According to ISO/IEC 27001:2022, clause 10.2.2, the organization shall define and apply an information security incident management process that includes the following activities:
reporting information security events and weaknesses;
assessing information security events and classifying them as information security incidents;
responding to information security incidents according to their classification;
learning from information security incidents, including identifying causes, taking corrective actions and preventive actions, and communicating the results and actions taken;
collecting evidence, where applicable.
The standard does not specify who should perform these activities, only that they are done in a consistent and effective manner. Therefore, the organization may choose to conduct forensic investigations internally or through external consultants, depending on its needs, resources, and capabilities. However, the organization should ensure that any external consultants are competent, trustworthy, and comply with the organization's policies and procedures.
Reference: ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements, clause 10.2.2; PECB ISO/IEC 27001 Lead Implementer Course, Module 10: Incident Management.