12: Information Security Incident Management
This category focuses on ensuring a consistent and effective approach to managing information security incidents, including communication on security events and weaknesses. It involves planning, monitoring, and responding to incidents to minimize adverse impacts and ensure that lessons are learned to prevent future incidents.
Controls (A.16):
A.16.1.1: Responsibilities and Procedures
A.16.1.2: Reporting Information Security Events
A.16.1.3: Reporting Information Security Weaknesses
A.16.1.4: Assessment of and Decision on Information Security Events
A.16.1.5: Response to Information Security Incidents
A.16.1.6: Learning from Information Security Incidents
A.16.1.7: Collection of Evidence
Control A.16.1.1: Responsibilities and Procedures
Audit Questions:
Are there documented procedures for managing information security incidents?
Who is responsible for managing and responding to security incidents?
How are these responsibilities communicated?
Common Non-Conformities (NC):
Lack of documented incident management procedures.
Unclear or undefined responsibilities for incident management.
Inadequate communication of incident management responsibilities.
Control A.16.1.2: Reporting Information Security Events
Audit Questions:
Are there procedures for reporting information security events?
How are security events reported, and to whom?
Common Non-Conformities (NC):
No procedures for reporting security events.
Delays or failures in reporting security events.
Control A.16.1.3: Reporting Information Security Weaknesses
Audit Questions:
How are information security weaknesses reported?
Are there channels for employees to report weaknesses confidentially?
Common Non-Conformities (NC):
No procedures for reporting security weaknesses.
Employees unaware of reporting channels.
Control A.16.1.4: Assessment of and Decision on Information Security Events
Audit Questions:
How are security events assessed and decisions made regarding their handling?
Are there criteria for assessing the severity of events?
Common Non-Conformities (NC):
Inadequate assessment procedures for security events.
Lack of criteria for assessing event severity.
Control A.16.1.5: Response to Information Security Incidents
Audit Questions:
What are the procedures for responding to information security incidents?
How is the effectiveness of incident response measured?
Common Non-Conformities (NC):
No response procedures for security incidents.
Poor measurement of incident response effectiveness.
Control A.16.1.6: Learning from Information Security Incidents
Audit Questions:
Are there processes for learning from information security incidents?
How are lessons learned documented and communicated?
Common Non-Conformities (NC):
No processes for learning from incidents.
Lessons learned not documented or communicated.
Control A.16.1.7: Collection of Evidence
Audit Questions:
How is evidence collected and preserved during incident investigation?
Are there procedures to ensure evidence integrity?
Common Non-Conformities (NC):
Inadequate evidence collection procedures.
Lack of measures to ensure evidence integrity.