With the growing reliance on information technology, and with humans in the loop (some deliberately malicious, many simply careless), the number of information security incidents will keep rising. For organizations seeking ISO 27001 certification this is especially significant. The challenge is twofold: reduce the likelihood of incidents occurring, and accept that some will happen anyway and prepare to limit the damage when they do. The most effective way to address the second part is a customized Incident Management Plan (IMP). This is not only common sense: ISO 27001 itself requires incident management controls (Annex A.16 in the 2013 edition; controls 5.24 to 5.28 in the 2022 edition), and sector rules such as PCI DSS and HIPAA impose comparable obligations, so an organization without an IMP is failing both its own risk management and its duties to customers and regulators. In this blog, we will explore the key considerations for developing and implementing an IMP.
Who is responsible for managing incidents?
Let's begin with the definition in ISO/IEC 27000, the vocabulary standard for the ISO 27000 family. It describes an information security incident as a "single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security." Note the two qualifiers: an event becomes an incident only when it is unwanted or unexpected and likely to harm the business. A failed login or a blocked port scan is an event, and most events never become incidents; your plan should make that distinction explicit so that people know when to raise the alarm.
Now, where should you begin when developing an Incident Management Plan (IMP)? You cannot anticipate every scenario, but a framework that sets out who in your organization does what when a disruption occurs is a solid starting point. This structure makes it clear who is accountable for specific actions and decisions during an incident, including who has the authority to declare an incident, to escalate it, and to authorize disruptive containment steps such as taking a system offline.
You need to define "high risk"
During day-to-day operations your information security Incident Management Plan (IMP) will rarely be invoked, unless you encounter exceptional circumstances or face significant vulnerabilities. The focus of your incident planning should therefore be on "high-risk" incidents that could jeopardize business operations. Be aware, however, that "high-risk" is a judgement and varies from one organization to another. To make that judgement repeatable, define it in terms the business already uses: impact on the confidentiality, integrity and availability of named assets, regulatory or contractual exposure (for example, personal or cardholder data), and the number of people or systems affected.
Agree your organization's risk appetite with the relevant decision-makers in advance and write it down; a severity scale argued about for the first time in the middle of an incident is no scale at all. The escalation mechanism must be an integral part of your incident management planning. Many incidents are discovered incidentally, when a staff member reports an apparently trivial event or a change in circumstances; during evaluation that report may be escalated to a more serious category based on its impact and severity. Identification, escalation and prioritization are therefore all critical components of an effective IMP.
IMP Frameworks
When constructing an incident management plan, it is advisable to consider adopting a framework such as:
ISO/IEC 27001 (supported by ISO/IEC 27035, which covers incident management in detail)
Payment Card Industry Data Security Standard (PCI DSS)
National Institute of Standards and Technology (NIST), in particular SP 800-61, the Computer Security Incident Handling Guide
Control Objectives for Information and Related Technologies (COBIT)
U.S. Health Insurance Portability and Accountability Act (HIPAA)
The choice of framework should be based on its relevance and appropriateness to your organization. By utilizing the selected framework, your goal is to develop an incident management plan that:
Is sufficient and suitable for your organization's needs
Clearly defines roles and responsibilities
Outlines escalation procedures
Addresses incident containment measures and the preservation of evidence
Includes a resolution strategy
Emphasizes the importance of learning from incidents
By incorporating these elements, your incident management plan will be well-rounded and enable your organization to effectively respond to and learn from incidents.
Don’t forget the process components
The level of detail in an incident management plan depends on the framework you choose. The criteria above are deliberately adaptable and should be fitted to your organization's requirements; as you build the plan, include process components that satisfy each of them.
Following this approach, you can create a customized incident management plan that sets out processes for "detecting, reporting, assessing, responding to, dealing with, and learning from information security incidents" (the ISO/IEC 27000 definition of incident management). Annex A of ISO/IEC 27001 lists the controls such a process must satisfy and so provides a generic framework for defining it.
In summary, by incorporating the relevant criteria, process components, and utilizing appropriate frameworks, you can develop a tailored incident management plan that suits your organization's needs. This plan will guide your organization in effectively managing and learning from information security incidents.
Practice makes perfect!
To ensure your incident management plan actually works, test it regularly; do not rely on a real high-risk incident to find its gaps, least of all when you are seeking ISO 27001 certification. A plan that is first exercised during a genuine incident will produce delays and confusion exactly when you can least afford them. A proactive approach is needed, and an experienced ISO 27001 consultant can add value here, particularly in designing realistic scenarios.
Develop and simulate scenarios based on your risk assessment and run them as tabletop exercises, so that you can scrutinize and challenge the plan: does the escalation path work, do the named people know their roles, is evidence preserved before systems are rebuilt? Gather feedback from participants and stakeholders, record what went wrong, and treat each finding as an improvement action under the standard's improvement clause (clause 10). This iterative process keeps the plan aligned with the evolving threat landscape, industry practice, and the specific needs of your organization.
Adopting this approach puts your organization in a better state of preparedness and gives your people the skills and experience to handle real incidents. As the adage goes, "Train hard, fight easy." Regular testing and scenario-based exercises build resilience and a genuinely proactive incident response capability.