
Security Incident Management according to ISO 27001

I am wondering if anyone out there has implemented or tried to implement security incident management aligned to either ISO 27001 or ISO 27035. I am wondering if you can share your experiences on the following:

1. challenges in adopting the Standard definitions and applying real-life examples
2. the dilemma of possibly seeing almost all events or incidents as security incidents, and what you did to overcome it
3. did you standardise and refine your infosec incident management by spelling out what incidents you will be targeting and what you won't?
(1 rating)

Comments

RE: Security Incident Management according to ISO 27001

Usually it is spelled out in the Information Security Incident Management Policy. There you should specify what constitutes a security incident and who is responsible for contact. Users should supply incident information to the IT help desk.
-adnan- (Observer) at 5/25/2015 9:31:40 AM
(2 ratings)

RE: Security Incident Management according to ISO 27001

Trying to establish and implement one now. Looking at the content to be involved, I am not sure whether to have it as an Incident Management Policy mandating the need for an incident management procedure. The content of the policy and procedure is likely to be the same. Is it proper to just come up with the procedure (step-by-step management of incidents) without the policy (giving directive statements mandating it)? The procedure will also include monitoring (audit logs and helpdesk activities).
Helly263 (Energizer) at 11/11/2015 6:07:28 AM
(Unrated)

RE: Security Incident Management according to ISO 27001 [also NIST?]

@-adnan-, I agree on the Info Sec Incident Mgmt Policy, as in your answer to @Terry421. @Helly263, I would refer you to NIST sec 2.3, Policy, Plan, and Procedure Creation (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf). There are different stakeholders involved in the governance and management of information security, so the policy, guidelines, prioritization etc. are a combined effort from governance, risk management, and IT management. From there the plan is created with high accountability and involvement by IT and others, since incident response has many players (internal and external), from procedural to regulatory. The procedures again come last and cover everything from IT in monitoring and prevention, to detection, analysis and resolution; here again, there are many procedures depending on the area responsible for the activities. Take a read of the NIST publication, which may align with the ISO.
Yolanda Baker (Social) at 11/12/2015 9:58:47 AM
(Unrated)

RE: Security Incident Management according to ISO 27001

I've found that ISO/IEC 27001 provides the basis for a good security incident management process.

A previous contributor to this thread mentioned the IT Help Desk, and this is a notable aspect to bear in mind: the crossover between the regular service incident management process and the security incident management process.

It's important that during the course of a regular service incident, if it comes to light that a security incident is present, then security incident management must be invoked. Similarly, a security incident can result in loss of service etc., giving rise to a regular service incident, so the normal service incident management process would also be invoked.

Something to be careful of is where information is recorded. A security incident by its nature may result in forensic investigations, invoking of HR processes and even legal implications, and as such all security incidents should be treated as confidential and their details recorded separately and securely from service incidents. Any information stored in a regular service incident ticket should be minimal.

ITIL, ISO/IEC 20000 and COBIT provide good bases for service incident management and your policies and procedures can call out the lines of demarcation and touch points between normal incident management and security incident management.
Phil Green (Influential) at 12/23/2015 4:16:15 AM
(Unrated)
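The two points above, a policy definition of what constitutes a security incident (-adnan-'s reply) and a hand-off between the service desk ticket and a separately held, confidential security record (Phil Green's reply), can be sketched as a small data model. The following is an added example written for this thread, not code from any of the posters or from ISO 27001/27035; the trigger patterns, category names, ticket ID formats, role name and sample ticket texts are all constructed for illustration and would in practice come from the organisation's own Information Security Incident Management Policy.

```python
"""Added example: service-desk ticket vs. confidential security incident record.

Constructed for illustration; the patterns below stand in for whatever the
organisation's policy says constitutes a security incident.
"""
from dataclasses import dataclass
from typing import Dict, Optional
import re

# Constructed policy definition: event wording that the policy treats as a
# security incident, grouped by category. Not taken from any standard.
SECURITY_TRIGGERS = {
    "malware": re.compile(r"\b(malware|ransom\w*|virus|trojan)\b", re.I),
    "unauthorised_access": re.compile(r"\b(unauthori[sz]ed|brute.?force|compromised)\b", re.I),
    "data_loss": re.compile(r"\b(data (?:leak|loss)|exfiltrat\w*)\b", re.I),
}

# What the widely visible service ticket says once security is involved.
GENERIC_SUMMARY = "Security-related issue under investigation (see security reference)"


@dataclass
class ServiceTicket:
    """Regular service incident record, visible to the help desk."""
    ticket_id: str
    summary: str
    security_ref: Optional[str] = None  # pointer only; details are held elsewhere


@dataclass
class SecurityIncident:
    """Confidential security incident record kept in a separate store."""
    incident_id: str
    category: str
    service_ticket_id: str
    details: str


class IncidentRegistry:
    def __init__(self) -> None:
        self.service_tickets: Dict[str, ServiceTicket] = {}
        self._security_store: Dict[str, SecurityIncident] = {}  # restricted access

    def classify(self, text: str) -> Optional[str]:
        """Return the security category the policy assigns to the text, or None."""
        for category, pattern in SECURITY_TRIGGERS.items():
            if pattern.search(text):
                return category
        return None

    @staticmethod
    def _new_id(prefix: str, store: dict) -> str:
        return f"{prefix}-{len(store) + 1:04d}"

    def open_service_ticket(self, summary: str, details: str) -> ServiceTicket:
        """Normal intake: every report starts as a service ticket; if the policy
        definition matches, the security process is invoked immediately."""
        ticket = ServiceTicket(self._new_id("INC", self.service_tickets), summary)
        self.service_tickets[ticket.ticket_id] = ticket
        category = self.classify(summary + " " + details)
        if category:
            self.invoke_security_process(ticket.ticket_id, category, details)
        return ticket

    def invoke_security_process(self, ticket_id: str, category: str, details: str) -> SecurityIncident:
        """Service incident -> security incident. Also used when a security
        incident only comes to light part-way through a regular service incident."""
        ticket = self.service_tickets[ticket_id]
        incident = SecurityIncident(self._new_id("SEC", self._security_store),
                                    category, ticket_id, details)
        self._security_store[incident.incident_id] = incident
        ticket.security_ref = incident.incident_id
        ticket.summary = GENERIC_SUMMARY  # keep the service ticket minimal
        return incident

    def open_service_ticket_for_security_incident(self, incident_id: str, summary: str) -> ServiceTicket:
        """Security incident -> service incident (e.g. resulting loss of service)."""
        incident = self._security_store[incident_id]  # KeyError if unknown
        ticket = ServiceTicket(self._new_id("INC", self.service_tickets), summary,
                               security_ref=incident.incident_id)
        self.service_tickets[ticket.ticket_id] = ticket
        return ticket

    def helpdesk_view(self, ticket_id: str) -> dict:
        """What the help desk sees: never the security details."""
        t = self.service_tickets[ticket_id]
        return {"ticket_id": t.ticket_id, "summary": t.summary, "security_ref": t.security_ref}

    def security_view(self, incident_id: str, role: str) -> SecurityIncident:
        """Confidential record, released only to the (constructed) security_team role."""
        if role != "security_team":
            raise PermissionError("security incident records are confidential")
        return self._security_store[incident_id]
```

The service ticket carries only a reference and a generic summary, so forensic, HR or legal detail never lands in the widely readable ticket queue, while the cross-reference in both directions preserves the touch points between the two processes that the post describes.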

