ISO/IEC 27035-2:2023 — Incident Management — Planning and Preparation

Systematic planning and preparation for information security incident response

Preparation is the cornerstone of effective incident management.
ISO/IEC 27035-2:2023 provides comprehensive guidance on planning and
preparing for information security incidents. The standard recognizes
that organizations which invest in thorough preparation — including
policy development, team structuring, tool selection, and training —
significantly reduce the impact and cost of incidents when they occur.

The distinction between planning (strategic) and preparation (tactical)
is crucial: planning defines what will be done, while preparation ensures
that the organization is operationally ready to execute the plan when
an incident strikes.

Establishing an Incident Management Policy

The standard mandates that organizations develop, document, and
communicate an incident management policy that reflects the organization’s
risk appetite, legal obligations, and business objectives. This policy
should define the scope of incident management activities, roles and
responsibilities, escalation criteria, and interfaces with other management
systems. It must be approved by top management and reviewed periodically
to remain current with the evolving threat landscape.

Key elements of the policy include: incident classification schemes
that categorize incidents by severity and impact; service level objectives
for detection, response, and recovery; data retention and chain of custody
requirements for forensic evidence; and communication protocols for internal
and external stakeholders. The standard emphasizes that the policy should
be a living document, subject to revision based on lessons learned from
incidents and changes in the organizational or threat environment.

Policy Element          | Description                                                       | Review Frequency
------------------------|-------------------------------------------------------------------|--------------------------------
Incident Classification | Tiers (e.g., low/medium/high/critical) based on impact            | Annual or after major incidents
Roles & Responsibilities| Incident manager, technical lead, comms lead, legal               | Quarterly or after team changes
Escalation Criteria     | Triggers for involving senior management or external parties      | Semi-annual
Forensic Requirements   | Evidence handling, chain of custody, legal hold                   | Annual or regulatory change
Communication Protocols | Internal notification, customer disclosure, regulatory reporting  | Semi-annual

A policy that is written but not tested is merely a theoretical exercise.
Regular tabletop exercises and simulation drills are essential to validate
that the policy translates into effective action.

Building and Equipping the Incident Response Team

ISO/IEC 27035-2 provides detailed guidance on establishing an incident
response team, whether as a dedicated Computer Security Incident Response
Team (CSIRT) or a virtual team drawn from existing staff. The standard
addresses team structure, staffing levels, skill requirements, and tooling.
Key roles include the incident manager (overall coordination), technical
analysts (forensics, malware analysis, log analysis), communications lead
(stakeholder notifications), and legal advisor (regulatory compliance,
privilege considerations).

For tooling, the standard recommends a layered approach: detection tools
(SIEM, EDR, NIDS), analysis tools (forensic workstations, packet capture,
malware sandbox), collaboration tools (secure incident tracking platforms,
encrypted communication channels), and recovery tools (backup systems,
configuration management, patch deployment). The standard stresses that
tools must be tested and maintained, not simply acquired and forgotten.

Organizations that conduct quarterly tabletop exercises and annual
full-scale simulation drills achieve 50% faster detection times and
significantly lower incident escalation rates, according to published
research on incident preparedness maturity.

Developing Incident Response Plans and Procedures

The standard calls for detailed, scenario-specific response plans that
cover common incident types: malware outbreaks, unauthorized access, data
breaches, denial of service, insider threats, and supply chain compromises.
Each plan should include step-by-step procedures for detection, containment,
eradication, recovery, and post-incident activities. The plans must be
documented, accessible (including offline access), and regularly updated.

An often-overlooked aspect that the standard highlights is the importance
of plan maintenance. Technical environments change, personnel
turn over, and threat actors evolve their tactics. ISO/IEC 27035-2 recommends
a formal review cycle — at minimum annually — and triggered reviews whenever
there are significant changes to the IT infrastructure, threat landscape,
or regulatory requirements. Version control and change management for
incident plans are essential to ensure that all team members are working
from the current, approved documentation.

Frequently Asked Questions

Q: What is the difference between a CSIRT and a SOC?
A: A Security Operations Center (SOC) focuses on continuous monitoring and
real-time detection of security events. A CSIRT focuses on managing incidents
that require structured response. Many organizations operate both, with the
SOC serving as the first line of detection and the CSIRT handling escalation
and complex incident coordination.

Q: How often should incident response plans be tested?
A: ISO/IEC 27035-2 recommends testing at multiple levels: tabletop exercises
every quarter, functional drills (testing specific procedures) every six
months, and full-scale simulations annually. Plans should also be reviewed
after any significant incident or infrastructure change.

Q: What training is required for incident response team members?
A: Team members should receive initial training on incident management
procedures, tools, and communication protocols, followed by ongoing training
every 6-12 months. Specialized training (forensics, cloud incident response,
malware analysis) should be provided based on role-specific requirements.
The standard also recommends cross-training to avoid single points of
failure.

Q: How does 27035-2 address cloud and managed service incidents?
A: The 2023 edition includes specific guidance on planning for incidents
involving cloud service providers and managed security service providers.
Organizations should establish clear roles and responsibilities with
providers, define escalation paths, and test coordination procedures
through joint exercises.