Purpose of Control 5.27
Control 5.27 establishes incident management as an organic, ongoing process where information learned from information security events and incidents is used to inform actions on subsequent incidents – whether the feedback is technical in nature, or relating to one or more internal processes, procedures or controls.
The overarching goal of Control 5.27 is to use any information obtained to minimise the likelihood of recurring incidents, and/or mitigate the internal and external consequences should they reoccur.
Attributes Table
5.27 is a corrective control that maintains risk by creating procedures which categorise and learn from previous incidents, and reduce the “likelihood or consequences” of future incidents.
| Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
|---|---|---|---|---|
| #Preventive | #Confidentiality | #Identify | #Information Security Event Management | #Defence |
| #Integrity | #Protect | |||
| #Availability |
Ownership of Control 5.27
Given that Control 5.27 concerns itself with the modification of existing processes, ownership should reside with the member of the senior management team whose remit includes oversight of all incident management-related activities.
ISO 27001 made easy
An 81% Headstart from day one
We’ve done the hard work for you, giving you an 81% Headstart from the moment you log on. All you have to do is fill in the blanks.
General Guidance on Control 5.27
Control 5.27 stipulates that organisations should create incident management procedures that categorise and monitor three main elements of information security incidents, across their entire operation:
- Type
- Volume
- Cost
Information security incidents should be thoroughly analysed following closure, to create procedures that:
- Improve the organisation’s overarching incident management framework, including projected scenarios and their associated procedural variations (see Control 5.24).
- Enhance the organisation’s information security risk assessment processes and procedures, including the addition of controls that improve resilience across all incident categories.
- Bolster user awareness by providing real world examples of past incidents, how best to respond to them, how to avoid them and what the consequences are when matters get out of hand.
Supporting Controls
- 5.24
Changes and Differences from ISO 27002:2013
27002:2022-5.27 replaces 27002:2013-16.1.6 (Learning from information security incidents), and adheres to much the same approach as its predecessor.
27002:2022-5.27 contains similar guidance on the need to record information pertaining to the type, volume and cost of information security incidents, but doesn’t single out improving so-called “high impact” incidents as the end goal of the control, as is the case in 27002:2013-16.1.6. Instead, 27002:2022-5.27 concerns itself with all levels of information security incidents.
Manage all your compliance, all in one place
ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.
New ISO 27002 Controls
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 5.7 | NEW | Threat intelligence |
| 5.23 | NEW | Information security for use of cloud services |
| 5.30 | NEW | ICT readiness for business continuity |
| 7.4 | NEW | Physical security monitoring |
| 8.9 | NEW | Configuration management |
| 8.10 | NEW | Information deletion |
| 8.11 | NEW | Data masking |
| 8.12 | NEW | Data leakage prevention |
| 8.16 | NEW | Monitoring activities |
| 8.23 | NEW | Web filtering |
| 8.28 | NEW | Secure coding |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 6.1 | 07.1.1 | Screening |
| 6.2 | 07.1.2 | Terms and conditions of employment |
| 6.3 | 07.2.2 | Information security awareness, education and training |
| 6.4 | 07.2.3 | Disciplinary process |
| 6.5 | 07.3.1 | Responsibilities after termination or change of employment |
| 6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
| 6.7 | 06.2.2 | Remote working |
| 6.8 | 16.1.2, 16.1.3 | Information security event reporting |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 7.1 | 11.1.1 | Physical security perimeters |
| 7.2 | 11.1.2, 11.1.6 | Physical entry |
| 7.3 | 11.1.3 | Securing offices, rooms and facilities |
| 7.4 | NEW | Physical security monitoring |
| 7.5 | 11.1.4 | Protecting against physical and environmental threats |
| 7.6 | 11.1.5 | Working in secure areas |
| 7.7 | 11.2.9 | Clear desk and clear screen |
| 7.8 | 11.2.1 | Equipment siting and protection |
| 7.9 | 11.2.6 | Security of assets off-premises |
| 7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
| 7.11 | 11.2.2 | Supporting utilities |
| 7.12 | 11.2.3 | Cabling security |
| 7.13 | 11.2.4 | Equipment maintenance |
| 7.14 | 11.2.7 | Secure disposal or re-use of equipment |
How ISMS.online Helps
Our world-class information security management system software platform makes it super easy to understand what needs to be done and how to do it.
We take the pain out of managing your compliance requirements.
With ISMS.online, ISO 27002 implementation is simpler with our step-by-step checklist that guides you through the whole process, from defining the scope of your ISMS through risk identification and control implementation.
Get in touch today to book a demo.
