ISO/IEC 27035-1:2023 — Incident Management — Principles

Foundational guidelines for establishing an information security incident management capability

Information security incidents are inevitable in modern organizations.
The sophistication of cyber threats, the expansion of attack surfaces, and
the increasing reliance on digital infrastructure demand a structured,
principle-based approach to incident management. ISO/IEC 27035-1:2023
establishes the foundational principles for information security incident
management, providing organizations with a framework to detect, report,
assess, respond to, and learn from security incidents.

This standard was updated in 2023 to reflect the evolving threat landscape,
including ransomware, supply chain attacks, and cloud-based incidents.
Organizations adopting these principles gain a strategic advantage in
resilience and regulatory compliance.

Core Principles of Incident Management

The standard defines several fundamental principles that underpin an
effective incident management capability. First, senior management commitment
is essential — incident management cannot succeed without
visible leadership support, adequate resource allocation, and clear
assignment of responsibility. Second, the standard emphasizes a
risk-based approach: not all incidents warrant the same
level of response, and organizations must prioritize based on business
impact, legal obligations, and stakeholder expectations.

Third, ISO/IEC 27035-1 stresses the importance of continuous improvement.
Every incident, regardless of severity, offers
learning opportunities. Post-incident reviews, trend analysis, and
feedback loops into the information security management system (ISMS)
are critical components. Fourth, the standard advocates for
integration with broader management processes, including
business continuity management, risk management, and IT service management.
Incident management should not operate in a silo.

Principle              | Description                                   | Implementation Example
-----------------------|-----------------------------------------------|-------------------------------------------------------
Management Commitment  | Leadership sponsorship and resource provision | Executive steering committee for incident governance
Risk-Based Approach    | Prioritize incidents by business impact       | Triage matrix mapping incident types to response tiers
Continuous Improvement | Learn from incidents to prevent recurrence    | Quarterly incident trend reports and process updates
Management Integration | Align with ISMS, BCMS, and ITSM processes     | Shared incident taxonomy across security and IT teams

Organizations that embed these principles into day-to-day operations commonly
report a shorter mean time to respond (MTTR) and lower incident-related costs.
The percentage improvements quoted in vendor benchmarks vary widely and depend
heavily on how MTTR is defined and measured, so they are best treated as
indicative rather than as a target.

The Incident Management Lifecycle

ISO/IEC 27035-1 introduces a five-phase incident management lifecycle:
Plan and Prepare, Detect and Report, Assess and Decide, Respond, and
Learn Lessons (usually shortened to “Learn”). This lifecycle is iterative, with the “Learn” phase feeding
back into “Plan and Prepare” to drive continuous improvement. The standard
stresses that preparation is the most critical phase — organizations that
invest in planning, training, and tools before an incident occurs are far
more likely to contain damage effectively.

The detection and reporting phase includes establishing clear channels
for users, automated security tools, and external threat intelligence feeds
to report suspicious activity. Assessment and decision-making require
structured triage processes that evaluate technical impact, business
criticality, and legal or regulatory implications. The response phase
covers containment, eradication, and recovery actions, while the learning
phase ensures that knowledge gained from incidents is captured, analyzed,
and applied to improve future readiness.

A common pitfall is treating the lifecycle as a linear sequence. In reality,
incident management is highly dynamic — containment may begin before full
assessment is complete, and lessons learned may trigger immediate plan
updates while the incident is still ongoing.

Integrating Incident Management into Organizational Governance

The 2023 edition places stronger emphasis on governance integration
than its predecessor, ISO/IEC 27035-1:2016. Incident management must align with organizational
strategy, legal and regulatory obligations, and stakeholder expectations.
The standard recommends establishing an Incident Management Policy
that defines the scope, objectives, and responsibilities for the entire
program. This policy should be approved by top management and communicated
across the organization.

Furthermore, the standard introduces guidance on metrics and performance
measurement. Key performance indicators such as mean
time to detect (MTTD), mean time to respond (MTTR), and incident closure
rates provide visibility into the effectiveness of the incident management
program. Regular reporting to management and stakeholders ensures continued
support and resource allocation. The integration of incident management
metrics into broader security governance dashboards is strongly recommended
for organizations seeking to demonstrate due diligence and regulatory
compliance.
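The KPIs named above only mean something if the timestamps behind them are defined consistently and the awkward cases (incidents still awaiting a response, forensic timelines that put detection before the estimated start) are decided up front rather than left to whoever builds the dashboard. The following Python is an added example of computing MTTD, MTTR, a period closure rate and per-tier response-target breaches from an incident register; it is not code from the page or from the standard. The Incident record layout, the three severity tiers and their response targets, and the sample register are assumptions constructed for illustration.

```python
"""Incident-management KPIs (MTTD, MTTR, closure rate, response-target breaches)
computed from an incident register.

Added example, not code from the page or from ISO/IEC 27035-1. The Incident
record layout, the severity targets and the sample incidents are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class Incident:
    id: str
    severity: str                          # "high" | "medium" | "low" (assumed scheme)
    occurred: datetime                     # best estimate of when the event began
    detected: datetime                     # when the organization became aware of it
    responded: Optional[datetime] = None   # first containment/response action
    closed: Optional[datetime] = None      # formally closed after the Learn phase


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600.0


def mean_time_to_detect(incidents: List[Incident]) -> Optional[float]:
    """MTTD in hours: occurred -> detected.

    A detection timestamp earlier than the occurrence timestamp is a data error
    (forensic timelines get revised); such records are skipped rather than
    allowed to pull the mean down.
    """
    gaps = [_hours(i.detected - i.occurred) for i in incidents if i.detected >= i.occurred]
    return mean(gaps) if gaps else None


def mean_time_to_respond(incidents: List[Incident]) -> Optional[float]:
    """MTTR in hours: detected -> first response.

    Incidents with no response yet are excluded, not counted as zero; counting
    them as zero would flatter the figure exactly when the backlog is worst.
    """
    gaps = [_hours(i.responded - i.detected) for i in incidents if i.responded is not None]
    return mean(gaps) if gaps else None


def closure_rate(incidents: List[Incident], period_start: datetime, period_end: datetime) -> Optional[float]:
    """Share of incidents detected in [period_start, period_end) that were closed by period_end."""
    opened = [i for i in incidents if period_start <= i.detected < period_end]
    if not opened:
        return None
    closed = [i for i in opened if i.closed is not None and i.closed <= period_end]
    return len(closed) / len(opened)


def metrics_by_severity(incidents: List[Incident]) -> Dict[str, Dict[str, Optional[float]]]:
    """Per-tier MTTD/MTTR; an overall mean hides whether the high tier meets its targets."""
    out: Dict[str, Dict[str, Optional[float]]] = {}
    for sev in sorted({i.severity for i in incidents}):
        subset = [i for i in incidents if i.severity == sev]
        out[sev] = {"mttd_h": mean_time_to_detect(subset), "mttr_h": mean_time_to_respond(subset)}
    return out


def response_target_breaches(incidents: List[Incident], targets_hours: Dict[str, float], as_of: datetime) -> List[str]:
    """IDs of incidents whose detected -> response time exceeds the target for their tier.

    An incident still awaiting a response is measured against as_of, so a
    neglected open incident shows up as a breach instead of disappearing.
    """
    breaches = []
    for i in incidents:
        end = i.responded if i.responded is not None else as_of
        if _hours(end - i.detected) > targets_hours[i.severity]:
            breaches.append(i.id)
    return breaches


def _t(day: int, hour: int) -> datetime:
    """Timestamp helper for the constructed sample: March 2024, UTC."""
    return datetime(2024, 3, day, hour, tzinfo=timezone.utc)


# Constructed sample register (not real incidents).
SAMPLE_INCIDENTS = [
    Incident("INC-001", "high",   _t(1, 8),  _t(1, 10), _t(1, 10) + timedelta(minutes=30), _t(3, 12)),
    Incident("INC-002", "medium", _t(2, 9),  _t(2, 21), _t(3, 9),  _t(10, 9)),
    Incident("INC-003", "high",   _t(5, 0),  _t(5, 6),  _t(5, 7),  None),       # responded, still open
    Incident("INC-004", "low",    _t(7, 12), _t(7, 12), None,      None),       # detected, nobody has acted
    Incident("INC-005", "medium", _t(9, 15), _t(9, 14), _t(9, 16), _t(9, 20)),  # detected "before" it occurred: bad data
]

RESPONSE_TARGETS_HOURS = {"high": 1, "medium": 8, "low": 24}   # assumed per-tier targets


if __name__ == "__main__":
    print("MTTD (h):", mean_time_to_detect(SAMPLE_INCIDENTS))
    print("MTTR (h):", mean_time_to_respond(SAMPLE_INCIDENTS))
    print("closure rate 1-8 Mar:", closure_rate(SAMPLE_INCIDENTS, _t(1, 0), _t(8, 0)))
    print("by severity:", metrics_by_severity(SAMPLE_INCIDENTS))
    print("target breaches:", response_target_breaches(SAMPLE_INCIDENTS, RESPONSE_TARGETS_HOURS, _t(12, 0)))
```

Two design choices are worth stating on the dashboard itself: the MTTR figure excludes incidents nobody has responded to yet, so it must always be shown next to the breach list, which is where those incidents appear; and records with detection earlier than the estimated occurrence are dropped from MTTD rather than clamped to zero, so the register should flag them for correction.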

Frequently Asked Questions

Q: How does ISO/IEC 27035-1 relate to ISO/IEC 27001?
A: ISO/IEC 27035-1 provides incident management guidance that supports the
incident management controls in ISO/IEC 27001 Annex A: control objective A.16
(controls A.16.1.1 to A.16.1.7) in the 2013 edition, and controls A.5.24 to
A.5.28 plus A.6.8 (information security event reporting) in the 2022 edition.
Organizations certified to ISO/IEC 27001 can use 27035-1 as a best-practice
implementation framework for those controls.
Q: What size of organization is this standard suitable for?
A: The principles in ISO/IEC 27035-1 are scalable. Small and medium-sized
organizations can adopt a simplified version of the lifecycle, while large
enterprises can build comprehensive programs with dedicated CSIRTs,
sophisticated tooling, and multi-tier response structures.
Q: Is ISO/IEC 27035-1 certification possible?
A: Currently, ISO/IEC 27035-1 is a guideline standard, not a certifiable
specification. Organizations may, however, use it as a benchmark for
internal audits or to demonstrate alignment with recognized best practices
during customer or regulatory assessments.
Q: What are the key changes in the 2023 edition?
A: The 2023 edition includes expanded guidance on supply chain incident
coordination, cloud and managed service provider incidents, ransomware
response principles, and stronger emphasis on governance integration and
performance measurement compared to the earlier versions.
