{"id":5311,"date":"2015-10-13T21:46:01","date_gmt":"2015-10-13T21:46:01","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/20000academy\/?p=5311"},"modified":"2025-07-05T09:10:36","modified_gmt":"2025-07-05T09:10:36","slug":"security-incidents-how-to-approach-them-using-itil-and-iso-20000","status":"publish","type":"post","link":"https:\/\/advisera.com\/20000academy\/blog\/2015\/10\/13\/security-incidents-how-to-approach-them-using-itil-and-iso-20000\/","title":{"rendered":"Security incidents \u2013 How to approach them using ITIL and ISO 20000"},"content":{"rendered":"<p>A great deal has already been said about incidents. Actually, I think that I\u2019m not wrong when I say that Incident Management is the most commonly implemented process in IT Service Management (ITSM). And, that\u2019s perfectly logical and reasonable.<\/p>\n<p>Both <a href=\"https:\/\/advisera.com\/20000academy\/what-is-itil\/\" target=\"_blank\" rel=\"noopener noreferrer\">ITIL<\/a>\u00a0and <a href=\"https:\/\/advisera.com\/20000academy\/what-is-iso-20000\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 20000<\/a> define an approach for how to handle incidents. But, both of them pay particular attention to the security-related incidents. And, that\u2019s logical and reasonable, too.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">What\u2019s the importance?<\/h2>\n<p>In general, <a href=\"https:\/\/advisera.com\/20000academy\/iso-20000-documentation-toolkit\/?rel=resolution-and-fulfillment-processes&amp;doc=incident-management-process\" target=\"_blank\" rel=\"noopener\">incidents<\/a> are highly visible to your users (i.e., people using your services) and customers (i.e., those who pay for using your services). Take e-mail service as an example. Can you imagine how your users would feel if or when that service became unavailable? Actually, you don\u2019t have to do that, because you know the answer. 
And, they would have the same feelings if their e-mail service started having interruptions or malfunctions, i.e., incidents started to occur.<\/p>\n<p>And, you know what? Incidents could get worse \u2013 when they are security related. Basically, security-related incidents mean that not all incidents are the same. Let me get back to the e-mail service example again. A security-related example would mean that, e.g., someone\u2019s account is compromised, meaning an unauthorized person has access to it, or that a lot of SPAM is sent from someone\u2019s corporate account. In both cases the issue is not only that the user can\u2019t use the service for some time (that would be a case when a \u201cnormal\u201d incident occurs), but that the company could have a significant financial loss (e.g., sensitive data are revealed because an unauthorized person has access to the e-mail account) or all corporate e-mails are banned by SPAM filters due to unsolicited e-mail that is sent.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">How do you handle them?<\/h2>\n<p>As you can see, not all incidents are the same; i.e., security-related incidents are usually more visible than others. It\u2019s reasonable to ask \u2013 how can you distinguish them? As we already explained (see the article <a href=\"https:\/\/advisera.com\/20000academy\/knowledgebase\/incident-classification\/\" target=\"_blank\" rel=\"noopener noreferrer\">All About Incident Classification<\/a>), incidents have different categories and priorities. 
That\u2019s the mechanism companies use to differentiate security-related incidents from others \u2013 a separate category is defined in the <a href=\"https:\/\/advisera.com\/20000academy\/iso-20000-documentation-toolkit\/?_gl=1*1c227dk*_ga*MTM1NjQ0NTEwMS4xNjcxNTI4MDcz*_ga_SBHEDSXFP5*MTY3MTcwOTg0Ny44LjEuMTY3MTcxMDc5My41NS4wLjA.\" target=\"_blank\" rel=\"noopener noreferrer\">incident catalogue<\/a>\u00a0(that\u2019s a list of all incident categories) and the priority matrix is more conservative (i.e., security incidents are always assigned higher or highest priorities \u2013 I have seen an organization where security-related incidents always get highest priority).<\/p>\n<p>A key activity in defining the category and priority for security incidents is risk assessment, which will enable differentiation between different kinds of security incidents. Actually, ITIL will advise you, and ISO 20000 will oblige you to do the risk assessment. That means that you will have to analyze potential threats (sources of a security breach, e.g., unauthorized access to the e-mail account) and respective vulnerabilities (what can be exploited from that particular threat, e.g., weak password) and define controls to eliminate and manage that risk (e.g., a password policy in place that defines password complexity and frequent renewal of the password). Once you have analyzed your risks, you can assign priorities to particular types of risks. The benefits of risk assessment are twofold: priority, i.e., category is defined, as well as <a href=\"https:\/\/advisera.com\/20000academy\/iso-20000-documentation-toolkit\/?rel=sms-related-documents&amp;doc=corrective-or-preventive-action-form\" target=\"_blank\" rel=\"noopener\">preventive measures<\/a> to mitigate or manage such risks.<\/p>\n<p>Whatever your risk assessment method looks like, one thing is certain \u2013 security-related incidents should be handled by Incident Management (or, in ISO 20000, Incident and Service Request Management). 
Use this article: <a href=\"https:\/\/advisera.com\/20000academy\/blog\/2013\/05\/21\/incident-management-itil-solid-foundations-operational-processes\/\" target=\"_blank\" rel=\"noopener noreferrer\">Incident Management in ITIL \u2013 solid foundations of operational processes<\/a> to learn more about the <a href=\"https:\/\/advisera.com\/20000academy\/iso-20000-documentation-toolkit\/?rel=resolution-and-fulfillment-processes&amp;doc=incident-management-process\" target=\"_blank\" rel=\"noopener\">Incident Management process<\/a>. In this way you will have efficient management of such incidents, with a defined process in place; activities, roles, and responsibilities; and a tool where all details are documented.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">Once under control \u2013 what\u2019s next?<\/h2>\n<p>Even if you have the perfect priority table or incident catalogue, there is always something you could do in order to be better. In the case of security-related incidents, to be better means that security incidents happen as rarely as possible. Therefore, you should analyze them. That means that you will look for the same kind of incidents, group them, and look for their root cause (that can include proactive Problem Management as well). Other criteria during analysis could be number of incidents or their impact.<\/p>\n<p>The bottom line is that you are proactive. Once you start the analysis you will notice that many incidents contain common elements. Once you have eliminated those elements, you (most probably) will have resolved all such incidents in the future.<\/p>\n<p>There is one more benefit of doing analyses \u2013 reports. Security-related incidents are sensitive. It could happen that they cause customer data loss (through, e.g., information leakage) or material costs. And that would interest your management. So, my experience is that you should be ready. 
Have your reports not only for your own reasons (e.g., improvement of existing processes or technological solutions), but also to answer some unpleasant questions from your management. Or even some public authority.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">Lessons learned<\/h2>\n<p>I\u2019m sure that you have experienced some kind of security incidents. And, most probably, you felt better when you were aware that someone (who works on resolutions to such incidents) knew what he\/she was doing. Believe me, so will your users. Security incidents can be very painful (remember stolen credit cards or millions of e-mail accounts revealed), but it\u2019s even more painful when users see that someone doesn\u2019t know how to approach them.<\/p>\n<p><em>To implement ISO 20000 easily and efficiently, use our<\/em> <a href=\"https:\/\/advisera.com\/20000academy\/iso-20000-documentation-toolkit\/\" target=\"_blank\" rel=\"noopener\">ISO 20000 Documentation Toolkit<\/a> <em>that provides step-by-step guidance for full ISO 20000 compliance.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A great deal has already been said about incidents. Actually, I think that I\u2019m not wrong when I say that Incident Management is the most commonly implemented process in IT Service Management (ITSM). And, that\u2019s perfectly logical and reasonable. Both ITIL\u00a0and ISO 20000 define an approach for how to handle incidents. 
But, both of them &#8230;<\/p>\n","protected":false},"author":32,"featured_media":17425,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[357,438,366,344,496],"class_list":["post-5311","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-incident-management","tag-information-security","tag-iso-20000","tag-itil","tag-security-incidents"],"acf":[],"_links":{"self":[{"href":"https:\/\/advisera.com\/20000academy\/wp-json\/wp\/v2\/posts\/5311","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/advisera.com\/20000academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/advisera.com\/20000academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/advisera.com\/20000academy\/wp-json\/wp\/v2\/users\/32"}],"replies":[{"embeddable":true,"href":"https:\/\/advisera.com\/20000academy\/wp-json\/wp\/v2\/comments?post=5311"}],"version-history":[{"count":3,"href":"https:\/\/advisera.com\/20000academy\/wp-json\/wp\/v2\/posts\/5311\/revisions"}],"predecessor-version":[{"id":18509,"href":"https:\/\/advisera.com\/20000academy\/wp-json\/wp\/v2\/posts\/5311\/revisions\/18509"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/advisera.com\/20000academy\/wp-json\/wp\/v2\/media\/17425"}],"wp:attachment":[{"href":"https:\/\/advisera.com\/20000academy\/wp-json\/wp\/v2\/media?parent=5311"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/advisera.com\/20000academy\/wp-json\/wp\/v2\/categories?post=5311"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/advisera.com\/20000academy\/wp-json\/wp\/v2\/tags?post=5311"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}