Do we really walk the talk of information security incident management standards?


Information security incident management: Current practice as reported in the literature

Information security incidents are inescapable for most organizations. Anticipating this eventuality, organizations can plan for an effective response to information security incidents. Several tools exist to support this effort, including the recommendations of the International Standards Organization (ISO) for information security incident management (ISO/IEC 27035). The ISO recommendations organize activity into five phases: planning and preparation; detection and reporting; assessment and decision; responding; and learning.

Tøndel et al. conducted a systematic review of the published literature on real-world experiences of information security incident management. They searched for all relevant articles and selected the highest-quality studies; based on their criteria, they identified 15 studies published after 2005. Each article recounts the circumstances of an information security incident and the subsequent incident management in a different organization. The sample covers a variety of organization types and a range of research methods. The incident management experiences presented as good practice in these studies are compared with the ISO recommendations, to suggest where actual practice aligns with, or diverges from, the ideal case.

A summary of the learning related to each phase of the ISO framework is presented (e.g. what is learned about the planning and preparation phase in particular), along with a synthesis of the strengths and challenges of information security incident management as a whole.

| ISO Phase | Examples of identified practices | Examples of practices more difficult to implement |
|---|---|---|
| Planning and Preparation | Defining security incidents and the process for response. | Promoting awareness about information security. |
| Detection and Reporting | Providing automatic tools and manual reporting for detection. | Documenting all incidents. |
| Assessment and Decision | Confirming and classifying all incidents. | Exercising caution in outsourcing situations. |
| Responding | Automating and prioritizing responses. | None identified. |
| Learning | None identified. | Evaluating each incident and disseminating information. |

Instructive examples of some key principles are identified, such as simple plans for incident management, automated processing of common and low-risk incidents, and tracking of and notification about incidents. For components of incident management that remain unclear or appear to be untested, additional tools or guidelines could support tasks such as classifying incidents, securing senior management commitment, involving all employees across an organization, and clarifying responsibility in outsourcing arrangements.

The ISO recommendations on information security incident management are largely feasible. Some challenges to implementing incident management can be anticipated, and even moderated or resolved, in the design and roll-out of incident management plans. Further, some of the highlighted examples might inspire action or inform specific practical steps in planning and response. There are gaps in the real-world practice of information security incident management that could be closed with attention to planning and implementation.

Industry can follow the security standards, but the standards aren't enough to keep industry secure.