ISO 27001:2022 Annex A 5.24 – Information Security Incident Management Planning and Preparation

What Is the Objective of ISO 27001:2022 Annex A 5.24?

The objective of ISO 27001:2022 Annex A 5.24 is to ensure a consistent and practical approach to managing information security incidents, events, and weaknesses.

Defining how management establishes responsibilities and procedures for addressing weaknesses, events, and security incidents is the definition of suitable control.

The term incident refers to a situation where a loss of confidentiality, integrity, or availability has occurred.

In order to plan an incident response, event response or weakness response, your leadership must define those procedures in advance of an incident occurring. Those procedures are easy to develop since the remainder of this Annex A control spells them out. You must demonstrate that these formal, documented procedures work with your auditor.

What Is The Purpose of Annex A 5.24?

An incident management approach to information security can be seen in Annex A Control 5.24.

This control describes how organisations should deal with incidents related to information security by creating efficient processes, planning adequately, and defining clearly defined roles and responsibilities.

It emphasises constructive communication and professional responses to high-pressure scenarios, especially when dealing with commercially sensitive personal information.

Its purpose is to minimise any commercial or operational damage caused by critical information security events by establishing a standard set of incident management procedures.

Ownership of ISO 27001:2022 Annex A 5.24

In a broader sense, an incident management strategy is typically used to manage service-related incidents. Control 5.24 in Annex A deals specifically with incidents and breaches related to information security.

Due to the sensitive nature of these events, CISOs or equivalents of an organisation should take ownership of Control 5.24.

Since CISOs are usually employed by large companies, ownership could also be held by the COO or Service Manager according to the nature of the organisation.

Guidance on Roles and Responsibilities

To achieve the most effective results in incident management, an organisation’s staff must work together to solve specific problems.

Annex A Control 5.24 specifies 5 main guidelines on how organisations can make their information management operations more efficient and cohesive.

It is critical for organisations to:

1. Develop and document a homogeneous method for reporting security events. This should also include establishing a single point of contact for all such events.
2. Implement Incident Management processes for handling information security-related incidents across various technical and administrative areas:
• Administration
• Documentation
• Detection
• Triage
• Prioritisation
• Analysis
• Communication

Create an incident response procedure so that incidents can be assessed and responded to by the organisation. A company should also consider the need to learn from incidents once they have been resolved. This prevents recurrences and provides staff with historical context for future scenarios.

Make sure that only trained and competent personnel are involved in incidents. In addition, make sure that they have full access to procedure documentation and are provided with regular refresher training that is directly related to information security incidents.

Identify staff members’ training needs in resolving information security-related incidents by establishing a process. Staff should be allowed to highlight professional development needs related to information security and vendor-specific certifications.

Guidance on Management of Incidents

An organisation should manage information security incidents to ensure that all people involved in resolving them understand three major areas:

1. An incident’s resolution time.
2. Possible repercussions.
3. Incident severity.

All processes must work together harmoniously to maintain these three variables as top priorities:

• In Annex A Control 5.24, eight main activities must be addressed when resolving information security-related incidents.
• Event potential must be evaluated based on strict criteria that validate it as an approved security incident.
• Events and incidents relating to information security should be managed as follows, either manually or via process automation:
• Monitoring (see Annex A Controls 8.15 and 8.16).
• Detection (see Annex A Control 88.16).
• Classification (see Annex A Control 5.25).
• Analysis.
• Reporting (see Annex A Control 6.8).

A successful conclusion to an information security incident should include the following procedures:

• Depending on the incident type, response and escalation (see Annex A Control 5.26) are required.
• Case-by-case activation of crisis management or business continuity plans.
• Recovery from an incident in a manner that minimises any operational or financial damage.
• Communication with all internal and external parties regarding incident-related events.
• The ability to work collaboratively with internal and external personnel (see Annex A Control 5.5 and 5.6).
• All incident management activities should be logged, easily accessible, and transparent.

Compliance with external and internal guidelines and regulations regarding the handling of evidence (including data and conversations) (see Annex A Control 5.28).

A thorough investigation and root cause analysis will be conducted once the incident has been resolved.

A comprehensive description of any improvements needed to prevent the incident from recurring, including any changes to the incident management process.

Guidance on Reporting Guidelines

An Incident Management policy should focus on reporting activities to ensure information is disseminated accurately throughout the organisation. Reporting activities should concentrate on four main areas:

1. An information security event requires specific actions to be taken.
2. Using incident forms, personnel can record information clearly and concisely.
3. Inform personnel of the outcome of information security incidents once they have been resolved through feedback processes.
4. All relevant information about an incident is documented in incident reports.

Annex A Control 5.24 needs guidance on how to comply with external reporting requirements (e.g. regulatory guidelines and prevailing legislation). Despite this, organisations should coordinate a response that meets all legal, regulatory, and sector-specific requirements by sharing information about incidents with all relevant parties.

Accompanying Annex A Controls

• ISO 27001:2022 Annex A 5.25
• ISO 27001:2022 Annex A 5.26
• ISO 27001:2022 Annex A 5.5
• ISO 27001:2022 Annex A 5.6
• ISO 27001:2022 Annex A 6.8
• ISO 27001:2022 Annex A 8.15
• ISO 27001:2022 Annex A 8.16

What Are the Changes and Differences From ISO 27001:2013?

ISO 27001:2022 Annex A 5.24 replaces ISO 27001:2013 Annex A 16.1.1 (‘Management of Information Security Incidents and Improvements‘).

It is acknowledged in Annex A 5.24 that organisations must undergo thorough preparation to be resilient and compliant when faced with information security incidents.

In this regard, 27001:2022 A.5.24 provides a comprehensive breakdown of the steps an organisation must take across role delegation, incident management, and reporting functions, as well as references to other ISO controls that help organisations gain a more comprehensive view of incident management as a whole, not merely relating to information security incidents.

There are three distinct areas to consider when compartmentalising incident management operations in ISO 27001:2022 Annex A 5.24 as opposed to ISO 27001:2013 Annex A 16.1.1:

• Responsibilities and roles.
• Processes for managing incidents.
• The reporting process.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

Information Security Incident Management: How Does ISMS.online Help?

ISMS.online provides an integrated policy for addressing 16.1.1 – 16.1.7 throughout the life cycle and built-in tools that you can use to demonstrate this. Security incident management is a simple, effortless process with ISMS.online’s Security Incident Management Tool. A comprehensive incident management plan guides an incident through all key stages, ensuring the standard is being met in a pragmatic but compliant manner.

With ISMS.online, you can quickly adapt it as required. The prebuilt statistics and reporting insights help make management reviews much more straightforward and save time, as they tie together elegantly with related parts of the ISMS. Would you like to link a specific incident to an improvement, a risk, an audit, or an information asset and the policies you need to consider?

A headline of the Security Incident Track is shown below, which helps surface all the work being done. That’s easy and avoids duplication of work as well. To ensure you are focusing on the most important things first, you can filter them and manage resources, categories, and incident types.

ISMS.online Allows You To:

• Implement an ISMS that complies with ISO 27001 requirements.
• Demonstrate compliance with the standard’s requirements by performing tasks and submitting proof.
• Ensure compliance with the law by allocating tasks and tracking progress.
• Ensure compliance with the help of a dedicated team of advisors.

Get in touch with us today to schedule a demo.