ISO 27001 Annex A Control 5.25

ISO 27001 control 5.25 Assessment and decision on information security events

The basics

ISO 27001 control A.5.25 Assessment and decision on information security events requires companies to assess whether deviations from normal operational conditions should be classified as information security incidents, so that incidents can be categorized and prioritized.

Documentation

ISO 27001 control A.5.25 Assessment and decision on information security events can be documented by writing an Incident Management Procedure.

This procedure is not a mandatory document but is recommended for all companies.

Implementation

In order to comply with control A.5.25 Assessment and decision on information security events you might implement the following:

  • Technology — the technology needed to assess and classify information about security events will in most cases already be available in the company. Smaller companies will probably be able to use office applications (e.g., spreadsheets in MS Excel, Apple Numbers, or Google Sheets), whereas larger companies will probably need software that centralizes incident management from start to end.
  • Organization/processes — you should set up a process that defines who is in charge of reporting and assessing security events, which criteria must be used for the assessment, and who is in charge of deciding how to classify security events. You can document those processes in the Incident Management Procedure.
  • People — make employees aware of why assessing security events is needed, and train them on the criteria to use when assessing security events.

Audit evidence

During the certification audit, the auditor might look for the following evidence regarding control A.5.25 Assessment and decision on information security events: whether deviations from normal activities are recognized and, where necessary, classified as incidents.