ISO 27001 Annex A Control 5.27

ISO 27001 control 5.27 Learning from information security incidents

The basics

ISO 27001 control A.5.27 Learning from information security incidents requires companies to improve their information security controls based on knowledge gained from previous information security incidents, in order to prevent incidents from recurring and to minimize their impact.

Documentation

ISO 27001 control A.5.27 Learning from information security incidents can be documented by writing:

These procedures are not mandatory documents but are recommended for all companies.

Implementation

In order to comply with control A.5.27 Learning from information security incidents you might implement the following:

  • Technology — the technology that enables learning from security events could include software, hardware, or networks. Smaller companies will probably be able to learn from features built into their existing systems (e.g., logs), whereas larger companies will probably need dedicated software to gather and analyze data in order to identify causes and potential solutions.
  • Organization/processes — you should set up a process for how data from incidents is gathered and used to derive improvements, in terms of the processes and/or technologies to be updated. You can document those processes in the Incident Management Procedure or the Procedure for Corrective Action.
  • People — make employees aware of why learning from security events is needed, and train them on how to apply learning tools and methods to security event information.

Audit evidence

During the audit, the auditor might look for the following evidence regarding control A.5.27 Learning from information security incidents: whether information security has been improved based on lessons learned from previous information security incidents.