ISO 27035 Incident Management: Complete Implementation Guide
ISO 27035 is the international standard for information security incident management published by the International Organization for Standardization. It defines a five-phase lifecycle for managing security incidents: Plan and Prepare, Detection and Reporting, Assessment and Decision, Responses, and Lessons Learned. For organizations pursuing ISO 27001 certification or operating across international jurisdictions, ISO 27035 provides the structured framework that auditors expect to see behind your incident response program.
What are the five phases of ISO 27035?
The ISO 27035 framework divides incident management into five sequential phases. Each phase has specific objectives, inputs, and outputs that create a continuous improvement cycle.
| Phase | Objective | Key Activities |
|---|---|---|
| 1. Plan and Prepare | Establish incident management capability | Policies, procedures, team formation, tool selection, training, exercises |
| 2. Detection and Reporting | Identify and report security events | Monitoring, event collection, initial reporting, point-of-contact notification |
| 3. Assessment and Decision | Determine if an event is an incident | Event correlation, impact assessment, incident classification, escalation decisions |
| 4. Responses | Contain, eradicate, and recover | Containment, evidence collection, eradication, recovery, stakeholder notification |
| 5. Lessons Learned | Improve future response capability | Post-incident review, root cause analysis, process improvements, knowledge base updates |
Unlike ad hoc incident response processes, ISO 27035 requires that each phase produces documented outputs that feed into the next phase. This documentation chain creates the audit trail that ISO 27001 auditors evaluate when assessing your incident management control.
How does ISO 27035 map to the three-part standard structure?
ISO 27035 is published in three parts, each addressing a different aspect of the incident management lifecycle. Understanding this structure helps organizations assign implementation responsibilities correctly.
ISO 27035-1 (Principles and process) provides the overarching framework, definitions, and the five-phase lifecycle. This is the part that executives and governance teams should understand. ISO 27035-2 (Planning and preparation) details the requirements for establishing an incident management capability, including team structures, communication plans, and technology requirements. ISO 27035-3 (Operations) covers the technical and procedural details of incident handling, evidence collection, and forensic readiness.
Most organizations begin with ISO 27035-1 to establish the management framework, then use ISO 27035-2 to build the capability, and finally implement ISO 27035-3 for operational procedures. CIRM platforms like IR-OS are designed to support all three parts within a single operating surface.
How does ISO 27035 support ISO 27001 certification?
ISO 27001 Annex A includes control A.16, which requires organizations to establish information security incident management capabilities. ISO 27035 provides the detailed implementation guidance that turns this control requirement into an operational program.
The connection between ISO 27035 and ISO 27001 extends beyond Annex A.16. Effective incident management supports risk assessment (Clause 6.1.2) by providing real-world data about threat frequencies and impact. It supports management review (Clause 9.3) by delivering incident metrics and trend analysis. And it drives continual improvement (Clause 10.1) through the lessons learned phase.
How do you implement ISO 27035 without a dedicated security team?
Many mid-market organizations lack a dedicated security operations center or a full-time incident response team. ISO 27035 can still be implemented effectively by adapting the framework to available resources.
The standard does not mandate a specific team size. It requires that roles and responsibilities are defined, that communication channels are established, and that procedures exist for each phase. A smaller organization might assign incident management responsibilities to existing IT staff, supplement with a managed security service provider (MSSP) for detection and technical response, and use a CIRM platform to coordinate the human decision-making that cannot be outsourced.
The incident command role structure provides a practical way to assign ISO 27035 responsibilities across a small team. Each role maps directly to ISO 27035 phase responsibilities, ensuring coverage without requiring dedicated headcount for each function.
For organizations considering external support, an incident response retainer can provide the specialized forensic and technical capabilities that ISO 27035-3 describes, while the internal team manages the coordination framework defined in ISO 27035-1 and 27035-2.
How does ISO 27035 compare to NIST SP 800-61?
Both ISO 27035 and NIST SP 800-61 provide incident response frameworks, but they differ in scope, audience, and integration points.
| Dimension | ISO 27035 | NIST SP 800-61 |
|---|---|---|
| Scope | Management framework integrated with ISO 27000 family | Technical implementation guidance |
| Geographic focus | International | U.S.-centric (widely adopted globally) |
| Phases | 5 phases (includes explicit planning phase) | 4 phases (Preparation, Detection, Containment, Post-Incident) |
| Certification link | Supports ISO 27001 Annex A.16 | Supports FISMA, FedRAMP compliance |
| Cost | Paid standard (available from ISO) | Free (published by NIST) |
| Update cycle | Revised periodically by ISO/IEC JTC 1/SC 27 | Rev. 2 published 2012, Rev. 3 in development |
Organizations operating across international jurisdictions often implement both frameworks. ISO 27035 serves as the management-level framework that satisfies auditors and regulators outside the U.S., while NIST SP 800-61 provides the technical implementation detail. CISA's cybersecurity best practices also provide complementary guidance for building incident response capabilities.
What tools support ISO 27035 compliance?
Implementing ISO 27035 effectively requires tooling that supports the standard's documentation, communication, and continuous improvement requirements. Spreadsheets and wikis break down under the pressure of a real incident.
A CIRM platform supports ISO 27035 by providing structured workflows for each of the five phases, maintaining the documentation chain that auditors require, and generating the after-action reports that drive the lessons learned phase. The defensible record capability in IR-OS directly supports the evidence preservation requirements in ISO 27035-3.
The IR-OS glossary maps common incident response terminology to ISO 27035 definitions, helping teams maintain consistent language across their program. Consistent terminology is a specific requirement in ISO 27035-1 and a common audit finding when missing.
Frequently Asked Questions
Can we self-certify against ISO 27035?
ISO 27035 is not a certifiable standard. You cannot receive a certificate of compliance. However, you can declare alignment with the framework and use it as evidence supporting your ISO 27001 certification. The standard functions as implementation guidance rather than a certification target.
How often should we review our ISO 27035 implementation?
The standard recommends reviewing the incident management process after every significant incident and at planned intervals. Most organizations conduct formal reviews quarterly and trigger additional reviews after incidents that reveal process gaps. The lessons learned phase should feed directly into planning improvements for the next cycle.
Does ISO 27035 cover data breach notification?
ISO 27035-1 includes notification as part of the Responses phase, but it does not prescribe specific notification timelines. Regulatory notification deadlines (GDPR 72 hours, SEC four business days, HIPAA 60 days) are defined by applicable laws, not by ISO standards. Your ISO 27035 implementation should incorporate the regulatory deadlines relevant to your jurisdiction.
Align your IR program with ISO 27035
IR-OS provides the structured workflows, documentation chain, and after-action reviews that ISO 27035 requires.