- See ISO 27002:2022 Control 5.24 for more information.
- See ISO 27001:2013 Annex A 16.1.1 for more information.
What Is the Objective of ISO 27001:2022 Annex A 5.24?
The objective of ISO 27001:2022 Annex A 5.24 is to ensure a consistent and practical approach to managing information security incidents, events, and weaknesses.
Defining how management establishes responsibilities and procedures for addressing weaknesses, events, and security incidents is the definition of suitable control.
The term incident refers to a situation where a loss of confidentiality, integrity, or availability has occurred.
In order to plan an incident response, event response or weakness response, your leadership must define those procedures in advance of an incident occurring. Those procedures are easy to develop since the remainder of this Annex A control spells them out. You must demonstrate that these formal, documented procedures work with your auditor.
ISO 27001 made easy
An 81% Headstart from day one
We’ve done the hard work for you, giving you an 81% Headstart from the moment you log on. All you have to do is fill in the blanks.
What Is The Purpose of Annex A 5.24?
An incident management approach to information security can be seen in Annex A Control 5.24.
This control describes how organisations should deal with incidents related to information security by creating efficient processes, planning adequately, and defining clearly defined roles and responsibilities.
It emphasises constructive communication and professional responses to high-pressure scenarios, especially when dealing with commercially sensitive personal information.
Its purpose is to minimise any commercial or operational damage caused by critical information security events by establishing a standard set of incident management procedures.
Ownership of ISO 27001:2022 Annex A 5.24
In a broader sense, an incident management strategy is typically used to manage service-related incidents. Control 5.24 in Annex A deals specifically with incidents and breaches related to information security.
Due to the sensitive nature of these events, CISOs or equivalents of an organisation should take ownership of Control 5.24.
Since CISOs are usually employed by large companies, ownership could also be held by the COO or Service Manager according to the nature of the organisation.
Free yourself from a mountain of spreadsheets
Embed, expand and scale your compliance, without the mess. IO gives you the resilience and confidence to grow securely.
Guidance on Roles and Responsibilities
To achieve the most effective results in incident management, an organisation’s staff must work together to solve specific problems.
Annex A Control 5.24 specifies 5 main guidelines on how organisations can make their information management operations more efficient and cohesive.
It is critical for organisations to:
- Develop and document a homogeneous method for reporting security events. This should also include establishing a single point of contact for all such events.
- Implement Incident Management processes for handling information security-related incidents across various technical and administrative areas:
- Administration
- Documentation
- Detection
- Triage
- Prioritisation
- Analysis
- Communication
Create an incident response procedure so that incidents can be assessed and responded to by the organisation. A company should also consider the need to learn from incidents once they have been resolved. This prevents recurrences and provides staff with historical context for future scenarios.
Make sure that only trained and competent personnel are involved in incidents. In addition, make sure that they have full access to procedure documentation and are provided with regular refresher training that is directly related to information security incidents.
Identify staff members’ training needs in resolving information security-related incidents by establishing a process. Staff should be allowed to highlight professional development needs related to information security and vendor-specific certifications.
Guidance on Management of Incidents
An organisation should manage information security incidents to ensure that all people involved in resolving them understand three major areas:
- An incident’s resolution time.
- Possible repercussions.
- Incident severity.
All processes must work together harmoniously to maintain these three variables as top priorities:
- In Annex A Control 5.24, eight main activities must be addressed when resolving information security-related incidents.
- Event potential must be evaluated based on strict criteria that validate it as an approved security incident.
- Events and incidents relating to information security should be managed as follows, either manually or via process automation:
- Monitoring (see Annex A Controls 8.15 and 8.16).
- Detection (see Annex A Control 88.16).
- Classification (see Annex A Control 5.25).
- Analysis.
- Reporting (see Annex A Control 6.8).
A successful conclusion to an information security incident should include the following procedures:
- Depending on the incident type, response and escalation (see Annex A Control 5.26) are required.
- Case-by-case activation of crisis management or business continuity plans.
- Recovery from an incident in a manner that minimises any operational or financial damage.
- Communication with all internal and external parties regarding incident-related events.
- The ability to work collaboratively with internal and external personnel (see Annex A Control 5.5 and 5.6).
- All incident management activities should be logged, easily accessible, and transparent.
Compliance with external and internal guidelines and regulations regarding the handling of evidence (including data and conversations) (see Annex A Control 5.28).
A thorough investigation and root cause analysis will be conducted once the incident has been resolved.
A comprehensive description of any improvements needed to prevent the incident from recurring, including any changes to the incident management process.
Manage all your compliance, all in one place
ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.
Guidance on Reporting Guidelines
An Incident Management policy should focus on reporting activities to ensure information is disseminated accurately throughout the organisation. Reporting activities should concentrate on four main areas:
- An information security event requires specific actions to be taken.
- Using incident forms, personnel can record information clearly and concisely.
- Inform personnel of the outcome of information security incidents once they have been resolved through feedback processes.
- All relevant information about an incident is documented in incident reports.
Annex A Control 5.24 needs guidance on how to comply with external reporting requirements (e.g. regulatory guidelines and prevailing legislation). Despite this, organisations should coordinate a response that meets all legal, regulatory, and sector-specific requirements by sharing information about incidents with all relevant parties.
Accompanying Annex A Controls
- ISO 27001:2022 Annex A 5.25
- ISO 27001:2022 Annex A 5.26
- ISO 27001:2022 Annex A 5.5
- ISO 27001:2022 Annex A 5.6
- ISO 27001:2022 Annex A 6.8
- ISO 27001:2022 Annex A 8.15
- ISO 27001:2022 Annex A 8.16
What Are the Changes and Differences From ISO 27001:2013?
ISO 27001:2022 Annex A 5.24 replaces ISO 27001:2013 Annex A 16.1.1 (‘Management of Information Security Incidents and Improvements‘).
It is acknowledged in Annex A 5.24 that organisations must undergo thorough preparation to be resilient and compliant when faced with information security incidents.
In this regard, 27001:2022 A.5.24 provides a comprehensive breakdown of the steps an organisation must take across role delegation, incident management, and reporting functions, as well as references to other ISO controls that help organisations gain a more comprehensive view of incident management as a whole, not merely relating to information security incidents.
There are three distinct areas to consider when compartmentalising incident management operations in ISO 27001:2022 Annex A 5.24 as opposed to ISO 27001:2013 Annex A 16.1.1:
- Responsibilities and roles.
- Processes for managing incidents.
- The reporting process.
Table of All ISO 27001:2022 Annex A Controls
In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Organisational Controls | Annex A 5.1 |
Annex A 5.1.1 Annex A 5.1.2 |
Policies for Information Security |
| Organisational Controls | Annex A 5.2 | Annex A 6.1.1 | Information Security Roles and Responsibilities |
| Organisational Controls | Annex A 5.3 | Annex A 6.1.2 | Segregation of Duties |
| Organisational Controls | Annex A 5.4 | Annex A 7.2.1 | Management Responsibilities |
| Organisational Controls | Annex A 5.5 | Annex A 6.1.3 | Contact With Authorities |
| Organisational Controls | Annex A 5.6 | Annex A 6.1.4 | Contact With Special Interest Groups |
| Organisational Controls | Annex A 5.7 | NEW | Threat Intelligence |
| Organisational Controls | Annex A 5.8 |
Annex A 6.1.5 Annex A 14.1.1 |
Information Security in Project Management |
| Organisational Controls | Annex A 5.9 |
Annex A 8.1.1 Annex A 8.1.2 |
Inventory of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.10 |
Annex A 8.1.3 Annex A 8.2.3 |
Acceptable Use of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.11 | Annex A 8.1.4 | Return of Assets |
| Organisational Controls | Annex A 5.12 | Annex A 8.2.1 | Classification of Information |
| Organisational Controls | Annex A 5.13 | Annex A 8.2.2 | Labelling of Information |
| Organisational Controls | Annex A 5.14 |
Annex A 13.2.1 Annex A 13.2.2 Annex A 13.2.3 |
Information Transfer |
| Organisational Controls | Annex A 5.15 |
Annex A 9.1.1 Annex A 9.1.2 |
Access Control |
| Organisational Controls | Annex A 5.16 | Annex A 9.2.1 | Identity Management |
| Organisational Controls | Annex A 5.17 |
Annex A 9.2.4 Annex A 9.3.1 Annex A 9.4.3 |
Authentication Information |
| Organisational Controls | Annex A 5.18 |
Annex A 9.2.2 Annex A 9.2.5 Annex A 9.2.6 |
Access Rights |
| Organisational Controls | Annex A 5.19 | Annex A 15.1.1 | Information Security in Supplier Relationships |
| Organisational Controls | Annex A 5.20 | Annex A 15.1.2 | Addressing Information Security Within Supplier Agreements |
| Organisational Controls | Annex A 5.21 | Annex A 15.1.3 | Managing Information Security in the ICT Supply Chain |
| Organisational Controls | Annex A 5.22 |
Annex A 15.2.1 Annex A 15.2.2 |
Monitoring, Review and Change Management of Supplier Services |
| Organisational Controls | Annex A 5.23 | NEW | Information Security for Use of Cloud Services |
| Organisational Controls | Annex A 5.24 | Annex A 16.1.1 | Information Security Incident Management Planning and Preparation |
| Organisational Controls | Annex A 5.25 | Annex A 16.1.4 | Assessment and Decision on Information Security Events |
| Organisational Controls | Annex A 5.26 | Annex A 16.1.5 | Response to Information Security Incidents |
| Organisational Controls | Annex A 5.27 | Annex A 16.1.6 | Learning From Information Security Incidents |
| Organisational Controls | Annex A 5.28 | Annex A 16.1.7 | Collection of Evidence |
| Organisational Controls | Annex A 5.29 |
Annex A 17.1.1 Annex A 17.1.2 Annex A 17.1.3 |
Information Security During Disruption |
| Organisational Controls | Annex A 5.30 | NEW | ICT Readiness for Business Continuity |
| Organisational Controls | Annex A 5.31 |
Annex A 18.1.1 Annex A 18.1.5 |
Legal, Statutory, Regulatory and Contractual Requirements |
| Organisational Controls | Annex A 5.32 | Annex A 18.1.2 | Intellectual Property Rights |
| Organisational Controls | Annex A 5.33 | Annex A 18.1.3 | Protection of Records |
| Organisational Controls | Annex A 5.34 | Annex A 18.1.4 | Privacy and Protection of PII |
| Organisational Controls | Annex A 5.35 | Annex A 18.2.1 | Independent Review of Information Security |
| Organisational Controls | Annex A 5.36 |
Annex A 18.2.2 Annex A 18.2.3 |
Compliance With Policies, Rules and Standards for Information Security |
| Organisational Controls | Annex A 5.37 | Annex A 12.1.1 | Documented Operating Procedures |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| People Controls | Annex A 6.1 | Annex A 7.1.1 | Screening |
| People Controls | Annex A 6.2 | Annex A 7.1.2 | Terms and Conditions of Employment |
| People Controls | Annex A 6.3 | Annex A 7.2.2 | Information Security Awareness, Education and Training |
| People Controls | Annex A 6.4 | Annex A 7.2.3 | Disciplinary Process |
| People Controls | Annex A 6.5 | Annex A 7.3.1 | Responsibilities After Termination or Change of Employment |
| People Controls | Annex A 6.6 | Annex A 13.2.4 | Confidentiality or Non-Disclosure Agreements |
| People Controls | Annex A 6.7 | Annex A 6.2.2 | Remote Working |
| People Controls | Annex A 6.8 |
Annex A 16.1.2 Annex A 16.1.3 |
Information Security Event Reporting |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Physical Controls | Annex A 7.1 | Annex A 11.1.1 | Physical Security Perimeters |
| Physical Controls | Annex A 7.2 |
Annex A 11.1.2 Annex A 11.1.6 |
Physical Entry |
| Physical Controls | Annex A 7.3 | Annex A 11.1.3 | Securing Offices, Rooms and Facilities |
| Physical Controls | Annex A 7.4 | NEW | Physical Security Monitoring |
| Physical Controls | Annex A 7.5 | Annex A 11.1.4 | Protecting Against Physical and Environmental Threats |
| Physical Controls | Annex A 7.6 | Annex A 11.1.5 | Working In Secure Areas |
| Physical Controls | Annex A 7.7 | Annex A 11.2.9 | Clear Desk and Clear Screen |
| Physical Controls | Annex A 7.8 | Annex A 11.2.1 | Equipment Siting and Protection |
| Physical Controls | Annex A 7.9 | Annex A 11.2.6 | Security of Assets Off-Premises |
| Physical Controls | Annex A 7.10 |
Annex A 8.3.1 Annex A 8.3.2 Annex A 8.3.3 Annex A 11.2.5 |
Storage Media |
| Physical Controls | Annex A 7.11 | Annex A 11.2.2 | Supporting Utilities |
| Physical Controls | Annex A 7.12 | Annex A 11.2.3 | Cabling Security |
| Physical Controls | Annex A 7.13 | Annex A 11.2.4 | Equipment Maintenance |
| Physical Controls | Annex A 7.14 | Annex A 11.2.7 | Secure Disposal or Re-Use of Equipment |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Technological Controls | Annex A 8.1 |
Annex A 6.2.1 Annex A 11.2.8 |
User Endpoint Devices |
| Technological Controls | Annex A 8.2 | Annex A 9.2.3 | Privileged Access Rights |
| Technological Controls | Annex A 8.3 | Annex A 9.4.1 | Information Access Restriction |
| Technological Controls | Annex A 8.4 | Annex A 9.4.5 | Access to Source Code |
| Technological Controls | Annex A 8.5 | Annex A 9.4.2 | Secure Authentication |
| Technological Controls | Annex A 8.6 | Annex A 12.1.3 | Capacity Management |
| Technological Controls | Annex A 8.7 | Annex A 12.2.1 | Protection Against Malware |
| Technological Controls | Annex A 8.8 |
Annex A 12.6.1 Annex A 18.2.3 |
Management of Technical Vulnerabilities |
| Technological Controls | Annex A 8.9 | NEW | Configuration Management |
| Technological Controls | Annex A 8.10 | NEW | Information Deletion |
| Technological Controls | Annex A 8.11 | NEW | Data Masking |
| Technological Controls | Annex A 8.12 | NEW | Data Leakage Prevention |
| Technological Controls | Annex A 8.13 | Annex A 12.3.1 | Information Backup |
| Technological Controls | Annex A 8.14 | Annex A 17.2.1 | Redundancy of Information Processing Facilities |
| Technological Controls | Annex A 8.15 |
Annex A 12.4.1 Annex A 12.4.2 Annex A 12.4.3 |
Logging |
| Technological Controls | Annex A 8.16 | NEW | Monitoring Activities |
| Technological Controls | Annex A 8.17 | Annex A 12.4.4 | Clock Synchronization |
| Technological Controls | Annex A 8.18 | Annex A 9.4.4 | Use of Privileged Utility ProgramsAccess Rights |
| Technological Controls | Annex A 8.19 |
Annex A 12.5.1 Annex A 12.6.2 |
Installation of Software on Operational Systems |
| Technological Controls | Annex A 8.20 | Annex A 13.1.1 | Networks Security |
| Technological Controls | Annex A 8.21 | Annex A 13.1.2 | Security of Network Services |
| Technological Controls | Annex A 8.22 | Annex A 13.1.3 | Segregation of Networks |
| Technological Controls | Annex A 8.23 | NEW | Web filtering |
| Technological Controls | Annex A 8.24 |
Annex A 10.1.1 Annex A 10.1.2 |
Use of Cryptography |
| Technological Controls | Annex A 8.25 | Annex A 14.2.1 | Secure Development Life Cycle |
| Technological Controls | Annex A 8.26 |
Annex A 14.1.2 Annex A 14.1.3 |
Application Security Requirements |
| Technological Controls | Annex A 8.27 | Annex A 14.2.5 | Secure System Architecture and Engineering PrinciplesLearning From Information Security Incidents |
| Technological Controls | Annex A 8.28 | NEW | Secure Coding |
| Technological Controls | Annex A 8.29 |
Annex A 14.2.8 Annex A 14.2.9 |
Security Testing in Development and Acceptance |
| Technological Controls | Annex A 8.30 | Annex A 14.2.7 | Outsourced Development |
| Technological Controls | Annex A 8.31 |
Annex A 12.1.4 Annex A 14.2.6 |
Separation of Development, Test and Production Environments |
| Technological Controls | Annex A 8.32 |
Annex A 12.1.2 Annex A 14.2.2 Annex A 14.2.3 Annex A 14.2.4 |
Change Management |
| Technological Controls | Annex A 8.33 | Annex A 14.3.1 | Test Information |
| Technological Controls | Annex A 8.34 | Annex A 12.7.1 | Protection of Information Systems During Audit Testing |
[case_study_slider ids=”88859,101932,92016″ autoplay=”true” autoplay_speed=”5000″]
Information Security Incident Management: How Does ISMS.online Help?
ISMS.online provides an integrated policy for addressing 16.1.1 – 16.1.7 throughout the life cycle and built-in tools that you can use to demonstrate this. Security incident management is a simple, effortless process with ISMS.online’s Security Incident Management Tool. A comprehensive incident management plan guides an incident through all key stages, ensuring the standard is being met in a pragmatic but compliant manner.
With ISMS.online, you can quickly adapt it as required. The prebuilt statistics and reporting insights help make management reviews much more straightforward and save time, as they tie together elegantly with related parts of the ISMS. Would you like to link a specific incident to an improvement, a risk, an audit, or an information asset and the policies you need to consider?
A headline of the Security Incident Track is shown below, which helps surface all the work being done. That’s easy and avoids duplication of work as well. To ensure you are focusing on the most important things first, you can filter them and manage resources, categories, and incident types.
ISMS.online Allows You To:
- Implement an ISMS that complies with ISO 27001 requirements.
- Demonstrate compliance with the standard’s requirements by performing tasks and submitting proof.
- Ensure compliance with the law by allocating tasks and tracking progress.
- Ensure compliance with the help of a dedicated team of advisors.
Get in touch with us today to schedule a demo.
