ISO 27001 information security event vs. incident vs. non-compliance

Update 2022-04-25.

No environment can be 100% secure. Problems (which can be broadly described as “occurrences” or “deviations”) will happen, but not all problems need to be treated the same way, and this can have a significant impact on the effort, and costs, of security management.

This article will present three concepts used by ISO 27001, the leading standard for information security management, that can help companies handle security events, security incidents, and non-compliances in a more efficient way. We’ll learn about the definitions of these concepts and how to differentiate among them.

For the purposes of ISO 27001, the ISO 27000 standard, which defines the vocabulary for ISO information security management, uses the following concepts.

  • An information security event in ISO 27001 is any occurrence related to assets or the environment indicating a possible compromise of policies or failure of controls, or an unmapped situation that can impact security.
  • An information security incident is one or more information security events that compromise business operations and information security.
  • Information security non-compliance is any situation where a requirement is not being fulfilled.

Information security event in ISO 27001

An information security event is any occurrence related to assets or the environment indicating a possible compromise of policies or failure of controls, or an unmapped situation that can impact security.

It is also a change in the normal or expected behavior of a system, network, or service. An event doesn’t always have to cause an incident. There may be many attacks to your network blocked by your firewall or antivirus, which are all events, but do not harm your system or data; so, they are not incidents.

Information security incident in ISO 27001

An information security incident is one or more information security events that compromise business operations and information security.

An information security incident is caused by event that has the potential to affect the confidentiality, integrity, or availability of information. Theft or loss of equipment, such as a company laptop containing classified or sensitive information stolen from bag or forgotten at an airport lounge, is an example of an information security incident.

Information security non-compliance

Information security non-compliance is any situation where a requirement is not being fulfilled.

For example, the Access Control Policy requires access for new employees to be approved by the head of the department, whereas the access is approved by the system administrator.

Differences and how to recognize each concept

To differentiate among these concepts, and to learn to recognize each, note that:

  • information security event refers to something that can affect risk levels, without necessarily impacting the business or information. For example, a suspicious person walking near a protected area represents a momentary increase in risk, but does not affect business results or compromise information.
  • information security incident refers to something that in fact negatively affected the business or information which should be protected. Examples include a loss of information or an operations delay due to information system malfunction, such as a DDoS attack or a fire at the server room. Not all events are incidents, but all incidents are events. Events don’t have to be negative – incidents always are.
  • non-compliance refers to something you should be doing, but are not. For example, backup copies are not being generated as defined in the Backup Policy.

It is important to note that events and incidents may also fall under information security non-compliance at the same time. For example, in the previous example of a security event, let’s imagine that surveillance cameras covering the area are installed as a security measure. If the suspicious person was identified by an employee report instead of the cameras’ operator (e.g., because he was not paying attention), then this is a non-compliance regarding the cameras’ operation, even if there is no negative impact on the business or its information. In the example of the security incident, if the cause was a change not being performed according to the Change Control Policy, then this is also a non-compliance together with the incident.


ISO 27001 information security event vs. incident vs. non-compliance

Let’s see the differences between these three concepts using an example of a hacker attack:

  • Security event: A hacker attempts to gain access to a system or data without success.
  • Security incident: A hacker successfully gains access to the system; he changes some files and copies some data.
  • Non-compliance: The network was not protected against hacker attacks with a firewall, although the company procedure said so.

Understanding the abovementioned concepts and their differences is paramount to increase efficiency in the handling of security occurrences.

ISO 27001 Information security event, incident, & non-compliance

Treating events, incidents, and non-compliances

The different concepts of events, incidents, and non-compliances also mean that treating them must be done in different ways in order to prevent wasted resources, or the use of insufficient measures, leading to a recurrence of the unwanted situations. Here is how you can approach them:

Events: these just need to be recorded for future analysis. When performing the analysis (normally during monitoring and measurement of processes), if the quantity of similar occurrences in the period is significant, there may be a need to review the risk assessment, policies, or procedures. For more information, please read How to perform monitoring and measurement in ISO 27001.

Incidents: because they affect the business or its information, incidents require immediate action to contain the impact (if an incident is still happening after identification), and to recover normal operational conditions. Like events, they need to be recorded for future analysis during the monitoring and measurement of processes. For detailed information, please read How to handle incidents according to ISO 27001 A.16 and Logging and monitoring according to ISO 27001 A.12.4.

Non-compliance: like other management system standards, ISO 27001 requires action to control and correct any non-compliance, as well as to handle its consequences. Additionally, an organization has to evaluate the need to eliminate root causes in order to prevent recurrence. In cases where actions to eliminate root causes are taken, they must be reviewed for their effectiveness. For more information, see Practical use of corrective actions for ISO 27001 and ISO 22301.

Most organizations address incidents and non-compliance with reactive actions, and the key to increase the effectiveness of occurrence handling is to work in a preventive way, periodically evaluating the events log and root causes of non-compliances to identify patterns that may lead to new incidents and their related non-compliances. This way, you will be decreasing the probability of new incidents happening and of having to allocate extra resources to handle their consequences.

An additional approach is to work on policies, procedures, and controls so they are not excessively strict, in this way decreasing the occurrence of non-compliance. In this case, you have to balance the risk level with the rigor of policies, procedures, and controls. For more information, please read How detailed should the ISO 27001 documents be?

Be wise; do not use cannons on flies

Operational efficiency is paramount for any businesses. Often, information security is seen as an expense, so every effort to decrease not only costs related to incidents, but also to handling security occurrences in general, will be seen as a proactive measure.

It’s important for a company to determine its compliance obligations and to have its own threshold for defining if something is an event or an incident.

By using the ISO 27001 framework and its related concepts to address information security occurrences, an organization can minimize its efforts and costs to keep the business running with acceptable levels of risks to its information and that of its customers.

To help you automate incident management according to ISO 27001, sign up for a 14-day free trial of Conformio, the leading ISO 27001 compliance software.

Advisera Rhand Leal
Author
Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained а certified Information Security Management System based on ISO 27001.


Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.


Advisera Tolga Aktaş
Contributor
Tolga Aktaş

Tolga Aktaş has been working in various disciplines of management systems for more than 15 years. Tolga is an accredited lead auditor for the ISO 9001, 14001, 18295, 22301, 27001, 27701, 37001, and 55001 standards and has conducted audits as a freelancer for internationally accredited conformity assessment companies. He is also an accredited lead auditor trainer for ISO 22301, 27001, and 27701. He conducts workshops and webinars, and provides consultancy services on management systems to organizations mainly in Turkey, the UK, the EU, Qatar, UAE, Germany, and Japan. Tolga holds a Master of Business Administration degree.