Information Security Incident Process
Introduction
This is the Incident Management process that accompanies the ISO 27001 App for SharePoint.
Users, owners of monitoring and alerting services, and third parties are required to report information security weaknesses and events to the Information Security Manager.
The Information Security Manager is responsible for coordinating and managing the response to the reported weakness or event, including documentation of all emergency steps taken, evidence collection, and closing out the event.
The ISO 27001 App for SharePoint will automatically report back to the person who raised the event/weakness and describe how the event was dealt with and closed out.
The incident report is assessed and categorised by the Information Security Manager. There are three categories: events, vulnerabilities (reported weaknesses) and incidents.
- ‘Events’ are occurrences that, after analysis, have no (or only very minor) importance for information security;
- ‘Vulnerabilities’ are reported weaknesses that, after analysis, are confirmed to exist and could significantly compromise information security;
- ‘Incidents’ are single events, or series of events, that have a significant probability of compromising information security.
The prioritisation for responses, when there are multiple reports to deal with, is:
- Incidents
- Vulnerabilities
- Events
The root cause of the issue is determined.
The containment and corrective actions are determined. If the security incident involved a personal data breach, it must also be determined whether the Data Protection Authority has to be notified; data protection laws typically impose short notification deadlines, so this assessment should be made early in the response rather than at close-out.
Agree a course of action and a timescale to correct the issue, depending on the effect the issue is likely to have. The agreed actions may rectify the issue and prevent its recurrence, or the consequences may be accepted as a risk, in which case the incident is linked to the corresponding risk record.
Timescales for completion should have regard to the severity of the incident, the cost and benefit of the corrective action, and other reasonable business priorities.
The incident may also reveal a new risk; if so, a risk record should be raised and linked to the incident.