ISO 27002:2022, Control 5.27 – Learning From Information Security Incidents

ISO 27002:2022 Revised Controls

Book a demo

team,job,succes.,photo,young,business,managers,working,with,new

Purpose of Control 5.27

Control 5.27 establishes incident management as an organic, ongoing process where information learned from information security events and incidents is used to inform actions on subsequent incidents – whether the feedback is technical in nature, or relating to one or more internal processes, procedures or controls.

The overarching goal of Control 5.27 is to use any information obtained to minimise the likelihood of recurring incidents, and/or mitigate the internal and external consequences should they reoccur.

Attributes Table

5.27 is a corrective control that maintains risk by creating procedures which categorise and learn from previous incidents, and reduce the “likelihood or consequences” of future incidents.

Control TypeInformation Security PropertiesCybersecurity ConceptsOperational CapabilitiesSecurity Domains
#Preventive#Confidentiality
#Integrity
#Availability
#Identify
#Protect
#Information Security Event Management#Defence

Ownership of Control 5.27

Given that Control 5.27 concerns itself with the modification of existing processes, ownership should reside with the member of the senior management team whose remit includes oversight of all incident management-related activities.

Get a Headstart on ISO 27001
  • All updated with the 2022 control set
  • Make 81% progress from the minute you log in
  • Simple and easy to use
Book your demo
img

General Guidance on Control 5.27

Control 5.27 stipulates that organisations should create incident management procedures that categorise and monitor three main elements of information security incidents, across their entire operation:

  • type
  • volume
  • cost

Information security incidents should be thoroughly analysed following closure, to create procedures that:

  1. Improve the organisation’s overarching incident management framework, including projected scenarios and their associated procedural variations (see Control 5.24).
  2. Enhance the organisation’s information security risk assessment processes and procedures, including the addition of controls that improve resilience across all incident categories.
  3. Bolster user awareness by providing real world examples of past incidents, how best to respond to them, how to avoid them and what the consequences are when matters get out of hand.

Supporting controls:

  • 5.24

Changes and Differences from ISO 27002:2013

27002:2022-5.27 replaces 27002:2013-16.1.6 (Learning from information security incidents), and adheres to much the same approach as its predecessor.

27002:2022-5.27 contains similar guidance on the need to record information pertaining to the type, volume and cost of information security incidents, but doesn’t single out improving so-called “high impact” incidents as the end goal of the control, as is the case in 27002:2013-16.1.6. Instead, 27002:2022-5.27 concerns itself with all levels of information security incidents.

How ISMS.online Helps

Our world-class information security management system software platform makes it super easy to understand what needs to be done and how to do it.

We take the pain out of managing your compliance requirements.

With ISMS.online, ISO 27002 implementation is simpler with our step-by-step checklist that guides you through the whole process, from defining the scope of your ISMS through risk identification and control implementation.

Get in touch today to book a demo.

Get a Headstart
on ISO 27002

The only compliance
solution you need
Book your demo

New Controls

Organisational Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
5.105.1.1, 05.1.2Policies for information security
5.206.1.1Information security roles and responsibilities
5.306.1.2Segregation of duties
5.407.2.1Management responsibilities
5.506.1.3Contact with authorities
5.606.1.4Contact with special interest groups
5.7NewThreat intelligence
5.806.1.5, 14.1.1Information security in project management
5.908.1.1, 08.1.2Inventory of information and other associated assets
5.1008.1.3, 08.2.3Acceptable use of information and other associated assets
5.1108.1.4Return of assets
5.12 08.2.1Classification of information
5.1308.2.2Labelling of information
5.1413.2.1, 13.2.2, 13.2.3Information transfer
5.1509.1.1, 09.1.2Access control
5.1609.2.1Identity management
5.17 09.2.4, 09.3.1, 09.4.3Authentication information
5.1809.2.2, 09.2.5, 09.2.6Access rights
5.1915.1.1Information security in supplier relationships
5.2015.1.2Addressing information security within supplier agreements
5.2115.1.3Managing information security in the ICT supply chain
5.2215.2.1, 15.2.2Monitoring, review and change management of supplier services
5.23NewInformation security for use of cloud services
5.2416.1.1Information security incident management planning and preparation
5.2516.1.4Assessment and decision on information security events
5.2616.1.5Response to information security incidents
5.2716.1.6Learning from information security incidents
5.2816.1.7Collection of evidence
5.2917.1.1, 17.1.2, 17.1.3Information security during disruption
5.30NewICT readiness for business continuity
5.3118.1.1, 18.1.5Legal, statutory, regulatory and contractual requirements
5.3218.1.2Intellectual property rights
5.3318.1.3Protection of records
5.3418.1.4Privacy and protection of PII
5.3518.2.1Independent review of information security
5.3618.2.2, 18.2.3Compliance with policies, rules and standards for information security
5.3712.1.1Documented operating procedures

People Controls

Physical Controls

Updated for ISO 27001 2022
  • 81% of the work done for you
  • Assured Results Method for certification success
  • Save time, money and hassle
Book your demo
img

ISMS.online now supports ISO 42001 - the world's first AI Management System. Click to find out more