A.16. Information security incident management
An incident is defined as any disruption in IT service. Incident management deals with handling incidents and ensures that IT service is restored as soon as possible. Clause A.16 of ISO 27001 provides appropriate methods to manage any information security incidents that may occur due to a series of unforeseen adverse events. It also formulates strategies for improvements in the information security domain. Information security incident management ensures a consistent and effective approach to the organisation's management of information security incidents, security events and weaknesses.
This clause fortifies the management's responsibilities and procedures to ensure a quick, effective and orderly response to information security incidents. Information security events are reported through appropriate management channels as quickly as possible, which also helps employees and contractors to report any observed or suspected information security weaknesses in systems or services.
Information security events are assessed thereafter to decide whether or not they are to be classified as information security incidents. Events which are classified as information security incidents shall be responded to in accordance with the documented procedures. Some of the activities conducted in incident management are as follows:
- Understanding what exactly has gone wrong
- Understanding the chronological order of the events
- Confirming the full impact of the incident
- Identifying any events that could have triggered the incident
- Searching for previous incidents of a similar kind
There are always some incidents which are not new; they may happen again over a period of time. Therefore, it is best practice to have a pre-defined model to handle such incidents. The knowledge gained from analysing and resolving information security incidents should be stored and used to reduce the likelihood or impact of future incidents. The organisation has to define and apply procedures for the identification, collection, acquisition and preservation of information which can serve as evidence.