
The ISO 27001 & ISO 22301 Blog

Rhand Leal

Using ITIL to implement ISO 27001 incident management

Incident management is one of the key processes to ensure the effectiveness of any business operation. With more or less sophistication and maturity, practically any organization has practices in place to deal with undesired events, and some of these were so commonplace that they became industry good practices and the basis for worldwide standards.

As an older practice, ITIL incident management has long been helping many organizations deal with IT incidents in a manner that quickly restores business operations. However, with the growing concern for information security, and the adoption of an ISO 27001 certified ISMS, practitioners are facing a new challenge: preserving the effectiveness of the ITIL incident management process while achieving compliance with ISO 27001 requirements.

In this article, I will present what an organization should consider to ensure its ITIL incident management process is compliant with ISO 27001 requirements for ISMS certification, covering similarities, gaps, and guidance on achieving alignment.

ITIL Incident Management


As part of service operation, incident management aims to manage the lifecycle of all incidents. Its primary objective is to return the IT service to users as quickly as possible. The incident management sub-processes and their objectives are:

Incident Management Support: aims to provide and maintain the resources (e.g., tools, processes, skills, and rules) for effective and efficient incident handling.

Incident Logging and Categorization: aims to record and prioritize incidents with appropriate diligence, facilitating a swift and effective resolution.

Incident Resolution: aims to solve incidents within the agreed time schedule, considering workarounds, support levels, and major incident treatment. It may start the problem management process.

Incident Monitoring and Escalation: aims to continuously monitor the processing status of incidents, ensuring that proper countermeasures are deployed in time if service levels are likely to be breached.

Incident Closure and Evaluation: aims to make sure that incidents are actually resolved and that all relevant information is supplied for future use (e.g., process improvement, legal action, etc.).

Pro-Active User Information: aims to inform users of service failures and alerts, so they are in a position to adjust themselves to interruptions and events, reducing the number of inquiries by users.

Incident Management Reporting: aims to supply incident-related information to the other service management processes, and to ensure that improvement potentials are derived from past incidents.

Compliance with ISO 27001

To deal with incident management, ISO 27001 has clauses and a whole Annex A category (A.16 – Information security incident management).

These clauses cover the seven ITIL sub-processes mentioned in the previous section, and need little or practically no adjustment to ensure compliance:

| ISO 27001 Clauses | ITIL Incident Management Sub-processes |
|---|---|
| 5.1 — Leadership and commitment; 7.2 — Competency | Incident Management Support clearly states the need for resources, skill, and knowledge. |
| 5.3 — Organizational roles, responsibilities and authorities; A.16.1.1 — Responsibilities and procedures | For all sub-processes, responsibilities are defined only concerning the incident management process (e.g., incident manager, incident support team, etc.). An organization should define which specific business roles (e.g., production manager, client relationship manager, etc.) are included in the incident management process. For procedures, the needs are clear (by means of workarounds and escalation criteria). |
| A.16.1.4 — Assessment of and decision on information security events | Incident Logging and Categorization covers the assessment of events and the decision on how to deal with the incident. |
| A.16.1.5 — Response to information security incidents | Incident Resolution clearly covers the objective of this control. |
| A.16.1.6 — Learning from information security incidents | Incident Management Reporting is a clear source for providing continual improvement to the ISMS. |


These are some gaps in the ITIL Incident Management process that can be solved by the application of ISO 27001 controls:

| ITIL Incident Management Sub-processes | Gap | ISO 27001 Annex A Control |
|---|---|---|
| Pro-Active User Information | The communication flow is clear only from the process to users. The process should provide clear ways for users to communicate events and security weaknesses (e.g., in the form of the organization's Intranet, a phone line, etc.). | A.16.1.2 – Reporting information security events; A.16.1.3 – Reporting security weakness |
| Incident Resolution | It is not clear how information and material evidence should be handled, and by whom, to ensure its legal acceptance. A forensic procedure should be considered. | A.16.1.7 – Collection of evidence |


While not critical to the processes, the following ISO 27001 Annex A controls may improve the effectiveness of ITIL incident management, while at the same time ensuring conformity of other ITIL processes with ISO 27001 requirements:

| ITIL Incident Management Sub-processes | ISO 27001 Annex A Control | Potential improvement |
|---|---|---|
| No specific incident management sub-process | A.11.2.4 – Equipment maintenance | Proper maintenance ensures assets' continued availability and integrity, reducing the probability of incidents occurring. |
| Incident Management Support | A.12.1.3 – Capacity management | Ensures compliance of the ITIL capacity management process with ISO 27001. Better knowledge of current capacity and future demands may improve resource allocation to deal with incidents at reduced cost. |
| Incident Monitoring and Escalation | A.12.4.1 – Fault logging | May help increase and organize the information available, reducing the probability of incidents occurring and the incident response time. |


Do not reinvent the wheel. Improve it!

As stated before, ITIL incident management has long been helping organizations worldwide deal effectively with undesired IT events, but as information security management is on its way to becoming a top management concern, IT managers should be prepared to include new sources of requirements without losing performance.

My advice in this matter is: know these new requirements well, and know your processes even better. Since ITIL and ISO 27001 are both based on worldwide best practices, they will have a lot in common; knowing that, and taking advantage of what already exists and can be integrated, will prove very helpful for your team and your organization's resources.

This ITSM Incident Management Toolkit gives you lots of help in complying with ISO 27001 incident management requirements.
