Cyber Security Awareness Month - Day 24 - A Standard for Information Security Incident Management - ISO 27035

Published: 2012-10-24
Last Updated: 2012-10-24 19:10:27 UTC
by Russ McRee (Version: 1)
2 comment(s)

Rob covered ISO 27005 in his 17 OCT diary, which covers information security risk management. I believe as handlers for the Internet Storm Center we'd be remiss in failing to cover an incident response standard for Cyber Security Awareness Month. ISO 27035 fits the bill perfectly.

ISO/IEC 27035:2011 provides a structured and planned approach to:
1) detect, report and assess information security incidents
2) respond to and manage information security incidents
3) detect, assess and manage information security vulnerabilities
4) continuously improve information security and incident management as a result of managing information security incidents and vulnerabilities

This International Standard cancels and replaces 2004's ISO 18044.
In our Standard Operating Procedures, I provide direct pointers to ISO 27035 as well as NIST's SP 800-61 rev 2.
Aligning your security incident management program with these two documents lends well to meeting security incident management components for ISO and or PCI compliance. You'll definitely need to validate (with evidence) that your related activities meet muster for the audits, but with well written SOPs, documented processes, good case management, and regular drills and exercises (practice). Remember, actual incidents don't count as exercises. :-)  Conduct a drill-like activity on a quarterly basis if possible, report on it, and be sure to incorporate lessons learned.

"No battle plan survives contact with the enemy"...but you can definitely prepare.


Russ McRee | @holisticinfosec

2 comment(s)


You are still referring to the draft version of NIST SP 800-61 rev 2. The final version was released in August 2012 and can be found at
As Eisenhower said, "In preparing for battle, I have always found the plans are useless but planning is indispensable."

Diary Archives