Incident Management (ISO 27001)

Incident management is the structured process that ensures information security incidents are detected, reported and handled effectively and consistently. ISO 27001 requires a formally described and implemented incident management process.

    What is an information security incident?

    An information security incident is an unwanted or unexpected event that threatens the confidentiality, integrity or availability of information. It can be anything from a malware attack and a data breach to the unintentional sharing of a confidential file or the loss of a laptop.

    ISO 27001 distinguishes between an information security event and an information security incident. An event is any occurrence that indicates a possible breach of security or a failure of a control (an unusual login, an alert from a scanner), whilst an incident is one or more related events that, after assessment, are judged likely to compromise operations or harm the organisation's assets. Not every event becomes an incident; the assessment step in A.5.25 is where that decision is made and recorded.

    ISO 27001 requirements

    ISO 27001:2022 Annex A controls 5.24–5.28 cover incident management:

    • A.5.24: Planning and preparation for information security incident management.
    • A.5.25: Assessment and decision on information security events.
    • A.5.26: Response to information security incidents.
    • A.5.27: Learning from information security incidents.
    • A.5.28: Collection of evidence.
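    The control list names collection of evidence (A.5.28) but does not show what preservation looks like in practice. The following is an added example written for this page, not code from the page or from any ISO publication: a minimal chain-of-custody log in Python in which each collected artefact is hashed at acquisition and every custody action is appended as a record carrying the hash of the previous record, so that a later edit or deletion inside the log is detectable. The class and function names (CustodyLog, verify_chain, verify_artefact) and the sample evidence bytes are illustrative assumptions.

```python
"""Chain-of-custody log for incident evidence (illustrative example, not from ISO 27001)."""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS_HASH = "0" * 64  # previous-record hash used by the very first record


@dataclass
class CustodyEntry:
    """One custody record. Names are illustrative, not from any standard."""
    seq: int
    timestamp: str
    handler: str            # who performed the action
    action: str             # "acquired", "transferred", "analysed", ...
    artefact: str           # logical name of the evidence item
    artefact_sha256: str    # SHA-256 of the artefact bytes at this point
    prev_entry_sha256: str  # hash of the previous record (the chain link)
    entry_sha256: str = ""  # hash of this record, filled in on append

    def canonical(self) -> bytes:
        # Deterministic serialisation of every field except this record's own hash.
        body = {k: v for k, v in self.__dict__.items() if k != "entry_sha256"}
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class CustodyLog:
    def __init__(self) -> None:
        self.entries: List[CustodyEntry] = []

    def record(self, handler: str, action: str, artefact: str,
               artefact_bytes: bytes) -> CustodyEntry:
        """Append one custody action, hashing the artefact and linking to the previous record."""
        prev = self.entries[-1].entry_sha256 if self.entries else GENESIS_HASH
        entry = CustodyEntry(
            seq=len(self.entries),
            timestamp=datetime.now(timezone.utc).isoformat(),
            handler=handler,
            action=action,
            artefact=artefact,
            artefact_sha256=hashlib.sha256(artefact_bytes).hexdigest(),
            prev_entry_sha256=prev,
        )
        entry.entry_sha256 = hashlib.sha256(entry.canonical()).hexdigest()
        self.entries.append(entry)
        return entry


def verify_chain(log: CustodyLog) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if every record is intact and correctly linked,
    otherwise (False, seq) for the first record that fails."""
    prev = GENESIS_HASH
    for e in log.entries:
        if e.prev_entry_sha256 != prev:
            return False, e.seq  # link to the previous record is broken
        if hashlib.sha256(e.canonical()).hexdigest() != e.entry_sha256:
            return False, e.seq  # the record's own content was altered
        prev = e.entry_sha256
    return True, None


def verify_artefact(log: CustodyLog, artefact: str, artefact_bytes: bytes) -> bool:
    """True if the bytes still hash to the value recorded when the artefact was acquired."""
    digest = hashlib.sha256(artefact_bytes).hexdigest()
    return any(e.artefact == artefact and e.action == "acquired"
               and e.artefact_sha256 == digest for e in log.entries)


def demo() -> dict:
    # Constructed sample evidence: a fabricated auth log line and a stub disk image.
    auth_log = b"Mar 03 14:02:11 host sshd[311]: Failed password for root from 203.0.113.7\n"
    disk_img = b"\x00" * 512
    log = CustodyLog()
    log.record("j.doe", "acquired", "auth.log", auth_log)
    log.record("j.doe", "acquired", "sda.img", disk_img)
    log.record("a.smith", "transferred", "sda.img", disk_img)
    intact = verify_chain(log)
    # Someone later "corrects" who acquired the disk image: the record's hash no longer matches.
    log.entries[1].handler = "m.jones"
    tampered = verify_chain(log)
    return {
        "intact": intact,                                                  # (True, None)
        "tampered": tampered,                                              # (False, 1)
        "artefact_ok": verify_artefact(log, "auth.log", auth_log),         # True
        "artefact_modified": verify_artefact(log, "auth.log", auth_log + b"x"),  # False
    }


if __name__ == "__main__":
    print(demo())
```

    The hash chain detects modification or deletion of any record inside the log, but not removal of the most recent records (truncation), so the latest entry hash should also be stored out of band, for instance in the incident ticket or with a trusted timestamp. Hash original media before imaging and work on copies; the log then ties every analysis step back to an unchanged acquisition hash.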

    The incident management process

    An effective incident management process typically contains these phases:

    • Detection and reporting: Employees and systems detect and report potential incidents through established channels.
    • Assessment and classification: The reported event is assessed to decide whether it is an incident and, if so, classified by severity and impact, which determines the response level, who is involved and whether external reporting deadlines start running.
    • Containment: Limit the scope of the damage and prevent further spread of the incident.
    • Eradication: Remove the root cause of the incident from affected systems.
    • Recovery: Restore normal operations and verify that systems are functioning correctly.
    • Post-incident analysis: Analyse the incident and implement preventive measures to avoid recurrence.

    Reporting to authorities

    Certain incidents require external reporting, and the clock usually starts when the organisation becomes aware of the incident, not when the investigation is complete. A personal data breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours (GDPR Article 33); affected individuals must be informed where the breach is likely to result in a high risk to them (Article 34). NIS2 (Article 23) requires an early warning within 24 hours of becoming aware of a significant incident, a fuller notification within 72 hours and a final report within one month. The incident classification step should therefore flag whether an incident falls under any of these regimes as soon as it is assessed.

    Learning and prevention

    A critical, yet often neglected, part of incident management is systematic learning. The post-incident analysis should result in concrete measures that prevent recurrence. These lessons should feed into management reviews and updates to the risk assessment.

    ISO 27001 control A.5.27 specifically requires that knowledge gained from information security incidents is used to strengthen the overall security posture. This creates a continuous improvement cycle that is fundamental to an effective ISMS.

    Frequently Asked Questions about Incident Management (ISO 27001)

    What is incident management in ISO 27001?

    Incident management in ISO 27001 is the structured process for detecting, reporting, assessing and handling information security incidents to minimise damage and prevent recurrence. It is covered by Annex A controls 5.24 to 5.28.

    What is the difference between a security event and a security incident?

    A security event is any potentially security-relevant occurrence, such as an unusual login attempt. A security incident is a confirmed event that has a negative consequence for the confidentiality, integrity or availability of information.

    What are the phases of incident management?

    The typical phases are: detection and reporting, assessment and classification, containment, eradication, recovery and post-incident analysis. Each phase has specific objectives and activities.

    Does ISO 27001 require reporting incidents to authorities?

    ISO 27001 itself does not mandate reporting to authorities, but it requires that the organisation identify and comply with applicable legal, regulatory and contractual requirements. GDPR requires notifying the supervisory authority of a personal data breach within 72 hours where feasible, and NIS2 requires an early warning within 24 hours, a notification within 72 hours and a final report within one month for significant incidents.

    How does incident management relate to business continuity?

    Incident management and business continuity are closely linked. Incident management addresses the immediate response to security events, whilst business continuity planning ensures that critical operations can continue during and after a major disruption.
