other types of information as well, such as documentation, knowledge, intellectual property, trade secrets and personal information. Unfortunately, the language is almost exclusively IT-related (at least in my opinion). That, in my opinion, is yet another missed opportunity: ISO27k covers more than IT/cybersecurity. How are businesses supposed to deal with issues like fraud and piracy, where IT is only a minor part of the equation?

This is another ISO27k standard that might benefit from a more detailed description of the information risks addressed by the incident management method. Because it is impossible to notice and respond to every single incident, some risk must be accepted, while other risks may be shared with third parties or avoided. Furthermore, the response to a large incident may well require invoking business continuity plans, so this standard, in my opinion, should be integrated with ISO 22301 and other standards.


Aakifkuhafa

SOC Analyst — level 1 | Undergraduate at SLIIT | Cybersecurity enthusiastic