ISO 27001 - Annex A.16 - information security incident management

What is Annex A 16?

Annex A.16 outlines the requirements for managing information security incidents, and organisations of all types and sizes should familiarise themselves with the best practices for preventing and responding to security incidents. Before we look at these individual requirements, it's important to understand what qualifies as information security incidents, and why incident management is important for your organisation. 

What are information security incidents?

Any action that threatens the security of information technology operations or violates established responsible use policies can be considered as an information security incident. 

These threats may be suspected, successful or attempted, and may cause risk of unauthorised access, release, use, loss, damage, breach or alteration of information. Some examples of such incidents are:

• Unauthorised changes to installed software
• Compromise of physical and environmental security, such as damage of company devices
• Breach of accounts or disclosure of passwords and cryptographic keys

While incidents are unlikely to be reported unless they are serious (capable of causing harm), it is important to develop an airtight incident management program for the following reasons. 

Why is information security incident management important?

Information security incidents are inevitable, and hackers and other malicious parties stand to gain from these incidents. Therefore, incident management is necessary to reduce the impact of incidents and prevent them from reoccurring in the future. 

Effective information security programs consider all facets of an organisation and show you where its weaknesses lie. The requirements of information security incident management fall under 7 key areas which are explored in detail below.

What are the Annex A.16 controls?

Annex A.16 comprises 7 controls focused on information security incident management. These controls outline the requirements for identifying and managing information security weaknesses, events and incidents.

A.16.1 Management of information security incidents, events and weaknesses

The objective of A.16.1 is to ensure your organisation maintains a sound approach to managing and reporting information security incidents, such as breaches, unauthorised disclosure, destruction or loss of information, among others.  

• A.16.1.1 Responsibilities & Procedures
  
  Prompt and effective action must be taken in the event of a security incident. To ensure this, management responsibilities and procedures should be established. When establishing management responsibilities and developing information security procedures, the following actions should be considered:
• Planning and preparing incident response
• Monitoring, detecting, analysing and reporting information security events
• Logging incident management activities
• Handling forensic evidence
• Assessing and deciding on information security events and weaknesses
• Responding to a security incident, both internally and externally

It is important that all procedures ensure that information security incidents are handled by competent personnel, and that appropriate points of contact, both within and outside of the organisation, are identified and established for the handling of information security issues.

Reporting procedures should include the following:

• Reporting forms that support the reporting action and log all necessary actions in the event of an information security event
• Next steps to be followed in the event of an information security event
• The formal disciplinary process to be followed in the case of employees who commit security breaches
• An organised feedback process to ensure that parties concerned are updated on the progress and results of reported information security events

All those responsible for information security incident management must be made aware of these processes, and all processes must be agreed upon with management. 

• A.16.1.2 Reporting Information Security Events
  
  Information security incidents should be reported, as and when they occur or as early as possible, through appropriate management channels. All parties concerned should be made aware of their reporting responsibilities, reporting procedures and points of contact in the event an information security incident occurs.
  
  
• A.16.1.3 Reporting Information Security Weaknesses
  
  All parties who have access to and use the organisation’s information systems and services are required to take note of and report any observed or suspected weaknesses and incidents. The reporting procedure and mechanism should be easily accessible so parties may report weaknesses to the established point of contact as quickly as possible, with the objective of preventing incidents from occurring.
  
  
• A.16.1.4 Assessment of & Decision on Information Security Events
  
  Information security events require assessment before being classified as “incidents”. Established points of contact must evaluate information security events using an agreed-upon classification scale to assess the impact and extent of the event, and whether it qualifies as a security incident. The results of this assessment must be recorded for future reference and verification purposes. In summary, this process can be broken down into the following stages:

1. Identification, prioritisation and assessment
2. Containment
3. Investigation/ “root cause” analysis 
4. Response
5. Follow up
   
   

• A.16.1.5 Response to Information Security Incidents
  
  The response to an information security incident should be in accordance with documented procedures. A nominated point of contact, and other relevant internal or external parties, should respond to information security incidents. 
  
  The following should be done as part of the response:
• Promptly collecting evidence
• Conducting information security forensics analysis
• Escalating incidents as required
• Logging all response activities for future analysis
• Communicating the details of information security incident to relevant parties, both internal and external
• Addressing any contributing or causative information security weaknesses
• Formally closing and recording the incident once completely addressed and actioned
• Analysing the incident to identify the source
  
  
• A.16.1.6 Learning from Information Security Incidents
  
  Once incidents are resolved, all related knowledge must be used to ensure prevention of future incidents. The types, volumes, and costs of information security incidents must be quantified and monitored with effective mechanisms. Through these evaluations, resulting information should be utilised effectively to identify and prevent recurring or high-impact incidents.
  
  
• A.16.1.7 Collection of Evidence
  
  Procedures are required for identifying, collecting, acquiring, and preserving information. This evidence can be used to decide on disciplinary and/or legal action, and internal procedures should take the following into account:
• Chain of custody
• Safety of evidence
• Safety of personnel
• Roles and responsibilities of personnel involved
• Competency of personnel
• Documentation
• BBriefing

Whenever possible, the value of evidence should be strengthened with certification or other relevant supporting resources.  

Conclusion

Annex A controls comprise 114 individual controls that aren’t mandatory, but can be selected according to your organisation’s information security objectives. 

In summary, Annex A.16 covers the importance of information security incident management through 7 controls that outline procedure development, reporting mechanisms and response. Annex A.16 aims to strengthen your organisation’s incident management approach and reduce the impact and occurrence of future incidents. 

Schedule a call with our experts to learn how you can strengthen your organisation’s information security framework!