ISO 27001 information security event vs. incident vs. non-compliance
No environment can be 100% secure. Problems (which can be broadly described as “occurrences” or “deviations”) will happen, but not all problems need to be treated the same way, and this can have a significant impact on the effort, and costs, of security management.
This article will present three concepts used by ISO 27001, the leading standard for information security management, that can help organizations handle security occurrences in a more efficient way: security events, security incidents, and non-compliances.
Definitions of event, incident, and non-compliance, and how to differentiate among them
For the purposes of ISO 27001, the ISO 27000 standard, which defines the vocabulary for ISO information security management, uses the following concepts:
Information security event: any occurrence related to assets or the environment indicating a possible compromise of policies or failure of controls, or an unmapped situation that can impact security.
Information security incident: one or more information security events that compromise business operations and information security.
Information security non-compliance: any situation where a requirement is not being fulfilled.
To differentiate among these concepts, note that:
- information security event refers to something that can affect risk levels, without necessarily impacting the business or information. For example, a suspicious person walking near a protected area represents a momentary increase in risk, but does not affect business results or compromise information;
- information security incident refers to something that in fact negatively affected the business or information which should be protected. Examples include a loss of information or an operations delay due to information system malfunction;
- non-compliance refers to something you should be doing, but are not. For example, backup copies are not being generated as defined in the Backup Policy.
It is important to note that events and incidents also may fall under non-compliance at the same time. For example, in the previous example of a security event, let’s imagine that surveillance cameras covering the area are installed as a security measure. If the suspicious person was identified by an employee report instead of the cameras’ operator (e.g., because he was not paying attention), then this is a non-compliance regarding the cameras’ operation, even if there is no negative impact on the business or its information. In the example of the security incident, if the cause was a change not being performed according to the Change Control Policy, then this is also a non-compliance together with the incident.
Understanding the above-mentioned concepts and their differences is paramount to increasing efficiency in the handling of security occurrences.
Treating events, incidents, and non-compliances
The different concepts of events, incidents, and non-compliances also mean that treating them must be done in different ways in order to prevent wasted resources, or the use of insufficient measures, leading to a recurrence of the unwanted situations. Here is how you can approach them:
Events: these just need to be recorded for future analysis. When performing the analysis (normally during monitoring and measurement of processes), if the quantity of similar occurrences in the period is significant, there may be a need to review the risk assessment, policies, or procedures. For more information, please read How to perform monitoring and measurement in ISO 27001.
Incidents: because they affect the business or its information, incidents require immediate action to contain the impact (if an incident is still happening after identification), and to recover normal operational conditions. Like events, they need to be recorded for future analysis during the monitoring and measurement of processes. For detailed information, please read How to handle incidents according to ISO 27001 A.16 and Logging and monitoring according to ISO 27001 A.12.4.
Non-compliance: like other management system standards, ISO 27001 requires action to control and correct any non-compliance, as well as to handle its consequences. Additionally, an organization has to evaluate the need to eliminate root causes in order to prevent recurrence. In cases where actions to eliminate root causes are taken, they must be reviewed for their effectiveness. For more information, see Practical use of corrective actions for ISO 27001 and ISO 22301.
Most organizations address incidents and non-compliance with reactive actions; the key to increasing the effectiveness of occurrence handling is to work in a preventive way, periodically evaluating the events log and the root causes of non-compliances to identify patterns that may lead to new incidents and their related non-compliances. This way, you will decrease the probability of new incidents happening and of having to allocate extra resources to handle their consequences.
An additional approach is to work on policies, procedures, and controls so they are not excessively strict, in this way decreasing the occurrence of non-compliance. In this case, you have to balance the risk level with the rigor of policies, procedures, and controls. For more information, please read How detailed should the ISO 27001 documents be?
Be wise; do not use cannons on flies
Operational efficiency is paramount for any business. Often, information security is seen as an expense, so every effort to decrease not only the costs related to incidents, but also the costs of handling security occurrences in general, will be seen as a proactive measure.
By using the ISO 27001 framework and its related concepts to address information security occurrences, an organization can minimize its efforts and costs to keep the business running with acceptable levels of risks to its information and that of its customers.
To learn more on how to make your information secure, try this free Security Awareness Training.