ISO 27001 Annex A 5.26

Response is what people see - the rest of the management system enables it.

ISO 27001 Annex A 5.26 - Response to Information Security Incidents

This is the operational control. The plan exists from Annex A 5.24, the triage criteria are in place from Annex A 5.25, and now an incident has been declared. The response runs through containment, investigation, recovery and communication, all in accordance with the documented procedures.

Containment comes first. Stop the spread, preserve evidence, limit further damage. Investigation establishes the scope - what was affected, what data was at risk, how the incident happened. Recovery restores normal operations safely, which often means more than just turning systems back on. Communication runs in parallel - to senior management, to affected parties where required, to regulators where notification thresholds are met.

Throughout the response, decisions and actions need to be recorded. The record serves three purposes - it supports good decision-making during the incident itself, it provides the basis for any subsequent regulatory or contractual notifications, and it forms the input to the post-incident review.

The principle we work to is contain first, investigate second. If something is actively going on, the priority is to stop it and preserve the evidence rather than trying to understand the full picture before doing anything. Understanding can come once the bleeding has stopped.

The other principle is communicate up early. Senior management does not want to be told three days into an incident. We brief upwards as soon as the incident is declared and at defined intervals during the response.

Practical Compliance Guidance

Incident response runs from the procedures described in the IMS1 manual at section 8.2. The incident form holds the working record from declaration through to closure.

alphaZ documents and how to use them:

ISO 27001 Toolkit - The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists.

F-Q109 Information Security Incident - The incident record form used through the response. Capture containment actions, investigation findings, recovery steps, communications sent and decisions made, with timestamps and named decision-makers.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Where the incident involves a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, UK GDPR requires notification to the ICO within 72 hours of becoming aware. Where the breach is likely to result in high risk to individuals, those individuals must also be informed without undue delay.

System logs, affected files, network capture where appropriate, copies of suspect emails or messages, and a contemporaneous record of the actions taken. Where there is potential for legal proceedings, evidence handling should follow forensic principles. Annex A 5.28 covers evidence collection in more detail.

External communication authority should be vested in a small named group, typically the Information Security Lead, a senior management contact and, where applicable, a communications or legal representative. Other staff should not communicate externally about the incident without authorisation. The plan should make this explicit.
