Rhand Leal
November 10, 2015
Incident management is one of the key processes for ensuring the effectiveness of any business operation. With varying degrees of sophistication and maturity, practically every organization has practices in place to deal with undesired events, and some of these became so commonplace that they turned into industry good practices and the basis for worldwide standards.
ITIL incident management is the older of the two practices and has long helped organizations deal with IT incidents in a way that quickly restores business operations. However, with the growing concern about information security and the adoption of ISO 27001 certified ISMSs, practitioners face a new challenge: preserving the effectiveness of the ITIL incident management process while achieving compliance with ISO 27001 requirements.
In this article, I present what an organization should consider to ensure its ITIL incident management process complies with the ISO 27001 requirements for ISMS certification, covering similarities, gaps, and guidance for achieving alignment.
As part of service operation, incident management manages the lifecycle of all incidents. Its primary objective is to restore the IT service to users as quickly as possible. The incident management sub-processes and their objectives are:
Incident Management Support: aims to provide and maintain the resources (e.g., tools, processes, skills, and rules) for effective and efficient incident handling.
Incident Logging and Categorization: aims to record and prioritize incidents with appropriate diligence, facilitating a swift and effective resolution.
Incident Resolution: aims to solve incidents within the agreed time schedule, considering workarounds, support levels, and major incident treatment. It may start the problem management process.
Incident Monitoring and Escalation: aims to continuously monitor the processing status of incidents, ensuring that counter-measures are deployed in time if service levels are likely to be breached.
Incident Closure and Evaluation: aims to make sure that incidents are actually resolved and that all relevant information is supplied for future use (e.g., process improvement, legal action, etc.).
Pro-Active User Information: aims to inform users of service failures and alerts, so they can adjust to interruptions and events, reducing the number of user inquiries.
Incident Management Reporting: aims to supply incident-related information to the other service management processes, and to ensure that improvement potentials are derived from past incidents.
To deal with incident management, ISO 27001 has clauses in the main body of the standard and a whole Annex A category (A.16 – Information security incident management). The clause and control numbers in this article follow ISO/IEC 27001:2013, the edition in force when it was written; in ISO/IEC 27001:2022 the incident management controls were renumbered as 5.24 to 5.28 (planning and preparation, assessment and decision, response, learning, collection of evidence) and 6.8 (event reporting), with the same intent.
These clauses and controls map directly onto the ITIL sub-processes described in the previous section, and need little to practically no adjustment to ensure compliance:
| ISO 27001 clauses and controls | ITIL incident management sub-processes |
|---|---|
| 5.1 – Leadership and commitment; 7.2 – Competence | Incident Management Support clearly states the need for resources, skills, and knowledge. |
| 5.3 – Organizational roles, responsibilities and authorities; A.16.1.1 – Responsibilities and procedures | For all sub-processes, ITIL defines responsibilities only within the incident management process itself (e.g., incident manager, incident support team). An organization should also define which specific business roles (e.g., production manager, client relationship manager) take part in the incident management process. For procedures, the needs are clear (by means of workarounds and escalation criteria). |
| A.16.1.4 – Assessment of and decision on information security events | Incident Logging and Categorization: each logged event must be assessed and a decision made on how to deal with the incident. |
| A.16.1.5 – Response to information security incidents | Incident Resolution clearly covers the objective of this control. |
| A.16.1.6 – Learning from information security incidents | Incident Management Reporting is a clear source of continual improvement for the ISMS. |
Here are some gaps in the ITIL incident management process that can be closed by applying ISO 27001 controls:
| ITIL incident management sub-process | Gap | ISO 27001 Annex A control |
|---|---|---|
| Pro-Active User Information | The communication flow is clear only from the process to users. The process should also provide clear channels for users to report events and security weaknesses (e.g., a form on the organization's intranet, a phone line, etc.). | A.16.1.2 – Reporting information security events; A.16.1.3 – Reporting information security weaknesses |
| Incident Resolution | It is not clear how information and material evidence should be handled, and by whom, to ensure it is legally admissible. A forensic procedure should be considered. | A.16.1.7 – Collection of evidence |
While not critical to the process, the following ISO 27001 Annex A controls may improve the effectiveness of ITIL incident management, while at the same time ensuring conformity of other ITIL processes with ISO 27001 requirements:
| ITIL incident management sub-process | ISO 27001 Annex A control | Potential improvement |
|---|---|---|
| No specific incident management sub-process | A.11.2.4 – Equipment maintenance | Proper maintenance ensures assets' continued availability and integrity, reducing the probability of incidents. |
| Incident Management Support | A.12.1.3 – Capacity management | Ensures compliance of the ITIL capacity management process with ISO 27001. Better knowledge of current capacity and future demand can improve resource allocation, so incidents are handled better and at lower cost. |
| Incident Monitoring and Escalation | A.12.4.1 – Event logging | May help increase and organize the information available (including fault records), reducing the probability of incidents and the incident response time. |
As stated before, ITIL incident management has long helped organizations worldwide deal effectively with undesired IT events. But as information security management becomes a top management concern, IT managers should be prepared to take on new sources of requirements without losing performance.
My advice in this matter is: know these new requirements well, and know your own processes even better. Since ITIL and ISO 27001 are both based on worldwide best practices, they have a lot in common; knowing that, and taking advantage of what already exists and can be integrated, will save your team and your organization's resources.
Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained a certified Information Security Management System based on ISO 27001.
Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.