Incident Command Platform

ISO/IEC 27035 - International Incident Management Standard

ISO/IEC 27035 is the international standard for information security incident management, published by ISO and IEC jointly. The standard is split into three parts: 27035-1:2023 (Principles and process), 27035-2:2023 (Guidelines to plan and prepare for incident response), and 27035-3:2020 (Guidelines for ICT incident response operations). It is the most commonly referenced IR standard outside the United States and is required for organizations seeking ISO/IEC 27001 certification.

Source: ISO/IEC 27035-1:2023, 27035-2:2023, 27035-3:2020.

The Five-Phase ISO 27035 Process

ISO/IEC 27035-1:2023 defines a five-phase information security incident management process:

  1. Plan and Prepare: policy, roles, awareness, infrastructure
  2. Detect and Report: incident detection, initial reporting
  3. Assess and Decide: triage, classification, decision to invoke response
  4. Respond: containment, eradication, recovery
  5. Learn Lessons: review, improvement, knowledge sharing

ISO 27035 vs NIST 800-61

The two standards are similar in spirit. NIST 800-61 Rev. 3 has six phases; ISO 27035 has five, with Containment, Eradication, and Recovery rolled into a single "Respond" phase. NIST is more prescriptive and operationally detailed; ISO is more outcome-oriented and easier to certify against. Most mature organizations align to one as their primary framework and use the other for gap-checking.

Relationship to ISO/IEC 27001 and 27002

ISO/IEC 27001 (the management system standard) requires organizations to manage information security incidents; the corresponding controls (5.24 through 5.28) are catalogued in ISO/IEC 27002 and listed in 27001 Annex A. ISO/IEC 27035 provides the detailed implementation guidance for those controls, and auditors assessing against 27001 frequently reference 27035 as the expected implementation pattern.

Run ISO 27035 incident management

IR-OS supports ISO/IEC 27035 phases and produces defensible records aligned to ISO/IEC 27001 audit requirements.