Purpose of Control 5.25
Control 5.25 deals with an organisation’s ability to assess information security events and further categorise them as information security incidents, to be prioritised and dealt with as such by all relevant processes and personnel.
Attributes Table of Control 5.25
5.25 is a detective control that maintains risk by ensuring that information security events are correctly categorised and prioritised as information security incidents, based on event-specific variables.
| Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
|---|---|---|---|---|
| #Detective | #Confidentiality | #Detect | #Information Security Event Management | #Defence |
| #Integrity | #Respond | |||
| #Availability |
Ownership of Control 5.25
Incident Management, in broader terms, is usually applicable to service-related incidents. Given that Control 5.25 deals specifically with information security-related incidents and breaches, taking into account the highly sensitive nature of these events, ownership of Control 5.25 should ideally reside with a CISO, or organisational equivalent.
Given that CISOs are usually only seen within larger companies and enterprise-level organisations, ownership could also reside with the COO, or Service Manager, depending on the nature of the organisation.
ISO 27001 made easy
An 81% Headstart from day one
We’ve done the hard work for you, giving you an 81% Headstart from the moment you log on. All you have to do is fill in the blanks.
General Guidance on Control 5.25
Instead of listing specific guidance points, Control 5.25 discusses a qualitative approach to information security incident management that provides organisations with a broad operational scope:
- Organisations should collaborate to agree upon a clear categorisation system that escalates information security events to information security incidents, as distinct from one another.
- The categorisation process should include a point of contact who assesses information security events using the categorisation scheme.
- Technical personnel with the relevant skills and tools to analyse and resolve information security incidents should be involved in the assessment process.
- All parties should collaborate to make a decision on whether or not an event warrants escalation to an incident.
- Conversations, assessments and categorisations should be recorded to inform an organisation’s decision on future information security events and incidents.
Manage all your compliance, all in one place
ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.
Changes and Differences from ISO 27002:2013
27002:2022-5.25 replaces 27002:2013-16.1.4 (Assessment of and decision on information security events).
27002:2022-5.25 adheres to the same underlying operational principles as 27002:2013-16.1.4, with one small deviations.
27002:2013-16.1.4 refers to an information security incident response team (ISIRT) as being involved in the categorisation and escalation process. 27002:2022-5.25 makes reference to any staff members who are involved in analysing and resolving information security incidents.
In addition, 27002:2022-5.25 draws attention to the adequate categorisation of events, prior to escalation.
New ISO 27002 Controls
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 5.7 | NEW | Threat intelligence |
| 5.23 | NEW | Information security for use of cloud services |
| 5.30 | NEW | ICT readiness for business continuity |
| 7.4 | NEW | Physical security monitoring |
| 8.9 | NEW | Configuration management |
| 8.10 | NEW | Information deletion |
| 8.11 | NEW | Data masking |
| 8.12 | NEW | Data leakage prevention |
| 8.16 | NEW | Monitoring activities |
| 8.23 | NEW | Web filtering |
| 8.28 | NEW | Secure coding |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 6.1 | 07.1.1 | Screening |
| 6.2 | 07.1.2 | Terms and conditions of employment |
| 6.3 | 07.2.2 | Information security awareness, education and training |
| 6.4 | 07.2.3 | Disciplinary process |
| 6.5 | 07.3.1 | Responsibilities after termination or change of employment |
| 6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
| 6.7 | 06.2.2 | Remote working |
| 6.8 | 16.1.2, 16.1.3 | Information security event reporting |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 7.1 | 11.1.1 | Physical security perimeters |
| 7.2 | 11.1.2, 11.1.6 | Physical entry |
| 7.3 | 11.1.3 | Securing offices, rooms and facilities |
| 7.4 | NEW | Physical security monitoring |
| 7.5 | 11.1.4 | Protecting against physical and environmental threats |
| 7.6 | 11.1.5 | Working in secure areas |
| 7.7 | 11.2.9 | Clear desk and clear screen |
| 7.8 | 11.2.1 | Equipment siting and protection |
| 7.9 | 11.2.6 | Security of assets off-premises |
| 7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
| 7.11 | 11.2.2 | Supporting utilities |
| 7.12 | 11.2.3 | Cabling security |
| 7.13 | 11.2.4 | Equipment maintenance |
| 7.14 | 11.2.7 | Secure disposal or re-use of equipment |
How ISMS.online Helps
With ISMS.online, ISO 27002 implementation is simpler with our step-by-step checklist that guides you through the whole process, from defining the scope of your ISMS through risk identification and control implementation.
Get in touch today to book a demo.
