ISO/IEC WD 27035-1

INTERNATIONAL ISO/IEC
STANDARD 27035-1
Second edition
2023-02
Information technology —
Information security incident
management —
Part 1:
Principles and process
Technologies de l'information — Gestion des incidents de sécurité de
l'information —
Partie 1: Principes et processus
Reference number
ISO/IEC 27035-1:2023(E)
© ISO/IEC 2023
---------------------- Page: 1 ----------------------
ISO/IEC 27035-1:2023(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2023

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on

the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below

Foreword ........................................................................................................................................................................................................................................iv

Introduction .................................................................................................................................................................................................................................v

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ..................................................................................................................................................................................... 1

3 Terms, definitions and abbreviated terms .............................................................................................................................. 1

3.1 Terms and definitions ...................................................................................................................................................................... 1

3.2 Abbreviated terms .............................................................................................................................................................................. 3

4 Overview ....................................................................................................................................................................................................................... 3

4.1 Basic concepts ......................................................................................................................................................................................... 3

4.2 Objectives of incident management ..................................................................................................................................... 4

4.3 Benefits of a structured approach ........................................................................................................................................ 6

4.4 Adaptability ............................................................................................................................................................................................... 7

4.5 Capability..................................................................................................................................................................................................... 7

4.5.1 General ........................................................................................................................................................................................ 7

4.5.2 Policies, plan and process ........................................................................................................................................... 8

4.5.3 Incident management structure ........................................................................................................................... 8

4.6 Communication ................................................................................................................................................................................... 10

4.7 Documentation .................................................................................................................................................................................... 10

4.7.1 General ..................................................................................................................................................................................... 10

4.7.2 Event report ......................................................................................................................................................................... 10

4.7.3 Incident management log ......................................................................................................................................... 10

4.7.4 Incident report .................................................................................................................................................................. 11

4.7.5 Incident register .............................................................................................................................................................. 11

5 Process ...................................................................... ...................................................................................................................................................11

5.1 Overview ................................................................................................................................................................................................... 11

5.2 Plan and prepare ........................................................................................................................................... .....................................15

5.3 Detect and report .............................................................................................................................................................................. 16

5.4 Assess and decide.............................................................................................................................................................................. 17

5.5 Respond ..................................................................................................................................................................................................... 18

5.6 Learn lessons ........................................................................................................................................................................................ 20

Annex A (informative) Relationship to investigative standards ........................................................................................22

Annex B (informative) Examples of information security incidents and their causes ...............................25

Annex C (informative) Cross-reference table of ISO/IEC 27001 to the ISO/IEC 27035 series ..............29

Annex D (informative) Considerations of situations discovered during the investigation of

an incident ...............................................................................................................................................................................................................31

Bibliography .............................................................................................................................................................................................................................32

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical

Commission) form the specialized system for worldwide standardization. National bodies that are

members of ISO or IEC participate in the development of International Standards through technical

committees established by the respective organization to deal with particular fields of technical

activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international

organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the

The procedures used to develop this document and those intended for its further maintenance

are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria

needed for the different types of document should be noted. This document was drafted in

accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or

Attention is drawn to the possibility that some of the elements of this document may be the subject

of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent

rights. Details of any patent rights identified during the development of the document will be in the

Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC

Any trade name used in this document is information given for the convenience of users and does not

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO's adherence to

the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see

www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.

This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,

This second edition cancels and replaces the first edition (ISO/IEC 27035-1:2016), which has been

— new terms “incident management team” and “incident coordinator” are defined in Clause 3;

A list of all parts in the ISO/IEC 27035 series can be found on the ISO and IEC websites.

Any feedback or questions on this document should be directed to the user’s national standards

body. A complete listing of these bodies can be found at www.iso.org/members.html and

The ISO/IEC 27035 series provides additional guidance to the controls on incident management in

ISO/IEC 27002. These controls should be implemented based upon the information security risks that

Information security policies or controls alone do not guarantee total protection of information,

information systems, services or networks. After controls have been implemented, residual

vulnerabilities are likely to remain that can reduce the effectiveness of information security and

facilitate the occurrence of information security incidents. This can potentially have direct and indirect

adverse consequences on an organization's business operations. Furthermore, it is inevitable that new

instances of previously unidentified threats cause incidents to occur. Insufficient preparation by an

organization to deal with such incidents makes any response less effective, and increases the degree of

potential adverse business consequence. Therefore, it is essential for any organization desiring a strong

— plan and prepare information security incident management, including policy, organization, plan,

— detect, report and assess information security incidents and vulnerabilities involved with the

— respond to information security incidents, including the activation of appropriate controls to

— deal with reported information security vulnerabilities involved with the incident appropriately;

— learn from information security incidents and vulnerabilities involved with the incident, implement

and verify preventive controls, and make improvements to the overall approach to information

The ISO/IEC 27035 series is intended to complement other standards and documents that give

guidance on the investigation of, and preparation to investigate, information security incidents. The

ISO/IEC 27035 series is not a comprehensive guide, but a reference for certain fundamental principles

and a defined process that are intended to ensure that tools, techniques and methods can be selected

While the ISO/IEC 27035 series encompasses the management of information security incidents, it also

covers some aspects of information security vulnerabilities. Guidance on vulnerability disclosure and

vulnerability handling by vendors is also provided in ISO/IEC 29147 and ISO/IEC 30111, respectively.

The ISO/IEC 27035 series also intends to inform decision-makers when determining the reliability of

digital evidence presented to them. It is applicable to organizations needing to protect, analyse and

present potential digital evidence. It is relevant to policy-making bodies that create and evaluate

procedures relating to digital evidence, often as part of a larger body of evidence.

This document is the foundation of the ISO/IEC 27035 series. It presents basic concepts, principles and

process with key activities of information security incident management, which provide a structured

approach to preparing for, detecting, reporting, assessing, and responding to incidents, and applying

The guidance on the information security incident management process and its key activities given in

this document are generic and intended to be applicable to all organizations, regardless of type, size

or nature. Organizations can adjust the guidance according to their type, size and nature of business

in relation to the information security risk situation. This document is also applicable to external

The following documents are referred to in the text in such a way that some or all of their content

constitutes requirements of this document. For dated references, only the edition cited applies. For

undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 27000, Information technology — Security techniques — Information security management

For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following

ISO and IEC maintain terminology databases for use in standardization at the following addresses:

team consisting of appropriately skilled and trusted members of an organization responsible for

leading all information security incident management activities, in coordination with other parties

Note 1 to entry: The head of this team can be called the incident manager who has been appointed by top

team of appropriately skilled and trusted members of an organization that responds to and resolves

Note 2 to entry: Computer Emergency Response Team (CERT ) and Computer Security Incident Response Team

(CSIRT) are specific examples of IRTs in organizations and sectorial, regional, and national entities wanting to

person responsible for leading all incident response (3.1.9) activities and coordinating the incident

Note 1 to entry: An organization can decide to use another term for the incident coordinator.

occurrence indicating a possible breach of information security or failure of controls

related and identified information security event(s) (3.1.4) that can harm an organization's assets or

collaborative activities to handle information security incidents (3.1.5) in a consistent and effective way

application of examinations, analysis and interpretation to aid understanding of an information security

[SOURCE: ISO/IEC 27042:2015, 3.10, modified —“information security” was added to the term and the

phrase “an incident” was replaced by “an information security incident” in the definition.]

actions of detecting, reporting, assessing, responding to, dealing with, and learning from information

actions taken to mitigate or resolve an information security incident (3.1.5), including those taken to

protect and restore the normal operational conditions of an information system and the information

defined organizational function or role serving as the coordinator or focal point of information

Note 1 to entry: The most obvious PoC is the role to whom the information security event is raised.

1) CERT is an example of a suitable product available commercially. This information is given for the convenience

of users of this document and does not constitute an endorsement by ISO or IEC of this product.

— technical/technological, organizational or physical vulnerabilities, partly due to incomplete

implementations of the decided controls, are likely to be exploited, as complete elimination of

— changes in the context (internal and/or external) so that new risks exist or treated risks are no

The occurrence of an information security event does not necessarily mean that an attack has been

successful or that there are any implications on confidentiality, integrity or availability, i.e. not all

Information security incidents can be deliberate (e.g. caused by malware or breach of discipline),

accidental (e.g. caused by inadvertent human error) or environmental (e.g. caused by fire or flood)

and can be caused by technical (e.g. computer viruses) or non-technical (e.g. loss or theft of hardcopy

documents) means. Incidents can include the unauthorized disclosure, modification, destruction, or

unavailability of information, or the damage or theft of organizational assets that contain information.

Annex B provides descriptions of selected examples of information security incidents and their causes

for informative purposes only. It is important to note that these examples are by no means exhaustive.

A threat exploits vulnerabilities (weaknesses) in information systems, services, or networks, causing

the occurrence of information security events and thus potentially causing incidents to information

assets exposed by the vulnerabilities. Figure 1 shows the relationship of objects in an information

NOTE The shaded objects are pre-existing, affected by the unshaded objects that result in an information

Coordination is an important aspect in information security incident management. Many incidents

cross organizational boundaries and cannot be easily resolved by a single organization or, a part of an

organization where the incident has been detected. Organizations should commit to the overall incident

management objectives. Incident management coordination is required across the incident management

process for multiple organizations to work together to handle information security incidents. This is

for example the role of CERTs and CSIRTs. Information sharing is necessary for incident management

coordination, where different organizations share threat, attack, and vulnerability information with

each other so that each organization’s knowledge benefits the other. Organizations should protect

sensitive information during information sharing and communication. See ISO/IEC 27010 for further

It is important to indicate that resolving an information security incident should be done within a

defined time frame to avoid unacceptable damage or a resulting catastrophe. This resolution delay is

As a key part of an organization's overall information security strategy, the organization should

put controls including procedures in place to enable a structured well-planned approach to the

management of information security incidents. From an organization’s perspective, the prime objective

is to avoid or contain the impacts of information security incidents in order to minimize the direct

and indirect damage to its operations caused by the incidents. Since damage to information assets can

have a negative consequence on operations, business and operational perspectives should have a major

influence in determining more specific objectives for information security incident management.

More specific objectives of a structured well-planned approach to incident management should include

a) information security events are detected and efficiently dealt with, in particular deciding whether

b) identified information security incidents are assessed and responded to in the most appropriate

c) the adverse impact(s) of information security incidents on the organization and involved parties

and their operations are minimized by appropriate controls as part of incident response;

d) a link with relevant elements from crisis management and business continuity management

through an escalation process is established. There is a need for a swift transfer of responsibility

and action from incident management to crisis management when the situation requires it, with

this order reversed once the crisis is resolved to allow for a complete resolution of the incident;

e) information security vulnerabilities involved with or discovered during the incident are assessed

and dealt with appropriately to prevent or reduce incidents. This assessment can be done either

by the incident response team (IRT) or other teams within the organization and involved parties,

f) lessons are learnt quickly from information security incidents, related vulnerabilities and their

management. This feedback mechanism is intended to increase the chances of preventing future

information security incidents from occurring, improve the implementation and use of information

security controls, and improve the overall information security incident management plan.

To help achieve these objectives, organizations should ensure that information security incidents

are documented in a consistent manner, using appropriate standards or procedures for incident

categorization, classification, prioritization and sharing, so that metrics can be derived from

aggregated data over a period of time. This provides valuable information to aid the strategic decision

making process when investing in information security controls. The information security incident

management system should be able to share information with relevant internal and external parties.

Another objective associated with this document is to provide guidance to organizations that aim to

meet the information security management system (ISMS) requirements specified in ISO/IEC 27001

which are supported by guidance from ISO/IEC 27002. ISO/IEC 27001 includes requirements related to

information security incident management. Table C.1 provides cross-references on information security

incident management clauses from ISO/IEC 27001 and clauses in this document. ISMS relationships are

also explained in Figure 2. This document can also support the requirements of information security

Figure 2 — Information security incident management in relation to ISMS and applied controls

Using a structured approach to information security incident management can yield significant

To ensure adequate identification of and response to information security events and incidents, it is a

prerequisite that there be a structured process for planning and preparation, detection, reporting and

assessment, and relevant decision-making. This improves overall security by helping to quickly identify

and implement a consistent solution, and thus provides a means of preventing similar information

security incidents in the future. Furthermore, benefits are gained by metrics, sharing and aggregation.

The credibility of the organization can be improved by the demonstration of its implementation of best

A structured approach to information security incident management can assist in reducing the level

of potential adverse business consequences associated with information security incidents. These

consequences can include immediate financial loss and longer-term loss arising from damaged

reputation and credibility. For further guidance on consequence assessment, see ISO/IEC 27005.

For guidance on information and communication technology readiness for business continuity, see

Using a structured approach to information security incident management helps to create a better

focus on incident prevention within an organization, including the development of methods to identify

new threats and vulnerabilities. Analysis of incident-related data enables the identification of patterns

and trends, thereby facilitating a more accurate focus on incident prevention and identification of

A structured approach to information security incident management provides a solid basis for

prioritization when conducting information security incident investigations, including the use of

effective categorization and classification scales. If there are no clear procedures, there is a risk that

investigation activities may be conducted in an overly reactive mode, responding to i