Security Incident Management

The organization should have an appropriate security incident management program. Consideration should be given to standards such as ISO/IEC 27035. The organization should create a security incident management program which should include, but not be limited to, the following stages:

  1. Plan and prepare.
  2. Detection and reporting.
  3. Assessment and decision.
  4. Responses.
  5. Lessons learnt.


Plan and prepare

The organization should establish formal security incident management policies and procedures. The policies and procedures should include, but not be limited to:

  1. Formation of a security incident response team which should include appropriate members based on decision-making authority, technical expertise, etc.
  2. Categorization and classification of security events/incidents based on actual or projected adverse impacts with examples of the risks identified by the risk management process.
  3. Guidance and/or decision tree/flow-chart which includes time scales to determine the level of escalation required including function and/or names to whom escalation should be done.
  4. A standard information security event/incident database structure/system in order to be able to record, analyze and report on events/incidents.
  5. Procedures which test the security organization’s alertness and response. Procedures should include both announced and unannounced tests.
  6. Procedures which ensure that security events/incidents are properly recorded.
  7. Procedures for regularly analyzing security events/incidents as per the problem management process and proposing changes to enable improvement plans via the change management process.
  8. Procedures to ensure that all contact information is regularly reviewed and updated where needed.


Detection and reporting