ISO/IEC 27035-1:2016
Information technology - Security techniques - Information security incident management - Part 1: Principles of incident management
ISO/IEC 27035-1:2016 is the foundation of this multipart International Standard. It presents basic concepts and phases of information security incident management and combines these concepts with principles in a structured approach to detecting, reporting, assessing, and responding to incidents, and applying lessons learnt. The principles given in ISO/IEC 27035-1:2016 are generic and intended to be applicable to all organizations, regardless of type, size or nature. Organizations can adjust the guidance given in ISO/IEC 27035-1:2016 according to their type, size and nature of business in relation to the information security risk situation. It is also applicable to external organizations providing information security incident management services.
General Information
- Status: Withdrawn
- Publication Date: 27-Oct-2016
- Drafting Committee: ISO/IEC JTC 1/SC 27/WG 4 - Security controls and services
- Current Stage: 9599 - Withdrawal of International Standard
- Start Date: 13-Feb-2023
- Completion Date: 30-Oct-2025
Relations
- Effective Date: 23-Apr-2020
- Effective Date: 16-Nov-2013
ISO/IEC 27035-1:2016 - Information technology -- Security techniques -- Information security incident management
Frequently Asked Questions
ISO/IEC 27035-1:2016 is a standard published jointly by ISO and IEC and prepared by ISO/IEC JTC 1/SC 27. Its full title is "Information technology - Security techniques - Information security incident management - Part 1: Principles of incident management". It covers the basic concepts, principles and phases of information security incident management (detecting, reporting, assessing and responding to incidents, and applying lessons learnt). Its principles are generic, written to apply to organizations of any type, size or nature, and they also apply to external organizations that provide information security incident management services.
ISO/IEC 27035-1:2016 is classified under the following ICS (International Classification for Standards) categories: 35.030 - IT Security; 35.040 - Information coding. The ICS classification helps identify the subject area and facilitates finding related standards.
ISO/IEC 27035-1:2016 has the following relationships with other standards: it is linked to ISO/IEC 27035-1:2023, the edition that replaces it, and to ISO/IEC 27035:2011, the single-part edition it superseded. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.
ISO/IEC 27035-1:2016 is available in PDF format for immediate download after purchase. The document can be added to your cart and obtained through the secure checkout process. Digital delivery ensures instant access to the complete standard document.
Standards Content (Sample)
DRAFT INTERNATIONAL STANDARD
ISO/IEC DIS 27035-1
ISO/IEC JTC 1/SC 27 Secretariat: DIN
Voting begins on: 2015-07-27
Voting terminates on: 2015-10-27
Information technology — Security techniques —
Information security incident management —
Part 1:
Principles of incident management
ICS: 35.040
THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENT AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
Reference number: ISO/IEC DIS 27035-1:2015(E)
© ISO/IEC 2015
© ISO/IEC 2015, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
Contents
Foreword
0 Introduction
0.1 About this Standard
0.2 Relationship to other standards
1 Scope
2 Normative references
3 Terms and definitions
4 Overview
4.1 Basic concepts and principles
4.2 Objectives of incident management
4.3 Benefits of a structured approach
4.4 Adaptability
5 Phases
5.1 Overview
5.2 Plan and Prepare
5.3 Detection and Reporting
5.4 Assessment and Decision
5.5 Responses
5.6 Lessons Learnt
Annex A (informative) Examples of information security incidents and their causes
A.1 Attacks
A.1.1 Denial of Service
A.1.2 Unauthorized access
A.1.3 Malware
A.1.4 Abuse
A.2 Information gathering
Annex B (informative) Relationship to investigative standards
Annex C (informative) Cross reference table of ISO/IEC 27001 vs ISO/IEC 27035
Bibliography
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27035-1 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Security techniques.
ISO/IEC 27035 consists of the following parts, under the general title Information technology — Security techniques — Information security incident management:
— Part 1: Principles of incident management
— Part 2: Guidelines to plan and prepare for incident response
— Part 3: Guidelines for incident response operations
0 Introduction
0.1 About this Standard
Information security policies or controls alone will not guarantee total protection of information, information
systems, services or networks. After controls have been implemented, residual vulnerabilities are likely to
remain that can reduce the effectiveness of information security and facilitate the occurrence of information
security incidents. This can potentially have direct and indirect adverse impacts on an organization's business
operations. Furthermore, it is inevitable that new instances of previously unidentified threats will occur.
Insufficient preparation by an organization to deal with such incidents will make any response less effective,
and increase the degree of potential adverse business impact. Therefore, it is essential for any organization
desiring a strong information security program, to have a structured and planned approach to:
— detect, report and assess information security incidents;
— respond to information security incidents, including the activation of appropriate controls to prevent, reduce, and recover from impacts;
— report information security vulnerabilities, so they can be assessed and dealt with appropriately;
— learn from information security incidents and vulnerabilities, institute preventive controls, and make improvements to the overall approach to information security incident management.
For the purpose of achieving this planned approach, this International Standard provides guidance on aspects
of information security incident management in the following corresponding parts:
— ISO/IEC 27035-1, Principles of incident management, (this document) presents basic concepts and phases of information security incident management, and how to improve incident management. This part combines these concepts with principles in a structured approach to detecting, reporting, assessing, and responding to incidents, and applying lessons learnt.
— ISO/IEC 27035-2, Guidelines to plan and prepare for incident response, describes how to plan and prepare for incident response. This part covers the “Plan and Prepare” and “Lessons Learnt” phases of the model presented in Part 1.
— ISO/IEC 27035-3, Guidelines for incident response operations, describes the activities associated with the Detection and Reporting, Assessment and Decision, and Response (including Post Incident Activity) phases of the model presented in Part 1.
0.2 Relationship to other standards
This International Standard is intended to complement other standards and documents that give guidance on
the investigation of, and preparation to investigate, information security incidents. This standard is not a
comprehensive guide, but a reference for certain fundamental principles that are intended to ensure that tools,
techniques and methods can be selected appropriately and shown to be fit for purpose should the need arise.
While this International Standard encompasses the management of information security incidents, the
standard also covers some aspects of information security vulnerabilities. Vulnerability disclosure and
vulnerability handling by software vendors are discussed in ISO/IEC 29147 and ISO/IEC 30111 respectively.
This International Standard is also intended to inform decision-makers who need to determine the reliability of digital evidence presented to them. It is applicable to organizations needing to protect, analyse and present potential digital evidence, and it is relevant to policy-making bodies that create and evaluate procedures relating to digital evidence, often as part of a larger body of evidence.
Further information about investigative standards is available in Annex B.
Information technology – Security techniques — Information
security incident management — Part 1: Principles of incident
management
1 Scope
This part of ISO/IEC 27035 is the foundation of this multipart International Standard. It presents basic
concepts and phases of information security incident management and combines these concepts with
principles in a structured approach to detecting, reporting, assessing, and responding to incidents, and
applying lessons learnt.
The principles given in this International Standard are generic and intended to be applicable to all
organizations, regardless of type, size or nature. Organizations can adjust the guidance given in this
International Standard according to their type, size and nature of business in relation to the information
security risk situation. This International Standard is also applicable to external organizations providing
information security incident management services.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management systems
— Overview and vocabulary
ISO/IEC 27005, Information technology — Security techniques — Information security risk management
ISO/IEC 27035-2, Information technology — Security techniques — Information security incident management
— Part 2: Guidelines to plan and prepare for incident response
ISO/IEC 27035-3, Information technology — Security techniques — Information security incident management
— Part 3: Guidelines for incident response operations
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following apply.
3.1
information security investigation
application of examinations, analysis and interpretation to aid understanding of an information security
incident
[SOURCE: ISO/IEC 27042 (to be published), 3.10, modified — The words “an incident” were replaced by “an information security incident”.]
3.2
Incident Response Team
IRT
team of appropriately skilled and trusted members of the organization that handles incidents during their
lifecycle
Note 1 to entry: CERT (Computer Emergency Response Team) and CSIRT (Computer Security Incident Response Team)
are commonly used terms for IRT.
3.3
information security event
occurrence indicating a possible breach of information security or failure of controls
3.4
information security incident
one or multiple related and identified information security events that can harm an organization's assets or
compromise its operations
3.5
information security incident management
exercise of a consistent and effective approach to the handling of information security incidents
3.6
incident handling
actions of detecting, reporting, assessing, responding to, dealing with, and learning from information security
incidents
3.7
incident response
action taken to protect and restore the normal operational conditions of an information system and the
information stored in it when an information security incident occurs
[SOURCE: ISO/IEC 27039, 2.24, Modified — The phrase "when an attack or intrusion occurs" was replaced
by "when an information security incident occurs"]
3.8
Point of Contact
PoC
defined organizational function or role serving as the coordinator or focal point of information concerning
incident management activities
4 Overview
4.1 Basic concepts and principles
An information security event is an occurrence indicating a possible breach of information security or failure of
controls. An information security incident is one or multiple related and identified information security events
that can harm an organization's assets or compromise its operations.
The occurrence of an information security event does not necessarily mean that an attack has been
successful or that there are any implications on confidentiality, integrity or availability, i.e., not all information
security events are classified as information security incidents.
Information security incidents can be deliberate (e.g. caused by malware or intentional breach of discipline) or
accidental (e.g. caused by inadvertent errors of human or unavoidable acts of nature), and can be caused by
technical (e.g. computer viruses) or non-technical (e.g. loss or theft of computers) means. Consequences can
include the unauthorized disclosure, modification, destruction, or unavailability of information, or the damage
or theft of organizational assets that contain information.
Annex A provides descriptions of selected example information security incidents and their causes for
informative purposes only. It is important to note that these examples are by no means exhaustive.
A threat exploits vulnerabilities (weaknesses) in information systems, services, or networks, causing the
occurrence of information security events and thus potentially causing incidents to information assets exposed
by the vulnerabilities. Figure 1 shows this relationship of objects in an information security incident.
[Figure 1 is a diagram; its labelled relationships are reconstructed here as a list.]
— A threat, by exploiting a vulnerability, causes an information security event.
— A vulnerability exposes an information asset.
— An information security event is (where the assessment so decides) classified as an information security incident.
— An information security incident impacts the information asset.
— The information asset supports operations.
— An information security incident compromises operations.
The shaded objects are pre-existing, affected by the unshaded objects that result in an information security incident.
Figure 1 — The relationship of objects in an information security incident
Information sharing and coordination with external IRTs is an important consideration. Many incidents cross
organizational boundaries and cannot be easily resolved by a single IRT. Information sharing and coordination
relationships or partnerships with external IRTs can greatly enhance the ability to respond to and resolve
incidents. For further detail about information sharing, see ISO/IEC 27010.
4.2 Objectives of incident management
As a key part of an organization's overall information security strategy, the organization should put controls
and procedures in place to enable a structured well-planned approach to the management of information
security incidents. From an organization’s perspective, the prime objective is to avoid or contain the impact of
information security incidents in order to minimize the direct and indirect damage to its operations caused by
the incidents. Since damage to information assets can have a negative impact on operations, business and
operational perspectives should have a major influence in determining the objectives for information security
incident management.
More refined objectives of a structured well-planned approach to incident management should include the
following:
a) Information security events are detected and dealt with efficiently, in particular identifying whether they
are classified as information security incidents or not.
b) Identified information security incidents are assessed and responded to in the most appropriate and
efficient manner.
c) The adverse effects of information security incidents on the organization and its operations are minimized
by appropriate controls as part of the incident response.
d) A link with relevant elements from crisis management and business continuity management through an
escalation process is established.
e) Information security vulnerabilities are assessed and dealt with appropriately to prevent or reduce
incidents. This assessment can be done either by the IRT or some other team within the organization,
depending on duty distribution.
f) Lessons are learnt quickly from information security incidents, vulnerabilities and their management. This
feedback mechanism is intended to increase the chances of preventing future information security
incidents from occurring, improve the implementation and use of information security controls, and
improve the overall information security incident management plan.
To help achieve these objectives, organizations should ensure that information security incidents are
documented in a consistent manner, using appropriate standards for incident categorization, classification,
and sharing, so that metrics can be derived from aggregated data over a period of time. This provides
valuable information to aid the strategic decision making process when investing in information security
controls. The information security incident management system should be able to share information with
relevant external parties and IRTs.
Another objective associated with this International Standard is to provide guidance to organizations that aim to meet the ISMS requirements specified in ISO/IEC 27001, which are supported by guidance from ISO/IEC 27002. ISO/IEC 27001 includes requirements related to information security incident management. A table that cross-references information security incident management clauses in ISO/IEC 27001 and clauses in this International Standard is provided in Annex C. ISMS relationships are also explained in Figure 2. This International Standard can also support the requirements of management systems other than an ISMS.
[Figure 2 is a diagram (see also Figure 1); its labelled relationships are reconstructed here as a list.]
— An information security incident impacts information assets, which support operations; the incident compromises operations.
— The incident is handled by information security incident management.
— Information security incident management shares information with external stakeholders and IRTs.
— Information security incident management meets the requirements of the ISMS and improves the information security controls.
— The ISMS implements the information security controls.
— The information security controls protect the information security of the information assets and reduce risk.
Figure 2 — Information Security Incident Management in relation to ISMS and applied controls
4.3 Benefits of a structured approach
An organization using a structured approach to information security incident management will accrue
significant benefits, which can be grouped under the following topics:
a) Improving overall information security
A structured process for detection, reporting and assessment of and decision-making related to
information security events and incidents will enable rapid identification and response. This will improve
overall security by helping to quickly identify and implement a consistent solution, and thus provide a
means of preventing future similar information security incidents. Furthermore, there will be benefits
gained by metrics, sharing and aggregation. The credibility of the organization will be improved by the
demonstration of its implementation of best practices with respect to information security incident
management.
b) Reducing adverse business impacts
A structured approach to information security incident management can assist in reducing the level of
potential adverse business impacts associated with information security incidents. These impacts can
include immediate financial loss and longer-term loss arising from damaged reputation and credibility. For
guidance on business impact analysis, see ISO/IEC 27005. For guidance on information and
communication technology readiness for business continuity see ISO/IEC 27031.
c) Strengthening the information security incident prevention focus
Using a structured approach to information security incident management helps to create a better focus
on incident prevention within an organization, including the development of methods to identify new
threats and vulnerabilities. Analysis of incident-related data enables the identification of patterns and
trends, thereby facilitating a more accurate focus on incident prevention and identification of appropriate
actions to prevent further occurrence.
d) Strengthening prioritization
A structured approach to information security incident management will provide a solid basis for
prioritization when conducting information security incident investigations, including the use of effective
categorization and classification scales. If there are no clear procedures, there is a risk that investigation
activities could be conducted in an overly reactive mode, responding to incidents as they occur and
overlooking what activities should be handled with a higher priority.
e) Strengthening evidence
If and when needed, clear incident investigation procedures will help to ensure that data collection and
handling are evidentially sound and legally admissible. These are important considerations if legal
prosecution or disciplinary action might follow. For more information on digital evidence and investigation,
see the investigative standards in Annex B.
f) Contributing to budget and resource justifications
A well-defined and structured approach to information security incident management will help justify and
simplify the allocation of budgets and resources for involved organizational units. Furthermore, benefit will
accrue for the information security incident management plan itself, with the ability to better plan for the
allocation of staff and resources.
One example of a way to control and optimize budget and resources is to add time tracking to information
security incident management tasks to facilitate quantitative assessment of the organization's handling of
information security incidents. It should be possible to provide information on how long it takes to resolve
information security incidents of different priorities and on different platforms. If there are bottlenecks in
the information security incident management process, these should also be identifiable.
g) Improving updates to information security risk assessment and management results
The use of a structured approach to information security incident management will facilitate:
— better collection of data for assisting in the identification and determination of the characteristics of the various threat types and associated vulnerabilities, and
— provision of data on frequencies of occurrence of the identified threat types.
The data collected about adverse impacts on business operations from information security incidents will
be useful in business impact analysis. The data collected to identify the frequency of various threat types
will improve the quality of a threat assessment. Similarly, the data collected on vulnerabilities will improve
the quality of future vulnerability assessments. For guidance on information security risk assessment and
management, see ISO/IEC 27005.
h) Providing enhanced information security awareness and training program material
A structured approach to information security incident management will enable an organization to collect
experience and knowledge of how the organization handled incidents, which will be valuable material for
an information security awareness program. An awareness program that includes lessons learnt from real
experience will help reduce mistakes or confusion in future information security incidents.
i) Providing input to the information security policy and related documentation reviews
Data provided by an information security incident management plan could provide valuable input to
reviews of the effectiveness and subsequent improvement of incident management security policies (and
other related information security documents). This applies to topic-specific policies and other documents
applicable both for organization-wide and for individual systems, services and networks.
4.4 Adaptability
The guidance provided by this International Standard (all parts) is extensive and if adopted in full, could
require significant resources to operate and manage. It is therefore important that an organization applying
this guidance should retain a sense of perspective and ensure that the resources applied to information
security incident management and the complexity of the mechanisms implemented, are proportional to the
following:
a) size, structure and business nature of an organization,
b) scope of any information security management system for incident handling,
c) potential loss through unprevented incidents, and
d) the goals of the business.
An organization using this International Standard should therefore adopt its guidance in a manner that is
relevant to the scale and characteristics of its business.
5 Phases
5.1 Overview
To achieve the objectives outlined in 4.2, information security incident management consists of the following
five distinct phases:
— Plan and Prepare (see 5.2),
— Detection and Reporting (see 5.3),
— Assessment and Decision (see 5.4),
— Responses (see 5.5), and
— Lessons Learnt (see 5.6).
A high-level view of these phases is shown in Figure 3.
Some activities can occur in multiple phases or throughout the incident handling process. Such activities
include:
— documentation of event and incident evidence and key information, response actions taken, and follow-up actions done as part of the incident handling process;
— coordination and communication between the involved parties;
— notification of significant incidents to management and other stakeholders;
— information sharing between stakeholders and internal and external collaborators such as vendors and other IRTs.
[Figure 3 is a diagram; its phase boxes and the activities listed in each are reconstructed here.]
PLAN AND PREPARE
— information security incident management policy, and commitment of top management
— information security policies, including those related to risk management, updated at both corporate level and system, service, and network levels
— information security incident management plan
— IRT establishment
— relationships and connections with internal and external organizations
— technical and other support (including organizational and operational support)
— information security incident management awareness briefings and training
— information security incident management plan testing
DETECTION AND REPORTING
— collecting situational awareness information from local environment and external data sources and news feeds
— monitoring of constituency systems and networks
— detection and alerting of anomalous, suspicious, or malicious activities
— collection of information security event reports from constituents, vendors, other IRTs or security organizations and automated sensors
— reporting information security events
ASSESSMENT AND DECISION
— assessment of information security event and decision on whether it is an information security incident
RESPONSES
— determination, by investigation, of whether the information security incident is under control
— containment and eradication of information security incident
— recovery from information security incident
— resolution and closure of the information security incident
POST INCIDENT ACTIVITY (shown alongside Responses)
— further investigation, if required
LESSONS LEARNT
— identification of lessons learnt
— identification of and making improvements to information security
— identification of and making improvements to information security risk assessment and management review results
— identification of and making improvements to information security incident management plan
— evaluation of the performance and effectiveness of the IRT
Figure 3 — Information security incident management phases
As noted in the Introduction, this standard is in three parts:
— ISO/IEC 27035-1, Principles of incident management (this document), covers all five phases.
— ISO/IEC 27035-2, Guidelines to plan and prepare for incident response, covers: Plan and Prepare; Lessons Learnt.
— ISO/IEC 27035-3, Guidelines for incident response operations, covers: Detection and Reporting; Assessment and Decision; Responses (including Post Incident Activity).
Figure 4 shows the flow of information security events and incidents through information security incident management phases and related activities.
[Figure 4 is a swimlane flow diagram. Lanes: User / Source; Point of Contact (PoC) (on call); Internal IRT; Crisis handling team, including external IRT. Vertical axis: Time. Recoverable content by phase:]
PLAN AND PREPARE
DETECTION AND REPORTING: information security event → detection (user/source), detection (PoC), monitoring and detection (IRT) → abnormality or anomaly alarm → decision "PoC exists?" (No / Yes) → information security incident report → reporting
ASSESSMENT AND DECISION: information collection → assessment (PoC) → decision "Possible incident?" (No / Yes); information collection → assessment (IRT) → decision "Confirmed incident?" (No / Yes)
RESPONSES: investigation → decision "Incident under control?" (No: response to crisis situation, crisis handling team; Yes: containment and eradication of incidents → recovery from incident → resolution and closure of incident)
POST INCIDENT ACTIVITY: further investigation, if required; false alarm reduction
LESSONS LEARNT: review → improvement
Figure 4 — Information security event and incident flow diagram
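The decision path of Figure 4, written out as an added example (not code from the standard): each constructed event is walked from the alarm through PoC and IRT assessment to false alarm, resolution, or escalation to crisis handling, with every activity and decision logged as 5.4 and 5.5 require. The severity scale, the "possible"/"confirmed" rules and the crisis threshold are assumptions for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class Outcome(Enum):
    FALSE_ALARM = "false alarm"              # feeds false alarm reduction (post incident activity)
    RESOLVED = "resolved and closed"
    CRISIS = "escalated to crisis handling"  # not under control, or severe impact on operations


@dataclass
class Event:
    """Constructed information security event as raised by a user, source or sensor."""
    event_id: str
    description: str
    severity: int = 1                 # assumed scale: 1 (informational) .. 5 (severe impact)
    related_event_ids: List[str] = field(default_factory=list)  # corroborating events
    contained: bool = True            # did investigation bring the incident under control?


@dataclass
class IncidentRecord:
    """Row in the IRT's information security database plus its activity/decision log."""
    event: Event
    phase: str = "DETECTION AND REPORTING"
    outcome: Optional[Outcome] = None
    log: List[Tuple[str, str, str]] = field(default_factory=list)  # (phase, actor, activity)

    def note(self, actor: str, activity: str) -> None:
        self.log.append((self.phase, actor, activity))


CRISIS_SEVERITY = 4  # assumed threshold for "severe impact on the organization's operations"


def is_possible_incident(ev: Event) -> bool:
    """PoC assessment (assumed rule): pass on anything above informational severity
    or anything corroborated by a related event."""
    return ev.severity > 1 or bool(ev.related_event_ids)


def is_confirmed_incident(ev: Event) -> bool:
    """IRT assessment (assumed rule): definition 3.4 speaks of identified, related events
    that can harm assets, so demand corroboration or a clearly harmful single event."""
    return bool(ev.related_event_ids) or ev.severity >= 3


def handle_event(ev: Event, poc_exists: bool = True) -> IncidentRecord:
    """Walk one event through the Figure 4 flow, logging every activity and decision."""
    rec = IncidentRecord(ev)
    rec.note("user/source", "abnormality or anomaly alarm raised")
    # Assumption: with no PoC, the report is filed with the internal IRT directly.
    reporter = "PoC (on call)" if poc_exists else "internal IRT"
    rec.note(reporter, "information security incident report filed")

    rec.phase = "ASSESSMENT AND DECISION"
    rec.note(reporter, "information collection and assessment")
    if not is_possible_incident(ev):
        rec.note(reporter, "decision: not a possible incident")
        rec.outcome = Outcome.FALSE_ALARM
        return rec
    rec.note("internal IRT", "information collection and assessment")
    if not is_confirmed_incident(ev):
        rec.note("internal IRT", "decision: not a confirmed incident")
        rec.outcome = Outcome.FALSE_ALARM
        return rec
    rec.note("internal IRT", "decision: confirmed information security incident")

    rec.phase = "RESPONSES"
    rec.note("internal IRT", "investigation")
    under_control = ev.contained and ev.severity < CRISIS_SEVERITY
    if not under_control:
        rec.note("crisis handling team", "response to crisis situation")
        rec.outcome = Outcome.CRISIS
        return rec
    for step in ("containment and eradication", "recovery", "resolution and closure"):
        rec.note("internal IRT", step)
    rec.outcome = Outcome.RESOLVED

    rec.phase = "POST INCIDENT ACTIVITY"
    rec.note("internal IRT", "further investigation, if required")
    return rec


# Constructed sample events (illustrative, not real incidents).
SAMPLE_EVENTS = [
    Event("E1", "single failed VPN login from a known user"),
    Event("E2", "burst of failed logins against one account", severity=2),
    Event("E3", "endpoint agent flags malware on a workstation", severity=3,
          related_event_ids=["E2"], contained=True),
    Event("E4", "file servers encrypting across two sites", severity=5,
          related_event_ids=["E3"], contained=False),
]


def triage_all(events: List[Event], poc_exists: bool = True) -> dict:
    """Outcome per event id, as the IRT would see it in the information security database."""
    return {ev.event_id: handle_event(ev, poc_exists).outcome for ev in events}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        rec = handle_event(ev)
        print(ev.event_id, rec.outcome.value)
        for phase, actor, activity in rec.log:
            print(f"   [{phase}] {actor}: {activity}")
```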
5.2 Plan and Prepare
Effective information security incident management requires appropriate planning and preparation. For an
efficient and effective information security incident management plan to be put into operation, an organization
should complete a number of preparatory activities:
a) Formulate and produce an information security incident management policy, and gain top management
commitment to that policy.
b) Update information security policies, including those related to risk management, at a corporate level and
specific system, service and network levels.
c) Define and document a detailed information security incident management plan.
d) Establish the IRT, with an appropriate training program designed, developed, and provided to its
personnel.
e) Establish and preserve appropriate relationships and connections with internal and external organizations
that are directly involved in information security event, incident and vulnerability management.
f) Establish, implement, and operate technical, organizational, and operational mechanisms to support the
information security incident management plan and therefore the work of the IRT. Develop and deploy
necessary information systems to support the IRT, including an information security database. These
mechanisms and systems are intended to prevent information security incident occurrences or reduce the
likelihood of occurrences of information security incidents.
g) Design and develop an awareness and training program for information security event, incident and
vulnerability management.
h) Test the use of the information security incident management plan, its processes and procedures.
With this phase completed, organizations should be fully prepared to properly manage information security
incidents. Part 2 of this International Standard describes each of the activities listed above, including the
contents of policy and planning documents.
5.3 Detection and Reporting
The second phase of information security incident management involves the detection of, collection of
information associated with, and reporting on occurrences of information security events and the existence of
information security vulnerabilities by manual or automatic means. In this phase, events and vulnerabilities
might not yet be classified as information security incidents.
The reporting of security events in line with the organization’s reporting policies enables later analysis if
required.
For the Detection and Reporting phase, an organization should undertake the following key activities:
a) Monitor and log system and network activity of constituency or parent organization as appropriate.
b) Detect and report the occurrence of an information security event or the existence of an information
security vulnerability, whether manually by personnel or automatically.
c) Collect information on an information security event or vulnerability.
d) Collect situational awareness information from internal and external data sources including local system
and network traffic and activity logs, news feeds concerning ongoing political, social, or economic
activities that might impact incident activity, external feeds on incident trends, new attack vectors, current
attack indicators, and new mitigation strategies and technologies.
e) Ensure that all activities, results and related decisions are properly logged for later analysis.
f) Ensure that digital evidence is gathered and stored securely, and that its secure preservation is
continually monitored, in case it is required for legal prosecution or internal disciplinary action. For more
detailed information on the identification, collection, acquisition and preservation of digital evidence, see
the investigative standards in Annex B.
g) Ensure that the change control regime is followed to enable information security event and vulnerability
tracking and report updates, and to keep the information security database up-to-date.
h) Escalate, on an as-needed basis throughout the phase, for further review or decisions.
All information collected pertaining to an information security event or vulnerability should be stored in the
information security database managed by the IRT. The information reported during each activity should be as
complete as possible at the time. This will support assessments, decisions, and actions to be taken.
Part 3 of this International Standard describes in detail each of the activities listed above.
5.4 Assessment and Decision
The third phase of information security incident management involves the assessment of information
associated with occurrences of information security events and the decision on whether to classify events as
information security incidents.
Once an information security event has been detected and reported, the subsequent activities should be
performed:
a) Distribute the responsibility for information security incident management activities through an appropriate
hierarchy of personnel with assessment, decision making, and actions, involving both security and non-
security personnel.
b) Provide formal procedures for each notified person to follow, including reviewing and amending the
reports, assessing damage, and notifying relevant personnel. Individual actions will depend on the type
and severity of the incident.
c) Use guidelines for thorough documentation of an information security event and the subsequent actions
for an information security incident if the information security event becomes classified as an information
security incident.
For the Assessment and Decision phase, an organization should perform the following key activities:
d) Collect information that can include testing, measuring, and other data gathering about the detection of an
information security event. The type and amount of information collected will depend on the information
security event that has occurred.
e) Conduct an assessment by the incident handler to determine whether the event is a possible or confirmed
information security incident or a false alarm. A false alarm (i.e. a false positive) is an indication of a
reported event that is found not to be real or of any consequence. If desired, the IRT can conduct a
quality review to ensure that the incident handler correctly declared an incident.
f) Ensure that all parties involved, particularly the IRT, properly log all activities, results, and related
decisions for later analysis.
g) Ensure that the change control regime is maintained to cover information security incident tracking and
incident report updates, and to keep the information security database up-to-date.
All information collected pertaining to an information security event, incident, or vulnerability should be stored
in the information security database managed by the IRT. The information reported during each activity should
be as complete as possible at the time. This will support assessments, decisions, and actions to be taken.
Part 3 of this International Standard describes in detail each of the activities listed above.
5.5 Responses
The fourth phase of information security incident management involves responding to information security
incidents in accordance with the actions determined in the Assessment and Decision phase. Depending on
the decisions, the responses could be made immediately, in real-time, or in near real-time, and some
responses could involve information security investigation.
Once an information security incident has been confirmed and the responses determined, the subsequent
activities should be undertaken:
a) Distribute the responsibility for information security incident management activities through an appropriate
hierarchy of personnel with decision making and actions, involving both security and non-security
personnel as necessary.
b) Provide formal procedures for each involved person to follow, including reviewing and amending the
reports, re-assessing damage, and notifying the relevant personnel. Individual actions will depend on the
type and severity of the incident.
c) Use guidelines for thorough documentation of an information security incident and subsequent actions.
For the Responses phase, an organization should perform the following key activities:
d) Investigate incidents as required and relative to the information security incident classification scale rating.
The scale should be changed as necessary.
e) Review by the IRT to determine whether the information security incident is under control, and if so,
perform the required response. If the incident is not under control or it is going to have a severe impact on
the organization’s operations, perform crisis response activities through escalation to the crisis handling
function.
f) Assign internal resources and identify external resources in order to respond to an incident.
g) Escalate, as needed throughout the phase, for further assessments or decisions.
h) Ensure that all parties involved, particularly the IRT, properly log all activities for later analysis.
i) Ensure that digital evidence is gathered and stored provably securely, and that its secure preservation is
continually monitored, in case it is required for legal prosecution or internal disciplinary action. For more
detailed information on the identification, collection, acquisition and preservation of digital evidence, see
the investigative standards in Annex B.
j) Ensure that the change control regime is maintained to cover information security incident tracking and
incident report updates, and to keep the information security database up-to-date.
k) Communicate the existence of the information security incident and share any relevant details (e.g.,
threat, attack, and vulnerability information) with other internal and external individuals or organizations. It
can be particularly important to notify asset owners (determined during the impact analysis) and internal
and external organizations (e.g., other incident response teams, law enforcement agencies, Internet
service providers, and information sharing organizations) that could assist with the management and
resolution of the incident. Sharing information could also benefit other organizations since the same
threats and attacks often affect multiple organizations. For further detail about information sharing, see
ISO/IEC 27010.
l) Af
...
INTERNATIONAL ISO/IEC
STANDARD 27035-1
First edition
2016-11-01
Information technology — Security
techniques — Information security
incident management —
Part 1:
Principles of incident management
Technologies de l’information — Techniques de sécurité — Gestion
des incidents de sécurité de l’information —
Partie 1: Principes de la gestion des incidents
Reference number
© ISO/IEC 2016
© ISO/IEC 2016, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO/IEC 2016 – All rights reserved
Contents                                                                     Page
Foreword ... iv
Introduction ... v
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
4 Overview ... 2
4.1 Basic concepts and principles ... 2
4.2 Objectives of incident management ... 3
4.3 Benefits of a structured approach ... 5
4.4 Adaptability ... 6
5 Phases ... 6
5.1 Overview ... 6
5.2 Plan and Prepare ... 9
5.3 Detection and Reporting ... 9
5.4 Assessment and Decision ... 10
5.5 Responses ... 11
5.6 Lessons Learnt ... 12
Annex A (informative) Relationship to investigative standards ... 13
Annex B (informative) Examples of information security incidents and their causes ... 16
Annex C (informative) Cross reference table of ISO/IEC 27001 to ISO/IEC 27035 ... 19
Bibliography ... 21
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment,
as well as information about ISO’s adherence to the World Trade Organization (WTO) principles in the
Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html.
The committee responsible for this document is ISO/IEC JTC 1, Information technology, SC 27, IT Security
techniques.
This first edition of ISO/IEC 27035-1, together with ISO/IEC 27035-2, cancels and replaces
ISO/IEC 27035:2011, which has been technically revised.
ISO/IEC 27035 consists of the following parts, under the general title Information technology — Security
techniques — Information security incident management:
— Part 1: Principles of incident management
— Part 2: Guidelines to plan and prepare for incident response
Further parts may follow.
Introduction
Information security policies or controls alone will not guarantee total protection of information,
information systems, services or networks. After controls have been implemented, residual
vulnerabilities are likely to remain that can reduce the effectiveness of information security and
facilitate the occurrence of information security incidents. This can potentially have direct and indirect
adverse impacts on an organization’s business operations. Furthermore, it is inevitable that new
instances of previously unidentified threats will occur. Insufficient preparation by an organization to
deal with such incidents will make any response less effective, and increase the degree of potential
adverse business impact. Therefore, it is essential for any organization desiring a strong information
security program to have a structured and planned approach to:
— detect, report and assess information security incidents;
— respond to information security incidents, including the activation of appropriate controls to
prevent, reduce, and recover from impacts;
— report information security vulnerabilities, so they can be assessed and dealt with appropriately;
— learn from information security incidents and vulnerabilities, institute preventive controls, and
make improvements to the overall approach to information security incident management.
For the purpose of achieving this planned approach, ISO/IEC 27035 provides guidance on aspects of
information security incident management in the following corresponding parts.
— ISO/IEC 27035-1, Principles of incident management (this document), presents basic concepts and
phases of information security incident management, and how to improve incident management.
This part combines these concepts with principles in a structured approach to detecting, reporting,
assessing, and responding to incidents, and applying lessons learnt.
— ISO/IEC 27035-2, Guidelines to plan and prepare for incident response, describes how to plan and
prepare for incident response. This part covers the “Plan and Prepare” and “Lessons Learnt” phases
of the model presented in ISO/IEC 27035-1.
ISO/IEC 27035 is intended to complement other standards and documents that give guidance on the
investigation of, and preparation to investigate, information security incidents. ISO/IEC 27035 is not
a comprehensive guide, but a reference for certain fundamental principles that are intended to ensure
that tools, techniques and methods can be selected appropriately and shown to be fit for purpose should
the need arise.
While ISO/IEC 27035 encompasses the management of information security incidents, it also covers
some aspects of information security vulnerabilities. Guidance on vulnerability disclosure and
vulnerability handling by vendors is provided in ISO/IEC 29147 and ISO/IEC 30111, respectively.
ISO/IEC 27035 also intends to inform decision-makers that need to determine the reliability of digital
evidence presented to them. It is applicable to organizations needing to protect, analyse and present
potential digital evidence. It is relevant to policy-making bodies that create and evaluate procedures
relating to digital evidence, often as part of a larger body of evidence.
Further information about investigative standards is available in Annex A.
INTERNATIONAL STANDARD ISO/IEC 27035-1:2016(E)
Information technology — Security techniques —
Information security incident management —
Part 1:
Principles of incident management
1 Scope
This part of ISO/IEC 27035 is the foundation of this multipart International Standard. It presents basic
concepts and phases of information security incident management and combines these concepts with
principles in a structured approach to detecting, reporting, assessing, and responding to incidents, and
applying lessons learnt.
The principles given in this part of ISO/IEC 27035 are generic and intended to be applicable to all
organizations, regardless of type, size or nature. Organizations can adjust the guidance given in this
part of ISO/IEC 27035 according to their type, size and nature of business in relation to the information
security risk situation. This part of ISO/IEC 27035 is also applicable to external organizations providing
information security incident management services.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
ISO/IEC 27035-2, Information technology — Security techniques — Information security incident
management — Part 2: Guidelines to plan and prepare for incident response
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the
following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at http://www.electropedia.org/
— ISO Online browsing platform: available at http://www.iso.org/obp
3.1
information security investigation
application of examinations, analysis and interpretation to aid understanding of an information security
incident (3.4)
[SOURCE: ISO/IEC 27042, 3.10, modified — The phrase “an incident” was replaced by “an information
security incident”.]
3.2
incident response team
IRT
team of appropriately skilled and trusted members of the organization that handles incidents during
their lifecycle
Note 1 to entry: CERT (Computer Emergency Response Team) and CSIRT (Computer Security Incident Response
Team) are commonly used terms for IRT.
3.3
information security event
occurrence indicating a possible breach of information security or failure of controls
3.4
information security incident
one or multiple related and identified information security events (3.3) that can harm an organization’s
assets or compromise its operations
3.5
information security incident management
exercise of a consistent and effective approach to the handling of information security incidents (3.4)
3.6
incident handling
actions of detecting, reporting, assessing, responding to, dealing with, and learning from information
security incidents (3.4)
3.7
incident response
actions taken to mitigate or resolve an information security incident (3.4), including those taken to
protect and restore the normal operational conditions of an information system and the information
stored in it
3.8
point of contact
PoC
defined organizational function or role serving as the coordinator or focal point of information
concerning incident management activities
4 Overview
4.1 Basic concepts and principles
An information security event is an occurrence indicating a possible breach of information security or
failure of controls. An information security incident is one or multiple related and identified information
security events that meet established criteria and can harm an organization’s assets or compromise its
operations.
The occurrence of an information security event does not necessarily mean that an attack has been
successful or that there are any implications on confidentiality, integrity or availability, i.e., not all
information security events are classified as information security incidents.
Information security incidents can be deliberate (e.g. caused by malware or intentional breach of
discipline) or accidental (e.g. caused by inadvertent human error or unavoidable acts of nature) and can
be caused by technical (e.g. computer viruses) or non-technical (e.g. loss or theft of computers) means.
Consequences can include the unauthorized disclosure, modification, destruction, or unavailability of
information, or the damage or theft of organizational assets that contain information.
Annex B provides descriptions of selected example information security incidents and their causes for
informative purposes only. It is important to note that these examples are by no means exhaustive.
A threat exploits vulnerabilities (weaknesses) in information systems, services, or networks, causing
the occurrence of information security events and thus potentially causing incidents to information
assets exposed by the vulnerabilities. Figure 1 shows the relationship of objects in an information
security incident.
[Figure 1 (diagram); the only label recovered from extraction is "Classified as".]
Figure 1 — Relationship of objects in an information security incident
Information sharing and coordination with external IRTs is an important consideration. Many incidents
cross organizational boundaries and cannot be easily resolved by a single IRT. Information sharing
and coordination relationships or partnerships with external IRTs can greatly enhance the ability to
respond to and resolve incidents. For further detail about information sharing, see ISO/IEC 27010.
4.2 Objectives of incident management
As a key part of an organization’s overall information security strategy, the organization should put
controls and procedures in place to enable a structured well-planned approach to the management
of information security incidents. From an organization’s perspective, the prime objective is to avoid
or contain the impact of information security incidents in order to minimize the direct and indirect
damage to its operations caused by the incidents. Since damage to information assets can have a
negative impact on operations, business and operational perspectives should have a major influence in
determining more specific objectives for information security management.
More specific objectives of a structured well-planned approach to incident management should include
the following:
a) information security events are detected and dealt with efficiently, in particular deciding when
they should be classified as information security incidents;
b) identified information security incidents are assessed and responded to in the most appropriate
and efficient manner;
c) the adverse effects of information security incidents on the organization and its operations are
minimized by appropriate controls as part of incident response;
d) a link with relevant elements from crisis management and business continuity management
through an escalation process is established;
e) information security vulnerabilities are assessed and dealt with appropriately to prevent or reduce
incidents. This assessment can be done either by the IRT or other teams within the organization,
depending on duty distribution;
f) lessons are learnt quickly from information security incidents, vulnerabilities and their
management. This feedback mechanism is intended to increase the chances of preventing future
information security incidents from occurring, improve the implementation and use of information
security controls, and improve the overall information security incident management plan.
To help achieve these objectives, organizations should ensure that information security incidents
are documented in a consistent manner, using appropriate standards for incident categorization,
classification, and sharing, so that metrics can be derived from aggregated data over a period of time.
This provides valuable information to aid the strategic decision making process when investing in
information security controls. The information security incident management system should be able to
share information with relevant external parties and IRTs.
Another objective associated with this part of ISO/IEC 27035 is to provide guidance to organizations
that aim to meet the Information Security Management System (ISMS) requirements specified
in ISO/IEC 27001 which are supported by guidance from ISO/IEC 27002. ISO/IEC 27001 includes
requirements related to information security incident management. A table that cross-references
information security incident management clauses in ISO/IEC 27001 and clauses in this part of
ISO/IEC 27035 is provided in Annex C. ISMS relationships are also explained in Figure 2. This part of
ISO/IEC 27035 can also support the requirements of information security management systems other
than ISMS.
Figure 2 — Information security incident management in relation to ISMS and applied controls
4.3 Benefits of a structured approach
Using a structured approach to information security incident management can yield significant
benefits, which can be grouped under the following topics.
a) Improving overall information security
A structured process for detection, reporting and assessment of and decision-making related to
information security events and incidents will enable rapid identification and response. This will
improve overall security by helping to quickly identify and implement a consistent solution, and thus
provide a means of preventing future similar information security incidents. Furthermore, there will
be benefits gained by metrics, sharing and aggregation. The credibility of the organization will be
improved by the demonstration of its implementation of best practices with respect to information
security incident management.
b) Reducing adverse business impacts
A structured approach to information security incident management can assist in reducing the level
of potential adverse business impacts associated with information security incidents. These impacts
can include immediate financial loss and longer-term loss arising from damaged reputation and
credibility. For guidance on business impact analysis, see ISO/IEC 27005. For guidance on information
and communication technology readiness for business continuity, see ISO/IEC 27031.
c) Strengthening the focus on information security incident prevention
Using a structured approach to information security incident management helps to create a better
focus on incident prevention within an organization, including the development of methods to identify
new threats and vulnerabilities. Analysis of incident-related data enables the identification of patterns
and trends, thereby facilitating a more accurate focus on incident prevention and identification of
appropriate actions to prevent further occurrence.
d) Improving prioritization
A structured approach to information security incident management will provide a solid basis for
prioritization when conducting information security incident investigations, including the use of
effective categorization and classification scales. If there are no clear procedures, there is a risk that
investigation activities could be conducted in an overly reactive mode, responding to incidents as they
occur and overlooking what activities should be handled with a higher priority.
e) Supporting evidence collection and investigation
If and when needed, clear incident investigation procedures will help to ensure that data collection
and handling are evidentially sound and legally admissible. These are important considerations if
legal prosecution or disciplinary action might follow. For more information on digital evidence and
investigation, see the investigative standards in Annex A.
f) Contributing to budget and resource justifications
A well-defined and structured approach to information security incident management will help justify
and simplify the allocation of budgets and resources for involved organizational units. Furthermore,
benefit will accrue for the information security incident management plan itself, with the ability to
better plan for the allocation of staff and resources.
One example of a way to control and optimize budget and resources is to add time tracking to information
security incident management tasks to facilitate quantitative assessment of the organization’s handling
of information security incidents. It should be possible to provide information on how long it takes to
resolve information security incidents of different priorities and on different platforms. If there are
bottlenecks in the information security incident management process, these should also be identifiable.
© ISO/IEC 2016 – All rights reserved 5
g) Improving updates to information security risk assessment and management results
The use of a structured approach to information security incident management will facilitate:
— better collection of data for assisting in the identification and determination of the characteristics
of the various threat types and associated vulnerabilities, and
— provision of data about frequencies of occurrence of the identified threat types.
The data collected about adverse impacts on business operations from information security incidents
will be useful in business impact analysis. The data collected to identify the frequency of various threat
types will improve the quality of a threat assessment. Similarly, the data collected on vulnerabilities
will improve the quality of future vulnerability assessments. For guidance on information security risk
assessment and management, see ISO/IEC 27005.
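As an added illustration of the time tracking suggested under f) and the frequency data described under g), the following Python script is example code written for this page; it is not part of ISO/IEC 27035 and is not taken from any tool the standard references. It assumes a hypothetical incident record layout with one timestamp per handling milestone (the milestone and interval names are chosen here and only loosely follow the phases of Clause 5), and the six incident records are constructed sample data. From those records it reports resolution time by priority and by platform, ranks the phase intervals so that the slowest one (overall or for one priority) stands out as a bottleneck, and tallies threat-type and vulnerability occurrences as input to threat and vulnerability assessment.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, median

# Hypothetical record layout (constructed for this example): one ISO 8601
# timestamp per milestone, recorded in the order the handling process runs.
MILESTONES = ("detected", "reported", "assessed", "responded", "closed")

# Intervals between consecutive milestones, named after the phase they
# approximate (names are this example's choice, not the standard's).
INTERVALS = (
    ("detection_and_reporting", "detected", "reported"),
    ("assessment_and_decision", "reported", "assessed"),
    ("response", "assessed", "responded"),
    ("closure", "responded", "closed"),
)

# Constructed sample incidents; values are illustrative only.
SAMPLE_INCIDENTS = [
    {"id": "INC-0001", "priority": "high", "platform": "linux-server",
     "threat": "malware", "vulnerability": "unpatched-service",
     "detected": "2024-03-01T08:00:00", "reported": "2024-03-01T08:30:00",
     "assessed": "2024-03-01T09:30:00", "responded": "2024-03-01T13:30:00",
     "closed": "2024-03-01T17:30:00"},
    {"id": "INC-0002", "priority": "high", "platform": "windows-workstation",
     "threat": "phishing", "vulnerability": "weak-credentials",
     "detected": "2024-03-02T09:00:00", "reported": "2024-03-02T09:15:00",
     "assessed": "2024-03-02T10:15:00", "responded": "2024-03-02T16:15:00",
     "closed": "2024-03-02T18:15:00"},
    {"id": "INC-0003", "priority": "medium", "platform": "windows-workstation",
     "threat": "phishing", "vulnerability": "user-awareness",
     "detected": "2024-03-03T10:00:00", "reported": "2024-03-03T14:00:00",
     "assessed": "2024-03-03T16:00:00", "responded": "2024-03-04T10:00:00",
     "closed": "2024-03-04T12:00:00"},
    {"id": "INC-0004", "priority": "low", "platform": "linux-server",
     "threat": "scanning", "vulnerability": None,
     "detected": "2024-03-05T08:00:00", "reported": "2024-03-06T08:00:00",
     "assessed": "2024-03-06T10:00:00", "responded": "2024-03-06T12:00:00",
     "closed": "2024-03-06T13:00:00"},
    {"id": "INC-0005", "priority": "medium", "platform": "linux-server",
     "threat": "malware", "vulnerability": "unpatched-service",
     "detected": "2024-03-07T08:00:00", "reported": "2024-03-07T10:00:00",
     "assessed": "2024-03-07T12:00:00", "responded": "2024-03-08T08:00:00",
     "closed": "2024-03-08T10:00:00"},
    {"id": "INC-0006", "priority": "high", "platform": "cloud-saas",
     "threat": "phishing", "vulnerability": "weak-credentials",
     "detected": "2024-03-09T07:00:00", "reported": "2024-03-09T07:30:00",
     "assessed": "2024-03-09T08:30:00", "responded": "2024-03-09T11:30:00",
     "closed": "2024-03-09T13:30:00"},
]


def _hours(rec, start, end):
    """Elapsed hours between two milestones of one record; rejects records
    whose timestamps are out of order so bad data cannot skew the metrics."""
    t0 = datetime.fromisoformat(rec[start])
    t1 = datetime.fromisoformat(rec[end])
    hours = (t1 - t0).total_seconds() / 3600
    if hours < 0:
        raise ValueError(f"{rec['id']}: '{end}' precedes '{start}'")
    return hours


def resolution_hours(rec):
    """Time from first detection to closure, in hours."""
    return _hours(rec, "detected", "closed")


def phase_hours(rec):
    """Hours spent in each interval of the handling process for one record."""
    return {name: _hours(rec, a, b) for name, a, b in INTERVALS}


def resolution_by(incidents, key):
    """Count, mean and median resolution time grouped by a record field
    such as "priority" or "platform"."""
    groups = defaultdict(list)
    for rec in incidents:
        groups[rec[key]].append(resolution_hours(rec))
    return {k: {"count": len(v), "mean_hours": mean(v), "median_hours": median(v)}
            for k, v in groups.items()}


def bottleneck_phases(incidents, priority=None):
    """Mean hours per interval, slowest first. Restricting to one priority
    exposes bottlenecks that the overall average hides."""
    selected = [r for r in incidents if priority is None or r["priority"] == priority]
    per_interval = defaultdict(list)
    for rec in selected:
        for name, hours in phase_hours(rec).items():
            per_interval[name].append(hours)
    ranked = [(name, mean(v)) for name, v in per_interval.items()]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


def threat_frequencies(incidents):
    """Occurrence counts of threat types, as input to threat assessment."""
    return Counter(rec["threat"] for rec in incidents)


def vulnerability_frequencies(incidents):
    """Occurrence counts of exploited vulnerabilities (records with none are skipped)."""
    return Counter(rec["vulnerability"] for rec in incidents if rec["vulnerability"])


if __name__ == "__main__":
    for key in ("priority", "platform"):
        print(f"Resolution time by {key}:", resolution_by(SAMPLE_INCIDENTS, key))
    print("Slowest intervals overall:", bottleneck_phases(SAMPLE_INCIDENTS))
    print("Slowest intervals, low priority:", bottleneck_phases(SAMPLE_INCIDENTS, "low"))
    print("Threat frequencies:", threat_frequencies(SAMPLE_INCIDENTS))
    print("Vulnerability frequencies:", vulnerability_frequencies(SAMPLE_INCIDENTS))
```

With the sample data the overall bottleneck is the response interval, but filtering to low-priority incidents shows that for them the delay sits between detection and reporting, which is the kind of priority-specific finding the standard's time tracking is meant to surface.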
h) Providing enhanced information security awareness and training program material
A structured approach to information security incident management will enable an organization to
collect experience and knowledge of how the organization handles incidents, which will be valuable
material for an information security awareness program. An awareness program that includes lessons
learnt from real experience will help reduce mistakes or confusion in future information security
incidents.
i) Providing input to the information security policy and related documentation reviews
Data provided by an information security incident management plan could provide valuable input to
reviews of the effectiveness and subsequent improvement of incident management security policies
(and other related information security documents). This applies to topic-specific policies and other
documents applicable both for organization-wide and for individual systems, services and networks.
4.4 Adaptability
The guidance provided by ISO/IEC 27035 (all parts) is extensive and, if adopted in full, could require
significant resources to operate and manage. It is therefore important that an organization applying
this guidance should retain a sense of perspective and ensure that the resources applied to information
security incident management and the complexity of the mechanisms implemented are proportional to
the following:
a) size, structure and business nature of an organization including key critical assets, processes, and
data that should be protected;
b) scope of any information security management system for incident handling;
c) potential risk due to incidents;
d) the goals of the business.
An organization using this part of ISO/IEC 27035 should therefore adopt its guidance in a manner that
is relevant to the scale and characteristics of its business.
5 Phases
5.1 Overview
To achieve the objectives outlined in 4.2, information security incident management consists of the
following five distinct phases:
— Plan and Prepare (see 5.2);
— Detection and Reporting (see 5.3);
— Assessment and Decision (see 5.4);
— Responses (see 5.5);
— Lessons Learnt (see 5.6).
A high-level view of these phases is shown in Figure 3.
Some activities can occur in multiple phases or throughout the incident handling process. Such activities
include the following:
— documentation of event and incident evidence and key information, response actions taken, and
follow-up actions done as part of the incident handling process;
— coordination and communication between the involved parties;
— notification of significant incidents to management and other stakeholders;
— information sharing between stakeholders and internal and external collaborators such as vendors
and other IRTs.
Figure 3 — Information security incident management phases
As noted in the Introduction, ISO/IEC 27035 is in two parts.
— ISO/IEC 27035-1 covers all five phases.
— ISO/IEC 27035-2 covers
— Plan and Prepare, and
— Lessons Learnt.
Figure 4 shows the flow of information security events and incidents through information security
incident management phases and related activities.
Figure 4 — Information security event and incident flow diagram
5.2 Plan and Prepare
Effective information security incident management requires appropriate planning and preparation.
For an efficient and effective information security incident management plan to be put into operation,
an organization should complete a number of preparatory activities, namely:
a) formulate and produce an information security incident management policy and gain top
management commitment to that policy;
b) update information security policies, including those related to risk management, at a corporate
level and specific system, service and network levels;
c) define and document a detailed information security incident management plan, including topics
covering communications and information disclosure;
d) establish the IRT, with an appropriate training program designed, developed, and provided to its
personnel;
e) establish and preserve appropriate relationships and connections with internal and external
organizations that are directly involved in information security event, incident and vulnerability
management;
f) establish, implement and operate technical, organizational and operational mechanisms to support
the information security incident management plan and the work of the IRT. Develop and deploy
necessary information systems to support the IRT, including an information security database.
These mechanisms and systems are intended to prevent information security incident occurrences
or reduce the likelihood of occurrences of information security incidents;
g) design and develop an awareness and training program for information security event, incident
and vulnerability management;
h) test the use of the information security incident management plan, its processes and procedures.
With this phase completed, organizations should be fully prepared to properly manage information
security incidents. ISO/IEC 27035-2 describes each of the activities listed above, including the contents
of policy and planning documents.
5.3 Detection and Reporting
The second phase of information security incident management involves the detection of, collection
of information associated with, and reporting on occurrences of information security events and the
existence of information security vulnerabilities by manual or automatic means. In this phase, events
and vulnerabilities might not yet be classified as information security incidents.
The reporting of security events in line with the organization’s reporting policies enables later analysis
if required.
For the Detection and Reporting phase, an organization should undertake the following key activities:
a) monitor and log system and network activity of constituency or parent organizations as
appropriate;
b) detect and report the occurrence of an information security event or the existence of an information
security vulnerability, whether manually by personnel or automatically;
c) collect information on an information security event or vulnerability;
d) collect situational awareness
...