Controls: A.5.24 / A.5.25 / A.5.26 / A.5.27 (ISO/IEC 27001:2022 Annex A); related: IR-4 / IR-8

A.5.24 / A.5.25 / A.5.26 / A.5.27 — Is incident management planned, with assessment, response and lessons-learned processes?

Demonstrate that a documented information security incident management process exists with defined planning, assessment, response, and lessons-learned phases supported by appropriate roles, procedures, and evidence of operational use.

Description

What this control does

This control requires the organization to operate a formal information security incident management program. It spans four Annex A controls: planning and preparation (A.5.24), assessment of security events and the decision on whether each one is an incident, including its severity and impact (A.5.25), response to confirmed incidents (A.5.26), and learning from incidents (A.5.27). The program must define roles and responsibilities, escalation paths, communication protocols, evidence preservation, and integration with business continuity and legal functions. Run consistently, it shortens attacker dwell time, limits damage, supports regulatory reporting obligations, and feeds corrective actions back into the control set through post-incident analysis.

Control objective

What auditing this proves

Completing the testing procedure below shows that the incident management process is operated, not merely documented: policy and procedures cover the planning, assessment, response, and lessons-learned phases; incident response roles are assigned with the authority and tooling to act; and sampled incidents carry retained evidence of each phase being applied and of corrective actions tracked to closure.

Associated risks

Risks this control addresses

  • Delayed incident detection and response due to absence of clear assessment criteria and escalation procedures, increasing attacker dwell time and impact
  • Inadequate evidence preservation and forensic handling leading to inability to prosecute attackers, determine root cause, or meet regulatory reporting obligations
  • Uncoordinated response activities across technical, legal, communications, and business teams resulting in conflicting actions and reputational damage
  • Repeated incidents from the same root cause due to failure to perform post-incident analysis and implement corrective actions
  • Non-compliance with breach notification requirements under GDPR, HIPAA, PCI DSS or other regulations due to undefined incident classification and reporting timelines
  • Loss of business continuity during major incidents due to lack of integration between incident response and disaster recovery procedures
  • Unauthorized disclosure of incident details to media or third parties in absence of defined communication protocols

Testing procedure

How an auditor verifies this control

  1. Obtain and review the organization's Information Security Incident Management Policy and supporting procedures covering planning, assessment, response, and lessons-learned phases
  2. Verify that incident classification criteria exist defining severity levels, escalation thresholds, and corresponding response timelines
  3. Review documented roles and responsibilities including incident response team composition, contact lists, and authority for decision-making during incidents
  4. Select a sample of 5-10 incidents from the past 12 months and examine incident records for evidence of assessment activities including impact analysis, severity classification, and affected asset identification
  5. Trace the same incident sample through response activities and verify evidence of containment actions, eradication measures, recovery steps, and stakeholder communications documented in ticketing or case management systems
  6. Review post-incident reports or lessons-learned documentation for the sampled incidents to confirm root cause analysis, control effectiveness evaluation, and identification of corrective actions
  7. Verify that identified corrective actions from previous incidents have been tracked to closure through change records, remediation tickets, or project documentation
  8. Conduct interviews with incident response team members to validate awareness of procedures, access to required tools and authority, and participation in recent tabletop exercises or simulations
Evidence required

Collect the Information Security Incident Management Policy and procedures, the incident classification matrix, the incident response team charter with contact lists, exports from incident tracking systems showing assessment and response activities for the sampled incidents, post-incident review reports with lessons learned and corrective actions, evidence of remediation tracking (change tickets, project plans), and records of incident response training or tabletop exercises conducted within the past 12 months.

Pass criteria

The control passes if documented incident management procedures exist covering the planning, assessment, response, and lessons-learned phases, sampled incidents demonstrate consistent application of the assessment criteria and response activities with documented outcomes, and post-incident reviews result in tracked corrective actions that are implemented.