Information technology — Security techniques — Information security incident management — Part 2: Guidelines to plan and prepare for incident response

ISO/IEC 27035-2:2016 provides the guidelines to plan and prepare for incident response. The guidelines are based on the "Plan and Prepare" phase and the "Lessons Learned" phase of the "Information security incident management phases" model presented in ISO/IEC 27035-1. The major points within the "Plan and Prepare" phase include the following:
— information security incident management policy and commitment of top management;
— information security policies, including those relating to risk management, updated at both corporate level and system, service and network levels;
— information security incident management plan;
— incident response team (IRT) establishment;
— establish relationships and connections with internal and external organizations;
— technical and other support (including organizational and operational support);
— information security incident management awareness briefings and training;
— information security incident management plan testing.
The principles given in this part of ISO/IEC 27035 are generic and intended to be applicable to all organizations, regardless of type, size or nature. Organizations can adjust the guidance given in this part of ISO/IEC 27035 according to their type, size and nature of business in relation to the information security risk situation. This part of ISO/IEC 27035 is also applicable to external organizations providing information security incident management services.


General Information

Status: Withdrawn
Publication Date: 27-Oct-2016
Standard: ISO/IEC 27035-2:2016 — Information technology — Security techniques — Information security incident management (English language, 57 pages)

Standards Content (Sample)

INTERNATIONAL STANDARD ISO/IEC 27035-2
First edition 2016-11-01
Information technology — Security techniques — Information security incident management — Part 2: Guidelines to plan and prepare for incident response
Reference number: ISO/IEC 27035-2:2016(E)
© ISO/IEC 2016

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2016, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO/IEC 2016 – All rights reserved

Contents
Foreword .......... v
Introduction .......... vi
1 Scope .......... 1
2 Normative references .......... 1
3 Terms, definitions and abbreviated terms .......... 2
3.1 Terms and definitions .......... 2
3.2 Abbreviated terms .......... 2
4 Information security incident management policy .......... 3
4.1 General .......... 3
4.2 Involved parties .......... 3
4.3 Information security incident management policy content .......... 4
5 Updating of information security policies .......... 6
5.1 General .......... 6
5.2 Linking of policy documents .......... 6
6 Creating information security incident management plan .......... 6
6.1 General .......... 6
6.2 Information security incident management plan built on consensus .......... 7
6.3 Involved parties .......... 8
6.4 Information security incident management plan content .......... 8
6.5 Incident classification scale .......... 12
6.6 Incident forms .......... 12
6.7 Processes and procedures .......... 12
6.8 Trust and confidence .......... 13
6.9 Handling confidential or sensitive information .......... 14
7 Establishing an incident response team (IRT) .......... 14
7.1 General .......... 14
7.2 IRT types and roles .......... 14
7.3 IRT staff .......... 16
8 Establishing relationships with other organizations .......... 19
8.1 General .......... 19
8.2 Relationship with other parts of the organization .......... 19
8.3 Relationship with external interested parties .......... 20
9 Defining technical and other support .......... 20
9.1 General .......... 20
9.2 Examples of technical support .......... 22
9.3 Examples of other support .......... 22
10 Creating information security incident awareness and training .......... 22
11 Testing the information security incident management plan .......... 24
11.1 General .......... 24
11.2 Exercise .......... 24
11.2.1 Defining the goal of the exercise .......... 24
11.2.2 Defining the scope of an exercise .......... 25
11.2.3 Conducting an exercise .......... 25
11.3 Incident response capability monitoring .......... 26
11.3.1 Implementing an incident response capability monitoring program .......... 26
11.3.2 Metrics and governance of incident response capability monitoring .......... 26
12 Lessons learned .......... 27
12.1 General .......... 27
12.2 Identifying the lessons learned .......... 27
12.3 Identifying and making improvements to information security control implementation .......... 28
12.4 Identifying and making improvements to information security risk assessment and management review results .......... 28
12.5 Identifying and making improvements to the information security incident management plan .......... 28
12.6 IRT evaluation .......... 29
12.7 Other improvements .......... 30
Annex A (informative) Legal and regulatory aspects .......... 31
Annex B (informative) Example information security event, incident and vulnerability reports and forms .......... 34
Annex C (informative) Example approaches to the categorization and classification of information security events and incidents .......... 46
Bibliography .......... 57
Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO’s adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html.

The committee responsible for this document is ISO/IEC JTC 1, Information technology, SC 27, IT Security techniques.

This first edition of ISO/IEC 27035-2, together with ISO/IEC 27035-1, cancels and replaces ISO/IEC 27035:2011, which has been technically revised.

ISO/IEC 27035 consists of the following parts, under the general title Information technology — Security techniques — Information security incident management:
— Part 1: Principles of incident management
— Part 2: Guidelines to plan and prepare for incident response
Further parts may follow.
Introduction

ISO/IEC 27035 is an extension of the ISO/IEC 27000 series of standards and focuses on information security incident management, which ISO/IEC 27000 identifies as one of the critical success factors for an information security management system.

There can be a large gap between an organization’s plan for an incident and an organization knowing it is prepared for an incident. Therefore, this part of ISO/IEC 27035 addresses the development of guidelines to increase the confidence of an organization’s actual readiness to respond to an information security incident. This is achieved by addressing the policies and plans associated with incident management, as well as how to establish the incident response team and improve its performance over time by adopting lessons learned and by evaluation.
INTERNATIONAL STANDARD ISO/IEC 27035-2:2016(E)
Information technology — Security techniques — Information security incident management — Part 2: Guidelines to plan and prepare for incident response

1 Scope

This part of ISO/IEC 27035 provides the guidelines to plan and prepare for incident response. The guidelines are based on the “Plan and Prepare” phase and the “Lessons Learned” phase of the “Information security incident management phases” model presented in ISO/IEC 27035-1.

The major points within the “Plan and Prepare” phase include the following:
— information security incident management policy and commitment of top management;
— information security policies, including those relating to risk management, updated at both corporate level and system, service and network levels;
— information security incident management plan;
— incident response team (IRT) establishment;
— establish relationships and connections with internal and external organizations;
— technical and other support (including organizational and operational support);
— information security incident management awareness briefings and training;
— information security incident management plan testing.

The principles given in this part of ISO/IEC 27035 are generic and intended to be applicable to all organizations, regardless of type, size or nature. Organizations can adjust the guidance given in this part of ISO/IEC 27035 according to their type, size and nature of business in relation to the information security risk situation. This part of ISO/IEC 27035 is also applicable to external organizations providing information security incident management services.

2 Normative references

The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary

ISO/IEC 27035-1:2016, Information technology — Security techniques — Information security incident management — Part 1: Principles of incident management
3 Terms, definitions and abbreviated terms

3.1 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 27000, ISO/IEC 27035-1 and the following apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at http://www.electropedia.org/
— ISO Online browsing platform: available at http://www.iso.org/obp

3.1.1
users
people or organizations that utilize services provided by the incident response team (IRT)
Note 1 to entry: Users can be internal (within the organization) or external (outside the organization).
3.2 Abbreviated terms
CD compact disk
CERT computer emergency response team, sometimes also referred to as incident response team (IRT) or computer security incident response team (CSIRT)
DNS domain name system
DVD digital versatile disk
ICMP internet control message protocol
IDS intrusion detection system
IPv4 internet protocol v4
IPv6 internet protocol v6
IRT incident response team
ISP internet service provider
PoC point of contact
SMTP simple mail transfer protocol
SSL secure sockets layer protocol
TCP transmission control protocol
TLP traffic light protocol
TLS transport layer security protocol
UDP user datagram protocol
WiFi wireless fidelity
4 Information security incident management policy

4.1 General

NOTE Clause 4, in its entirety, links to ISO/IEC 27035-1:2016, 5.2 a).

An organization’s information security incident management policy should provide the formally documented principles and intentions used to direct decision-making and ensure consistent and appropriate implementation of processes, procedures, etc. with regard to this policy.

Any information security incident management policy should be part of the information security strategy for an organization. It should also support the existing mission of its parent organization and be in line with already existing policies and procedures.

An organization should implement an information security incident management policy that outlines the processes, responsible persons, authority and reporting lines (specifically the primary point of contact for reporting suspected incidents) when an information security incident occurs. The policy should be reviewed regularly to ensure it reflects the latest organizational structure, processes, and technology that can affect incident response. The policy should also outline any awareness and training initiatives within the organization that are related to incident response (see Clause 10).

An organization should document its policy for managing information security events, incidents and vulnerabilities as a free-standing document, as part of its overall information security management system policy (see ISO/IEC 27001:2013, 5.2), or as part of its Information Security Policies (see ISO/IEC 27002:2013, 5.1.1). The size, structure and business nature of an organization and the extent of its information security incident management program are deciding factors in determining which of these options to adopt. An organization should direct its information security incident management policy at every person having legitimate access to its information systems and related locations.

Before the information security incident management policy is formulated, the organization should identify the following regarding its information security incident management:
a) objectives;
b) interested parties internally and externally;
c) specific incident types and vulnerabilities that need to be highlighted;
d) any specific roles that need to be highlighted;
e) benefits to the whole organization and to its departments.

4.2 Involved parties

A successful information security incident management policy should be created and implemented as an enterprise-wide process. To that end, all stakeholders or their representatives should be involved in the development of the policy from the initial planning stages through the implementation of any process or response team. This may include legal advisors, public relations and marketing staff, departmental managers, security staff, system and network administrators, ICT staff, helpdesk staff, upper-level management, and, in some cases, even facilities staff.

An organization should ensure that its information security incident management policy is approved by a member of top management, with commitment from all of top management.

Ensuring continued management commitment is vital for the acceptance of a structured approach to information security incident management. Personnel need to recognize an incident, know what to do and understand the benefits of the approach by the organization. Management needs to be supportive of the information security incident policy to ensure that the organization commits to resourcing and maintaining an incident response capability.
The information security incident management policy should be made available to every employee and contractor and should also be addressed in information security awareness briefings and training.

4.3 Information security incident management policy content

The information security incident management policy should be high-level. Detailed information and step-by-step instructions should be included in the series of documents that make up the information security incident management plan, which is outlined in Clause 6.

An organization should ensure that its information security incident management policy content addresses, but is not limited to, the following topics.
a) The purpose, objectives and the scope (to whom it applies and under what circumstances) of the policy.
b) Policy owner and review cycle.
c) The importance of information security incident management to the organization and top management’s commitment to it and the related plan documentation.
d) A definition of what a security incident is.
e) A description of the type of security incidents or categories (or a reference to another document which describes this in more depth).
f) A description of how incidents should be reported, including what to report, the mechanisms used for reporting, where and to whom to report.
g) A high-level overview or visualization of the incident management process flow (showing the basic steps for handling a security incident) from detection, through reporting, information collection, analysis, response, notification, escalation, and resolution.
h) A requirement for post information security incident resolution activities, including learning from and improving the process, following the resolution of information security incidents.
i) If appropriate, also a summary of vulnerability reporting and handling (although this could be a separate policy document).
j) Defined set of roles, responsibilities, and decision-making authority for each phase of the information security incident management process and related activities (including vulnerability reporting and handling if appropriate).
k) A reference to the document describing the event and incident classification, severity ratings (if used) and related terms. The overview should either contain a description of what constitutes an incident or a reference to the document where that is described.
l) An overview of the IRT, encompassing the IRT organizational structure, key roles, responsibilities, and authority, along with summary of duties including, but not limited to, the following:
1) reporting and notification requirements related to incidents that have been confirmed;
2) briefing top management on incidents;
3) dealing with enquiries, instigating follow up, and resolving incidents;
4) liaising with the external organizations (when necessary);
5) requirement and rationale for ensuring all information security incident management activities performed by the IRT are properly logged for later analysis.
m) A requirement that components across the organization work in collaboration to detect, analyse, and respond to information security incidents.
n) A description of any oversight or governance structure and its authority and duties, if applicable.
o) Links to organizations providing specific external support such as forensics teams, legal counsel, other IT operations, etc.
p) A summary of the legal and regulatory compliance requirements or mandates associated with information security incident management activities (for more details, see Annex A).
q) A list and reference to other policies, procedures, and documents that support the information security incident management process and related activities. Many of the items listed in the policy may have their own more detailed procedures or guidance documents.

There are other related policies or procedures that will support the information security incident management policy and could also be established as part of the preparation phase, if they don’t already exist and if they are appropriate for the organization. These include, but are not limited to, the following.
— An information security incident management plan, described in Clause 6.
— A continuous monitoring policy stating that such activity is conducted by the organization and describing the basic monitoring tasks. Continuous monitoring ensures preservation of electronic evidence in case it is required for legal prosecution or internal disciplinary action.
— Authority granting the IRT access to the outputs of this monitoring or the ability to request logs as needed from other parts of the operation (this could also be put in the information security incident management policy).
— Information sharing, disclosure and communication policies which outline how and when information related to incident management activities can be shared and with whom. Information should be kept confidential and only disclosed according to the relevant legislation. In many instances, legislation requires affected parties to be notified should any personally identifiable information be compromised. Apart from the legal requirements, information should also follow any organizational requirements for disclosure. Information may need to be shared in the course of incident handling when a third party needs to be involved or notified. The scope, circumstances and purpose of this information sharing need to be described, or referenced, in the appropriate policies and procedures. An example of information disclosure guidance and markings is the use of Traffic Light Protocol (TLP). An example of TLP guidance can be seen at https://www.us-cert.gov/tlp.
— Information storage and handling policies which require records, data, and other information related to investigations to be stored securely and handled in a manner commensurate with their sensitivity. If the organization has a document labelling or classification schema, this policy will also be important to information security incident management activities and personnel.
— An IRT charter that specifies in more detail what the IRT is to do and the authority under which it operates. At a minimum, the charter should include a mission state
...
