ISO 27001:2022 Annex A Control 5.24

Information Security Incident Management Planning and Preparation

Book a demo

bottom,view,of,modern,skyscrapers,in,business,district,against,blue

What Is the Objective of ISO 27001:2022 Annex A 5.24?

The objective of ISO 27001:2022 Annex A 5.24 is to ensure a consistent and practical approach to managing information security incidents, events, and weaknesses.

Defining how management establishes responsibilities and procedures for addressing weaknesses, events, and security incidents is the definition of suitable control.

The term incident refers to a situation where a loss of confidentiality, integrity, or availability has occurred.

In order to plan an incident response, event response or weakness response, your leadership must define those procedures in advance of an incident occurring. Those procedures are easy to develop since the remainder of this Annex A control spells them out. You must demonstrate that these formal, documented procedures work with your auditor.

What Is The Purpose of Annex A 5.24?

An incident management approach to information security can be seen in Annex A Control 5.24.

This control describes how organisations should deal with incidents related to information security by creating efficient processes, planning adequately, and defining clearly defined roles and responsibilities.

It emphasises constructive communication and professional responses to high-pressure scenarios, especially when dealing with commercially sensitive personal information.

Its purpose is to minimise any commercial or operational damage caused by critical information security events by establishing a standard set of incident management procedures.

Updated for ISO 27001 2022
  • 81% of the work done for you
  • Assured Results Method for certification success
  • Save time, money and hassle
Book your demo
img

Ownership of ISO 27001:2022 Annex A 5.24

In a broader sense, an incident management strategy is typically used to manage service-related incidents. Control 5.24 in Annex A deals specifically with incidents and breaches related to information security.

Due to the sensitive nature of these events, CISOs or equivalents of an organisation should take ownership of Control 5.24.

Since CISOs are usually employed by large companies, ownership could also be held by the COO or Service Manager according to the nature of the organisation.

Guidance on Roles and Responsibilities

To achieve the most effective results in incident management, an organisation’s staff must work together to solve specific problems.

Annex A Control 5.24 specifies 5 main guidelines on how organisations can make their information management operations more efficient and cohesive.

It is critical for organisations to:

  1. Develop and document a homogeneous method for reporting security events. This should also include establishing a single point of contact for all such events.
  2. Implement Incident Management processes for handling information security-related incidents across various technical and administrative areas:
    • Administration
    • Documentation
    • Detection
    • Triage
    • Prioritisation
    • Analysis
    • Communication

Create an incident response procedure so that incidents can be assessed and responded to by the organisation. A company should also consider the need to learn from incidents once they have been resolved. This prevents recurrences and provides staff with historical context for future scenarios.

Make sure that only trained and competent personnel are involved in incidents. In addition, make sure that they have full access to procedure documentation and are provided with regular refresher training that is directly related to information security incidents.

Identify staff members’ training needs in resolving information security-related incidents by establishing a process. Staff should be allowed to highlight professional development needs related to information security and vendor-specific certifications.

Guidance on Management of Incidents

An organisation should manage information security incidents to ensure that all people involved in resolving them understand three major areas:

  1. An incident’s resolution time.
  2. Possible repercussions.
  3. Incident severity.

All processes must work together harmoniously to maintain these three variables as top priorities:

  • In Annex A Control 5.24, eight main activities must be addressed when resolving information security-related incidents.
  • Event potential must be evaluated based on strict criteria that validate it as an approved security incident.
  • Events and incidents relating to information security should be managed as follows, either manually or via process automation:
    • Monitoring (see Annex A Controls 8.15 and 8.16).
    • Detection (see Annex A Control 88.16).
    • Classification (see Annex A Control 5.25).
    • Analysis.
    • Reporting (see Annex A Control 6.8).

A successful conclusion to an information security incident should include the following procedures:

  • Depending on the incident type, response and escalation (see Annex A Control 5.26) are required.
  • Case-by-case activation of crisis management or business continuity plans.
  • Recovery from an incident in a manner that minimises any operational or financial damage.
  • Communication with all internal and external parties regarding incident-related events.
  • The ability to work collaboratively with internal and external personnel (see Annex A Control 5.5 and 5.6).
  • All incident management activities should be logged, easily accessible, and transparent.

Compliance with external and internal guidelines and regulations regarding the handling of evidence (including data and conversations) (see Annex A Control 5.28).

A thorough investigation and root cause analysis will be conducted once the incident has been resolved.

A comprehensive description of any improvements needed to prevent the incident from recurring, including any changes to the incident management process.

Guidance on Reporting Guidelines

An Incident Management policy should focus on reporting activities to ensure information is disseminated accurately throughout the organisation. Reporting activities should concentrate on four main areas:

  1. An information security event requires specific actions to be taken.
  2. Using incident forms, personnel can record information clearly and concisely.
  3. Inform personnel of the outcome of information security incidents once they have been resolved through feedback processes.
  4. All relevant information about an incident is documented in incident reports.

Annex A Control 5.24 needs guidance on how to comply with external reporting requirements (e.g. regulatory guidelines and prevailing legislation). Despite this, organisations should coordinate a response that meets all legal, regulatory, and sector-specific requirements by sharing information about incidents with all relevant parties.

Accompanying Annex A Controls

  • ISO 27001:2022 Annex A 5.25
  • ISO 27001:2022 Annex A 5.26
  • ISO 27001:2022 Annex A 5.5
  • ISO 27001:2022 Annex A 5.6
  • ISO 27001:2022 Annex A 6.8
  • ISO 27001:2022 Annex A 8.15
  • ISO 27001:2022 Annex A 8.16

What Are the Changes and Differences From ISO 27001:2013?

ISO 27001:2022 Annex A 5.24 replaces ISO 27001:2013 Annex A 16.1.1 (‘Management of Information Security Incidents and Improvements‘).

It is acknowledged in Annex A 5.24 that organisations must undergo thorough preparation to be resilient and compliant when faced with information security incidents.

In this regard, 27001:2022 A.5.24 provides a comprehensive breakdown of the steps an organisation must take across role delegation, incident management, and reporting functions, as well as references to other ISO controls that help organisations gain a more comprehensive view of incident management as a whole, not merely relating to information security incidents.

There are three distinct areas to consider when compartmentalising incident management operations in ISO 27001:2022 Annex A 5.24 as opposed to ISO 27001:2013 Annex A 16.1.1:

  • Responsibilities and roles.
  • Processes for managing incidents.
  • The reporting process.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

ISO 27001:2022 Organisational Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Organisational ControlsAnnex A 5.1Annex A 5.1.1
Annex A 5.1.2
Policies for Information Security
Organisational ControlsAnnex A 5.2Annex A 6.1.1Information Security Roles and Responsibilities
Organisational ControlsAnnex A 5.3Annex A 6.1.2Segregation of Duties
Organisational ControlsAnnex A 5.4Annex A 7.2.1Management Responsibilities
Organisational ControlsAnnex A 5.5Annex A 6.1.3Contact With Authorities
Organisational ControlsAnnex A 5.6Annex A 6.1.4Contact With Special Interest Groups
Organisational ControlsAnnex A 5.7NEWThreat Intelligence
Organisational ControlsAnnex A 5.8Annex A 6.1.5
Annex A 14.1.1
Information Security in Project Management
Organisational ControlsAnnex A 5.9Annex A 8.1.1
Annex A 8.1.2
Inventory of Information and Other Associated Assets
Organisational ControlsAnnex A 5.10Annex A 8.1.3
Annex A 8.2.3
Acceptable Use of Information and Other Associated Assets
Organisational ControlsAnnex A 5.11Annex A 8.1.4Return of Assets
Organisational ControlsAnnex A 5.12Annex A 8.2.1Classification of Information
Organisational ControlsAnnex A 5.13Annex A 8.2.2Labelling of Information
Organisational ControlsAnnex A 5.14Annex A 13.2.1
Annex A 13.2.2
Annex A 13.2.3
Information Transfer
Organisational ControlsAnnex A 5.15Annex A 9.1.1
Annex A 9.1.2
Access Control
Organisational ControlsAnnex A 5.16Annex A 9.2.1Identity Management
Organisational ControlsAnnex A 5.17Annex A 9.2.4
Annex A 9.3.1
Annex A 9.4.3
Authentication Information
Organisational ControlsAnnex A 5.18Annex A 9.2.2
Annex A 9.2.5
Annex A 9.2.6
Access Rights
Organisational ControlsAnnex A 5.19Annex A 15.1.1Information Security in Supplier Relationships
Organisational ControlsAnnex A 5.20Annex A 15.1.2Addressing Information Security Within Supplier Agreements
Organisational ControlsAnnex A 5.21Annex A 15.1.3Managing Information Security in the ICT Supply Chain
Organisational ControlsAnnex A 5.22Annex A 15.2.1
Annex A 15.2.2
Monitoring, Review and Change Management of Supplier Services
Organisational ControlsAnnex A 5.23NEWInformation Security for Use of Cloud Services
Organisational ControlsAnnex A 5.24Annex A 16.1.1Information Security Incident Management Planning and Preparation
Organisational ControlsAnnex A 5.25Annex A 16.1.4Assessment and Decision on Information Security Events
Organisational ControlsAnnex A 5.26Annex A 16.1.5Response to Information Security Incidents
Organisational ControlsAnnex A 5.27Annex A 16.1.6Learning From Information Security Incidents
Organisational ControlsAnnex A 5.28Annex A 16.1.7Collection of Evidence
Organisational ControlsAnnex A 5.29Annex A 17.1.1
Annex A 17.1.2
Annex A 17.1.3
Information Security During Disruption
Organisational ControlsAnnex A 5.30NEWICT Readiness for Business Continuity
Organisational ControlsAnnex A 5.31Annex A 18.1.1
Annex A 18.1.5
Legal, Statutory, Regulatory and Contractual Requirements
Organisational ControlsAnnex A 5.32Annex A 18.1.2Intellectual Property Rights
Organisational ControlsAnnex A 5.33Annex A 18.1.3Protection of Records
Organisational ControlsAnnex A 5.34 Annex A 18.1.4Privacy and Protection of PII
Organisational ControlsAnnex A 5.35Annex A 18.2.1Independent Review of Information Security
Organisational ControlsAnnex A 5.36Annex A 18.2.2
Annex A 18.2.3
Compliance With Policies, Rules and Standards for Information Security
Organisational ControlsAnnex A 5.37Annex A 12.1.1Documented Operating Procedures

ISO 27001:2022 People Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
People ControlsAnnex A 6.1Annex A 7.1.1Screening
People ControlsAnnex A 6.2Annex A 7.1.2Terms and Conditions of Employment
People ControlsAnnex A 6.3Annex A 7.2.2Information Security Awareness, Education and Training
People ControlsAnnex A 6.4Annex A 7.2.3Disciplinary Process
People ControlsAnnex A 6.5Annex A 7.3.1Responsibilities After Termination or Change of Employment
People ControlsAnnex A 6.6Annex A 13.2.4Confidentiality or Non-Disclosure Agreements
People ControlsAnnex A 6.7Annex A 6.2.2Remote Working
People ControlsAnnex A 6.8Annex A 16.1.2
Annex A 16.1.3
Information Security Event Reporting

ISO 27001:2022 Physical Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Physical ControlsAnnex A 7.1Annex A 11.1.1Physical Security Perimeters
Physical ControlsAnnex A 7.2Annex A 11.1.2
Annex A 11.1.6
Physical Entry
Physical ControlsAnnex A 7.3Annex A 11.1.3Securing Offices, Rooms and Facilities
Physical ControlsAnnex A 7.4NEWPhysical Security Monitoring
Physical ControlsAnnex A 7.5Annex A 11.1.4Protecting Against Physical and Environmental Threats
Physical ControlsAnnex A 7.6Annex A 11.1.5Working In Secure Areas
Physical ControlsAnnex A 7.7Annex A 11.2.9Clear Desk and Clear Screen
Physical ControlsAnnex A 7.8Annex A 11.2.1Equipment Siting and Protection
Physical ControlsAnnex A 7.9Annex A 11.2.6Security of Assets Off-Premises
Physical ControlsAnnex A 7.10Annex A 8.3.1
Annex A 8.3.2
Annex A 8.3.3
Annex A 11.2.5
Storage Media
Physical ControlsAnnex A 7.11Annex A 11.2.2Supporting Utilities
Physical ControlsAnnex A 7.12Annex A 11.2.3Cabling Security
Physical ControlsAnnex A 7.13Annex A 11.2.4Equipment Maintenance
Physical ControlsAnnex A 7.14Annex A 11.2.7Secure Disposal or Re-Use of Equipment

ISO 27001:2022 Technological Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Technological ControlsAnnex A 8.1Annex A 6.2.1
Annex A 11.2.8
User Endpoint Devices
Technological ControlsAnnex A 8.2Annex A 9.2.3Privileged Access Rights
Technological ControlsAnnex A 8.3Annex A 9.4.1Information Access Restriction
Technological ControlsAnnex A 8.4Annex A 9.4.5Access to Source Code
Technological ControlsAnnex A 8.5Annex A 9.4.2Secure Authentication
Technological ControlsAnnex A 8.6Annex A 12.1.3Capacity Management
Technological ControlsAnnex A 8.7Annex A 12.2.1Protection Against Malware
Technological ControlsAnnex A 8.8Annex A 12.6.1
Annex A 18.2.3
Management of Technical Vulnerabilities
Technological ControlsAnnex A 8.9NEWConfiguration Management
Technological ControlsAnnex A 8.10NEWInformation Deletion
Technological ControlsAnnex A 8.11NEWData Masking
Technological ControlsAnnex A 8.12NEWData Leakage Prevention
Technological ControlsAnnex A 8.13Annex A 12.3.1Information Backup
Technological ControlsAnnex A 8.14Annex A 17.2.1Redundancy of Information Processing Facilities
Technological ControlsAnnex A 8.15Annex A 12.4.1
Annex A 12.4.2
Annex A 12.4.3
Logging
Technological ControlsAnnex A 8.16NEWMonitoring Activities
Technological ControlsAnnex A 8.17Annex A 12.4.4Clock Synchronization
Technological ControlsAnnex A 8.18Annex A 9.4.4Use of Privileged Utility Programs
Technological ControlsAnnex A 8.19Annex A 12.5.1
Annex A 12.6.2
Installation of Software on Operational Systems
Technological ControlsAnnex A 8.20Annex A 13.1.1Networks Security
Technological ControlsAnnex A 8.21Annex A 13.1.2Security of Network Services
Technological ControlsAnnex A 8.22Annex A 13.1.3Segregation of Networks
Technological ControlsAnnex A 8.23NEWWeb filtering
Technological ControlsAnnex A 8.24Annex A 10.1.1
Annex A 10.1.2
Use of Cryptography
Technological ControlsAnnex A 8.25Annex A 14.2.1Secure Development Life Cycle
Technological ControlsAnnex A 8.26Annex A 14.1.2
Annex A 14.1.3
Application Security Requirements
Technological ControlsAnnex A 8.27Annex A 14.2.5Secure System Architecture and Engineering Principles
Technological ControlsAnnex A 8.28NEWSecure Coding
Technological ControlsAnnex A 8.29Annex A 14.2.8
Annex A 14.2.9
Security Testing in Development and Acceptance
Technological ControlsAnnex A 8.30Annex A 14.2.7Outsourced Development
Technological ControlsAnnex A 8.31Annex A 12.1.4
Annex A 14.2.6
Separation of Development, Test and Production Environments
Technological ControlsAnnex A 8.32Annex A 12.1.2
Annex A 14.2.2
Annex A 14.2.3
Annex A 14.2.4
Change Management
Technological ControlsAnnex A 8.33Annex A 14.3.1Test Information
Technological ControlsAnnex A 8.34Annex A 12.7.1Protection of Information Systems During Audit Testing

Information Security Incident Management: How Does ISMS.online Help?

ISMS.online provides an integrated policy for addressing 16.1.1 – 16.1.7 throughout the life cycle and built-in tools that you can use to demonstrate this. Security incident management is a simple, effortless process with ISMS.online’s Security Incident Management Tool. A comprehensive incident management plan guides an incident through all key stages, ensuring the standard is being met in a pragmatic but compliant manner.

With ISMS.online, you can quickly adapt it as required. The prebuilt statistics and reporting insights help make management reviews much more straightforward and save time, as they tie together elegantly with related parts of the ISMS. Would you like to link a specific incident to an improvement, a risk, an audit, or an information asset and the policies you need to consider?

A headline of the Security Incident Track is shown below, which helps surface all the work being done. That’s easy and avoids duplication of work as well. To ensure you are focusing on the most important things first, you can filter them and manage resources, categories, and incident types.

ISMS.online Allows You To:

  • Implement an ISMS that complies with ISO 27001 requirements.
  • Demonstrate compliance with the standard’s requirements by performing tasks and submitting proof.
  • Ensure compliance with the law by allocating tasks and tracking progress.
  • Ensure compliance with the help of a dedicated team of advisors.

Get in touch with us today to schedule a demo.

See our platform
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

Trusted by companies everywhere
  • Simple and easy to use
  • Designed for ISO 27001 success
  • Saves you time and money
Book your demo
img

Streamline your workflow with our new Jira integration! Learn more here.