ISO IEC 27035-2-2023 PDF

St ISO IEC 27035-2-2023

Name in English:
St ISO IEC 27035-2-2023

Name in Russian:
St ISO IEC 27035-2-2023

Description in English:

Original ISO/IEC 27035-2:2023 standard, full version in PDF. Additional information and a preview are available on request.

Description in Russian:
Original ISO/IEC 27035-2:2023 standard, full version in PDF. Additional information and a preview are available on request.
Document status:
Active

Format:
Electronic (PDF)

Delivery time (for English version):
1 business day

Delivery time (for Russian version):
365 business days

SKU:
stiso25997

Price:
€25

Full title and description

ISO/IEC 27035-2:2023 — Information technology — Information security incident management — Part 2: Guidelines to plan and prepare for incident response. This part of the ISO/IEC 27035 series gives guidance on planning and preparing an organisation’s approach to information security incident response and on learning lessons from incident response activities; it is generic guidance intended to be adapted to organisations of any type, size or nature.

Abstract

This document provides guidelines for the “plan and prepare” and “learn lessons” phases of the information security incident management lifecycle as defined in ISO/IEC 27035-1. Major topics include establishing incident management policy and top‑management commitment, developing and testing incident management plans, forming and resourcing incident management/response teams, establishing internal and external relationships and support, awareness and training, and post‑incident evaluation and improvement. The guidance is applicable to organisations and to external service providers that perform incident management.

General information

  • Status: Published
  • Publication date: February 2023 (2023-02)
  • Publisher: ISO/IEC (joint publication of ISO and IEC), developed by ISO/IEC JTC 1/SC 27
  • ICS / categories: 35.030 (IT security techniques)
  • Edition / version: Edition 2 (2023)
  • Number of pages: 53

Core bibliographic and status details from the ISO record for ISO/IEC 27035-2:2023.

Scope

The standard provides guidelines to plan and prepare for incident response and to capture and apply lessons learned after incidents. It covers establishing incident management policy and governance, integrating incident management with organisational risk and information security policies, developing and exercising incident management plans, defining Incident Management Team (IMT) and Incident Response Team (IRT) roles and responsibilities, arranging technical and operational support, and building internal and external relationships (legal, law enforcement, suppliers, customers, regulators and other stakeholders). The guidance is generic and intended for adaptation by organisations of all types and sizes, including external organisations providing incident management services. As a guidelines document it contains no auditable requirements; certification requirements for incident management controls come from ISO/IEC 27001.

Key topics and requirements

  • Information security incident management policy and top‑management commitment.
  • Alignment of incident management with organisational risk management and information security policies.
  • Development, maintenance and testing of an information security incident management plan.
  • Establishment, roles, responsibilities and resourcing of Incident Management Team (IMT) / Incident Response Team (IRT).
  • Procedures for establishing internal and external communications and relationships (suppliers, customers, regulators, law enforcement, external responders).
  • Technical, organisational and operational support (tools, forensic handling, evidence preservation, communications channels).
  • Awareness, training and exercising for incident response staff and wider organisation.
  • Post‑incident review, lessons learned, corrective actions and continual improvement of incident response capabilities.
  • Applicability to external service providers delivering incident management services.

Typical use and users

Primary users: information security managers, incident response teams (IRT/SOC personnel), IT operations and security operations centre (SOC) staff, CISOs, risk and compliance officers, business continuity planners, legal/compliance teams, and third‑party incident response service providers. Typical uses: to design or improve an organisation’s incident management policy and plan, to define team roles and responsibilities, to scope and exercise incident response capabilities, and to drive post‑incident reviews and improvements.

Related standards

ISO/IEC 27035-1:2023 (Principles and process) provides the foundational incident management model and terminology used by this part; ISO/IEC 27035-3 (Guidelines for ICT incident response operations) covers operational incident handling (detection, triage, analysis, containment, eradication, recovery); ISO/IEC 27035-4:2024 addresses coordination when multiple organisations cooperate on incident handling. Relevant management system standards include ISO/IEC 27001 (information security management system requirements) and ISO/IEC 27002 (controls guidance).

Keywords

information security, incident management, incident response, incident management plan, incident response team, lessons learned, SOC, IMT, IRT, incident coordination, ISO/IEC 27035

FAQ

Q: What is this standard?

A: ISO/IEC 27035-2:2023 is the second part of the ISO/IEC 27035 series that gives guidance on planning and preparing for information security incident response and on learning lessons from incidents.

Q: What does it cover?

A: It covers policy, governance, incident management planning and testing, team formation and resourcing, internal and external relationships and support, awareness and training, and post‑incident review and improvement. It addresses the “plan and prepare” and “learn lessons” phases of the incident management lifecycle.

Q: Who typically uses it?

A: Security leaders (CISOs), information security managers, SOC/IRT personnel, IT operations, risk and compliance teams, business continuity planners, legal teams and external incident response service providers use this guidance to establish or improve incident preparedness and post‑incident learning.

Q: Is it current or superseded?

A: ISO/IEC 27035-2:2023 is the current, published second edition (published February 2023). It supersedes the first edition, ISO/IEC 27035-2:2016, which has been withdrawn.

Q: Is it part of a series?

A: Yes — it is part of the ISO/IEC 27035 series (incident management). Key related parts are: Part 1 (principles and process), Part 3 (ICT incident response operations) and Part 4 (coordination). Organisations typically use Part 1 for the process model, Part 2 for planning/preparation and lessons learned, Part 3 for operational handling, and Part 4 when multi‑party coordination is required.

Q: What are the key keywords?

A: Incident response, incident management, IMT, IRT, SOC, lessons learned, incident plan, incident coordination, information security.