
ISO 27001 A.5.26: Response to information security incidents

What This Control Requires

Information security incidents shall be responded to in accordance with the documented procedures.

In Plain Language

Planning is covered by A.5.24. This control is about execution - when an incident is declared, you follow the plan. No improvising, no skipping steps, no relying on heroics from individual engineers.

An effective response follows a clear sequence: contain the damage, investigate to understand what happened and how far it spread, eradicate the threat, recover to normal operations, and communicate with stakeholders throughout. Each step needs to happen in a coordinated, structured way that is proportionate to the severity.

Documentation in real time is non-negotiable. Every action, decision, and piece of evidence needs to be recorded as it happens. You will need this for the post-incident review, for regulatory compliance (GDPR notification timelines start ticking), and potentially for legal proceedings.

How to Implement

When an incident is declared, activate the response plan. Assign an incident manager as the single point of coordination and accountability. Open a case in your incident tracking system and start logging everything.

Contain first. Stop the bleeding - isolate affected systems, block malicious IPs, disable compromised accounts, segment the network. Distinguish between short-term containment (immediate emergency actions) and long-term containment (sustainable measures while you prepare eradication).

Investigate in parallel with containment. Collect and preserve evidence following forensic best practices. Determine scope: what systems and data are affected, how the attacker got in, when the initial compromise occurred, and whether data has been exfiltrated. Use forensic tools appropriate to the incident type.

Eradicate the root cause. Remove malware, patch the vulnerability that was exploited, reset compromised credentials, rebuild affected systems if necessary. Do not cut corners here - verify that all indicators of compromise have been addressed before moving on.

Recover methodically. Verify restored systems are clean and functional before putting them back into production. Monitor closely for signs of re-compromise. Communicate realistic restoration timelines to stakeholders.

Manage communications throughout. Keep management and affected teams informed internally. Externally, you may need to notify customers, partners, and regulators. GDPR Article 33 gives you 72 hours for supervisory authority notification. Use pre-drafted templates to save time under pressure.
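As an added illustration of the record-keeping these steps call for (example code written for this page, not AuditFront's or any tracking product's), the Python below models one incident case: every action is timestamped and attributed, evidence is logged with a SHA-256 digest for chain of custody, the lifecycle phases not yet covered are listed, and the GDPR Article 33 deadline is derived from the declaration time. The case identifier, people, log line and action descriptions are constructed, and treating the declaration time as the start of the 72-hour clock is an assumption.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Lifecycle phases a case record should cover, in the order the text gives them.
PHASES = ("detection", "containment", "investigation", "eradication", "recovery", "communication", "closure")
GDPR_ART33_WINDOW = timedelta(hours=72)  # assumption: measured from the declaration time
SAMPLE_LOG = b"2024-03-04T09:10:00Z vpn login ok user=j.doe src=203.0.113.7\n"  # constructed
@dataclass
class IncidentCase:
    case_id: str
    detected_at: datetime  # when the incident was declared (UTC)
    incident_manager: str  # single point of coordination and accountability
    actions: list = field(default_factory=list)
    evidence: dict = field(default_factory=dict)

    def log_action(self, phase: str, actor: str, description: str, at: datetime) -> None:
        # Every action is timestamped and attributed; unknown phases are rejected.
        if phase not in PHASES:
            raise ValueError(f"unknown phase: {phase}")
        self.actions.append({"at": at, "phase": phase, "actor": actor, "description": description})

    def add_evidence(self, label: str, data: bytes, collected_by: str, at: datetime) -> str:
        # Chain of custody: who collected what, when, plus a SHA-256 so later edits show.
        digest = hashlib.sha256(data).hexdigest()
        self.evidence[label] = {"sha256": digest, "collected_by": collected_by, "at": at}
        return digest

    def evidence_intact(self, label: str, data: bytes) -> bool:
        return hashlib.sha256(data).hexdigest() == self.evidence[label]["sha256"]

    def notification_deadline(self) -> datetime:
        return self.detected_at + GDPR_ART33_WINDOW

    def notified_in_time(self, notified_at: datetime) -> bool:
        return notified_at <= self.notification_deadline()

    def missing_phases(self) -> list:
        # Phases with no logged action yet: the open items before the case can close.
        return [p for p in PHASES if p not in {a["phase"] for a in self.actions}]

def sample_case() -> IncidentCase:
    # Constructed record of the first hours of a response (not real incident data).
    t0 = datetime(2024, 3, 4, 9, 15, tzinfo=timezone.utc)
    c = IncidentCase("INC-0042", t0, "a.lee")
    c.log_action("detection", "siem", "Alert: anomalous VPN logins", t0)
    c.log_action("containment", "a.lee", "Disabled three compromised accounts", t0 + timedelta(minutes=20))
    c.add_evidence("vpn-auth.log", SAMPLE_LOG, "b.kim", t0 + timedelta(minutes=30))
    c.log_action("investigation", "b.kim", "Preserved VPN logs, scoped affected accounts", t0 + timedelta(minutes=30))
    c.log_action("eradication", "a.lee", "Reset credentials, enforced MFA", t0 + timedelta(hours=3))
    return c
```

`missing_phases()` on the sample case returns the recovery, communication and closure phases still open, which is the kind of lifecycle view an auditor expects the tracking system to show.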

Evidence Your Auditor Will Request

  • Incident response records showing documented handling of recent incidents
  • Evidence of containment actions taken during incidents
  • Forensic investigation reports or analysis documentation
  • Communication records showing stakeholder notifications during incidents
  • Incident tracking system showing the lifecycle of incidents from detection to closure

Common Mistakes

  • Incidents are handled ad hoc without following documented procedures
  • Incident response actions are not documented in real time
  • Containment is delayed because response procedures are unclear or unavailable
  • Evidence is not preserved properly during incident response
  • Regulatory notification obligations are not met within required timeframes

Related Controls Across Frameworks

Framework   Control ID   Relationship
SOC 2       CC7.3        Equivalent
SOC 2       CC7.4        Related
GDPR        Art.33       Related
GDPR        Art.34       Related
NIS2        Art.23       Related

Frequently Asked Questions

What should be documented during incident response?
Everything, and in real time. Initial detection and how it was classified. Every response action with timestamps and who did it. Decisions made and why. Evidence collected with chain of custody. Communications sent. Impact assessment results. Containment, eradication, and recovery steps. External notifications. Use a standardised incident report template so nothing gets missed. If it is not documented, it did not happen - at least as far as auditors and regulators are concerned.
When should we involve law enforcement?
Consider it when the incident involves clear criminal activity (hacking, fraud, data theft), when regulation requires it, when you want to pursue prosecution, or when the scale is large enough to benefit from law enforcement resources. Talk to legal counsel first - always. Be aware that involving law enforcement may affect your control over the investigation timeline and what information becomes public. In the EU, some regulations (like NIS2) may require notifying national authorities regardless.
