ISO/IEC 27035-2:2023
Information technology — Information security incident management — Part 2: Guidelines to plan and prepare for incident response
This document provides guidelines to plan and prepare for incident response and to learn lessons from incident response. The guidelines are based on the “plan and prepare” and “learn lessons” phases of the information security incident management phases model presented in ISO/IEC 27035-1:2023, 5.2 and 5.6.

The major points within the “plan and prepare” phase include:
— information security incident management policy and commitment of top management;
— information security policies, including those relating to risk management, updated at both organizational level and system, service and network levels;
— information security incident management plan;
— Incident Management Team (IMT) establishment;
— establishing relationships and connections with internal and external organizations;
— technical and other support (including organizational and operational support);
— information security incident management awareness briefings and training.

The “learn lessons” phase includes:
— identifying areas for improvement;
— identifying and making necessary improvements;
— Incident Response Team (IRT) evaluation.

The guidance given in this document is generic and intended to be applicable to all organizations, regardless of type, size or nature. Organizations can adjust the guidance given in this document according to their type, size and nature of business in relation to the information security risk situation. This document is also applicable to external organizations providing information security incident management services.
Technologies de l'information — Gestion des incidents de sécurité de l'information — Partie 2: Lignes directrices pour planifier et préparer une réponse aux incidents
Standards Content (Sample)
INTERNATIONAL STANDARD ISO/IEC 27035-2
Second edition
2023-02
Information technology — Information security incident management — Part 2: Guidelines to plan and prepare for incident response
Technologies de l'information — Gestion des incidents de sécurité de l'information — Partie 2: Lignes directrices pour planifier et préparer une réponse aux incidents
© ISO/IEC 2023
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword ..... v
Introduction ..... vi
1 Scope ..... 1
2 Normative references ..... 1
3 Terms, definitions and abbreviated terms ..... 2
3.1 Terms and definitions ..... 2
3.2 Abbreviated terms ..... 2
4 Information security incident management policy ..... 2
4.1 General ..... 2
4.2 Interested parties ..... 3
4.3 Information security incident management policy content ..... 3
5 Updating of information security policies ..... 5
5.1 General ..... 5
5.2 Linking of policy documents ..... 6
6 Creating information security incident management plan ..... 6
6.1 General ..... 6
6.2 Information security incident management plan built on consensus ..... 7
6.3 Interested parties ..... 7
6.4 Information security incident management plan content ..... 8
6.5 Incident classification scale ..... 11
6.6 Incident forms ..... 11
6.7 Documented processes and procedures ..... 12
6.8 Trust and confidence ..... 13
6.9 Handling confidential or sensitive information ..... 14
7 Establishing an incident management capability ..... 14
7.1 General ..... 14
7.2 Incident management team establishment ..... 14
7.2.1 IMT structure ..... 14
7.2.2 IMT roles and responsibilities ..... 16
7.3 Incident response team establishment ..... 17
7.3.1 IRT structure ..... 17
7.3.2 IRT types and roles ..... 18
7.3.3 IRT staff competencies ..... 19
8 Establishing internal and external relationships ..... 20
8.1 General ..... 20
8.2 Relationship with other parts of the organization ..... 20
8.3 Relationship with external interested parties ..... 21
9 Defining technical and other support ..... 22
9.1 General ..... 22
9.2 Technical support ..... 24
9.3 Other support ..... 24
10 Creating information security incident awareness and training ..... 24
11 Testing the information security incident management plan ..... 25
11.1 General ..... 25
11.2 Exercise ..... 26
11.2.1 Defining the goal of the exercise ..... 26
11.2.2 Defining the scope of an exercise ..... 27
11.2.3 Conducting an exercise ..... 27
11.3 Incident response capability monitoring ..... 27
11.3.1 Implementing an incident response capability monitoring programme ..... 27
11.3.2 Metrics and governance of incident response capability monitoring ..... 28
12 Learn lessons ..... 28
12.1 General ..... 28
12.2 Identifying areas for improvement ..... 29
12.3 Identifying and making improvements to the information security incident management plan ..... 29
12.4 IMT evaluation ..... 30
12.5 Identifying and making improvements to information security control implementation ..... 30
12.6 Identifying and making improvements to information security risk assessment and management review results ..... 31
12.7 Other improvements ..... 31
Annex A (informative) Considerations related to legal or regulatory requirements ..... 32
Annex B (informative) Example forms for information security events, incidents and vulnerability reports ..... 35
Annex C (informative) Example approaches to the categorization, evaluation and prioritization of information security events and incidents ..... 47
Bibliography ..... 52
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work.
The procedures used to develop this document and those intended for its further maintenance
are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria
needed for the different types of document should be noted. This document was drafted in
accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or
www.iec.ch/members_experts/refdocs).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC
list of patent declarations received (see https://patents.iec.ch).
Any trade name used in this document is information given for the convenience of u
...
FINAL DRAFT INTERNATIONAL STANDARD ISO/IEC FDIS 27035-2
ISO/IEC JTC 1/SC 27
Secretariat: DIN
Voting begins on: 2022-10-25
Voting terminates on: 2022-12-20
Information technology — Information security incident management — Part 2: Guidelines to plan and prepare for incident response
Reference number: ISO/IEC FDIS 27035-2:2022(E)
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
© ISO/IEC 2022
ISO/IEC JTC 1/SC 27/WG 4 N
Date: 2022-09-22 (revised from 2022-06-11)
ISO/IEC FDIS 27035-2:2022(E)
ISO/IEC JTC 1/SC 27/WG 4
Secretariat: ILNAS
Information technology — Information security incident management — Part 2: Guidelines to plan and prepare for incident response
Contents
Foreword ..... 5
Introduction ..... 6
1 Scope ..... 1
2 Normative references ..... 1
3 Terms, definitions and abbreviated terms ..... 2
3.1 Terms and definitions ..... 2
3.2 Abbreviated terms ..... 2
4 Information security incident management policy ..... 2
4.1 General ..... 2
4.2 Interested parties ..... 3
4.3 Information security incident management policy content ..... 3
5 Updating of information security policies ..... 6
5.1 General ..... 6
5.2 Linking of policy documents ..... 6
6 Creating information security incident management plan ..... 6
6.1 General ..... 6
6.2 Information security incident management plan built on consensus ..... 7
6.3 Interested parties ..... 8
6.4 Information security incident management plan content ..... 8
6.5 Incident classification scale ..... 12
6.6 Incident forms ..... 12
6.7 Documented processes and procedures ..... 13
6.8 Trust and confidence ..... 14
6.9 Handling confidential or sensitive information ..... 15
7 Establishing an incident management capability ..... 15
7.1 General ..... 15
7.2 Incident management team (IMT) establishment ..... 16
7.2.1 IMT structure ..... 16
7.2.2 IMT roles and responsibilities ..... 16
7.3 Incident response team (IRT) establishment ..... 18
7.3.1 IRT structure ..... 18
7.3.2 IRT types and roles ..... 19
7.3.3 IRT staff competencies ..... 20
8 Establishing internal and external relationships ..... 21
8.1 General ..... 21
8.2 Relationship with other parts of the organization ..... 21
8.3 Relationship with external interested parties ..... 22
9 Defining technical and other support ..... 23
9.1 General ..... 23
9.2 Technical support ..... 25
9.3 Other support ..... 26
10 Creating information security incident awareness and training ..... 26
11 Testing the information security incident management plan ..... 27
11.1 General ..... 27
11.2 Exercise ..... 28
11.2.1 Defining the goal of the exercise ..... 28
11.2.2 Defining the scope of an exercise ..... 28
11.2.3 Conducting an exercise ..... 29
11.3 Incident response capability monitoring ..... 29
11.3.1 Implementing an incident response capability monitoring programme ..... 29
11.3.2 Metrics and governance of incident response capability monitoring ..... 30
12 Lessons learned ..... 30
12.1 General ..... 30
12.2 Identifying areas for improvement ..... 31
12.3 Identifying and making improvements to the information security incident management plan ..... 31
12.4 IRT Evaluation ..... 32
12.5 Identifying and making improvements to information security control implementation ..... 33
12.6 Identifying and making improvements to information security risk assessment and management review results ..... 33
12.7 Other improvements ..... 33
Annex A (informative) Considerations related to legal or regulatory requirements ..... 35
A.1 Introduction ..... 35
A.2 Data protection and privacy of personal information ..... 35
A.3 Record keeping ..... 35
A.4 Controls to ensure fulfilment of commercial contractual obligations ..... 35
A.5 Legal issues related to policies and procedures ..... 36
A.6 Disclaimers are checked for legal validity ..... 36
A.7 Contracts with external support personnel ..... 36
A.8 Non-disclosure agreements ..... 36
A.9 Law enforcement requirements ..... 36
A.10 Liability aspects ..... 36
A.11 Specific regulatory requirements ..... 37
A.12 Prosecutions, or internal disciplinary procedures ..... 37
A.13 Legal aspects ..... 37
A.14 Acceptable use policy ..... 37
Annex B (informative) Example forms for information security events, incidents and vulnerability reports ..... 38
B.1 Introduction ..... 38
B.2 Example items in records
...