ISO 27001:2022 Annex A 5.26 – Response to Information Security Incidents

What Is the Objective of ISO 27001:2022 Annex A 5.26?

Annex A 5.26 is about managing information security incidents, events and weaknesses.

Organisations can maximise the chances of a fast, effective resolution by ensuring that internal and external personnel are fully engaged with published incident management processes and procedures (primarily those created in Annex A Control 5.24).

Ownership of Annex A 5.26

Ideally, Annex A Control 5.26 should be owned by a senior management team member whose responsibilities include overseeing all incident management-related activities, such as the COO.

To drive performance management and eliminate errors, it is also crucial that the owner has direct or indirect control over the performance of personnel involved in analysing and resolving information security incidents.

General Guidance on ISO 27001:2022 Annex A 5.26

If you have other stakeholders and regulators to consider, it is important to assign owners, clarify actions and timescales, and keep the information for audit purposes. ISO 27001 follows the same rules as everything else. It will be the responsibility of the individual dealing with the security event to restore normal security levels.

To ensure prompt and thorough resolution of any information security incidents, a dedicated team should handle each incident with the “required competency” (see Annex A Control 5.26).

As outlined in Annex A Control 5.26, incident management procedures should follow ten main guidelines:

1. Any threats arising from the original event are contained and mitigated.
2. Evidence should be collected and corroborated in the immediate aftermath of an information security incident.
3. Planned escalation, including crisis management (see Annex A Controls 5.29 and 5.30) and business continuity (see Annex A Controls 5.29 and 5.30).
4. Post-mortem analysis requires accurate logging of all incident-related activity, including the initial response.
5. Information security-related incidents should be communicated strictly according to the “need to know” principle.
6. When communicating the broader impact of information security incidents, it is crucial to be mindful of an organisation’s responsibilities towards external organisations (clients, vendors, public bodies, regulators, etc.).
7. An incident must meet strict completion criteria in order to be closed.
8. As per Annex A Control 5.28, forensic analysis is performed.
9. As soon as an incident has been resolved, the underlying cause needs to be identified, recorded, and communicated to all relevant parties (see Annex A Control 5.27).
10. Addressing the underlying vulnerabilities that led to incidents and events related to information security, including identification and modification of internal processes, controls, policies, and procedures.

Supporting Annex A Controls

• ISO 27001:2022 Annex A 5.24
• ISO 27001:2022 Annex A 5.27
• ISO 27001:2022 Annex A 5.28
• ISO 27001:2022 Annex A 5.29
• ISO 27001:2022 Annex A 5.30

What Are the Changes and Differences From ISO 27001:2013?

As of 27001:2022 Annex A 5.26, Annex A 16.1.5 (Response to Information Security Incidents) has been replaced by 27001:2022 Annex A 5.26.

Compared with ISO 27001:2013 Annex A 16.1.5, ISO 27001:2022 Annex A 5.26 adds four areas for consideration:

• In the wake of the original event, it is necessary to contain and mitigate threats.
• A crisis management and continuity of business escalation procedure.
• Identify the exact reason for the incident, and inform all relevant parties of the details.
• The process, control, and policy changes that led to the original incident must be identified and modified.

An incident response team’s primary goal in the early stages of an escalation is to return to a “normal security level”. In contrast, 27001:2022 Annex A 5.26 does not refer to resuming a “normal security level.”.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

What Are the Benefits of ISMS.online for Incident Management in Information Security?

This Annex A control objective has been made extremely easy by ISMS.online with its integrated policy that addresses 16.1.1 – 16.1.7 throughout the lifecycle and the built-in tools that make demonstrating the work very simple. ISMS.online provides a Security Incident Management Tool that simplifies managing information security incidents into a simple, effortless process. This ensures that compliance with the standard is achieved in a pragmatic yet compliant manner.

Similarly to other parts of ISMS.online, you can quickly adapt it to suit your needs. All your work is kept in one place with its elegant integration with related parts of the ISMS. Providing prebuilt statistics and reporting insights simplifies management reviews, reducing time. Should you consider an incident in relation to an improvement, a risk, an audit, or information assets and policies? That’s easy and avoids duplication. The headline in the Security Incident Track is shown below, which helps surface all the work going on. It is easy to filter them and manage resources, categories and incident types to ensure you focus on the most important ones.

You can use the ISMS.online platform to deploy and manage an ISO 27001 Information Security Management System regardless of your previous experience.

With our system, you will be guided through the steps needed to set up and maintain your ISMS effectively.

Get in touch today to book a demo.