According to the business standards organization, the principles embodied in 27035:2011 will help organizations reduce the impact of IT security threats if they adopt the security incident management approach seen in the new standard.
The ISO said that security breaches can compromise your business systems, and cause disruption to business operations. Being prepared and responding in a timely and effective way, it added, can mean the difference between minor incident and a business disaster.
And this, the ISO said, is where an information security incident management system enables an organization to have the controls and procedures in place to manage a wide variety of security incidents and vulnerabilities.
ISO/IEC 27035:2011, the body continued, gives “how to” guidance on detecting, reporting and assessing information security incidents and vulnerabilities.
It will, noted the ISO, help businesses respond to information security incidents, including the activation of appropriate controls for the prevention and reduction of, and recovery from, impacts, and, in so doing, learn and improve their overall approach.
Edward Humphreys, whose team developed the original version of the standard – ISO/IEC TR 18044:2004 – said that effective and timely handling of major incidents can make the difference between the survival or ‘death’ of an organization.
“The new ISO/IEC 27035 standard provides tried and tested advice on the processes and methods that need to be deployed for ensuring effective management of information security incidents”, he explained.
“Incidents can vary from the minor, which may have an impact on an isolated business system to a major incident, which affects all business systems”, he said.
“Some incidents have the effect of disrupting an organization and the use of its business resources for 24–72 hours or more; some cause a serious loss and/or destruction of data; and some can leave the organization with a serious crime on their hands. ISO/IEC 27035:2011 offers a solution", he added.
Infosecurity notes that ISO/IEC 27035:2011 – which replaces technical report ISO/IEC TR 18044:2004 – supports the general concepts specified in ISO/IEC 27001:2005.
The new standard is applicable to any organization, irrespective of size. It covers a range of information security incidents, whether deliberate or accidental, and whether caused by technical or physical means.