Information Security Incident Management Standard under Revision

Hi, it's Masaki Kubo. I’ve just returned from my trip to Incheon, Korea, where we had an ISO/IEC JTC 1/SC 27 meeting on standardization of IT security techniques. JPCERT/CC has been engaged in this standardization effort through the Japanese national body over the past years, and I participated particularly in the revision work of ISO/IEC 27035:2011 on information security incident management.

ISO/IEC 27035:2011 was published in 2011, and right after its publication it was put up for a so-called "early revision" [1]. Now the experts have divided the document into 3 parts for review:

- 27035 Part 1:
    Principles of incident management

- 27035 Part 2:
    Guidelines to plan and prepare for incident response

- 27035 Part 3:
    Guidelines for incident response operations

All 3 parts are now in the 3rd Working Draft (WD) stage, and it was just agreed to go into the 4th stage. Since the WD documents are not official ISO documents yet, we still have the right to propose amendments to them. If the documents pass the 4th WD stage, they will then proceed to the 1st Committee Draft (CD) [2].

27035 Part 1 inherits most of the text from the published standard 27035:2011 and is summarized to address only the principles: what incident management is, what steps should be taken to prepare for incidents and to respond to them, etc. Because this part gives the overall structure for 27035 Parts 2 and 3, it should be well elaborated, and in this sense, I think it has achieved good maturity for the 3rd WD stage. Incident management phases mentioned in 27035 Part 1 include the following 6 phases:

    - Plan and Prepare
    - Detection and Reporting
    - Assessment and Decision
    - Responses
    - Post Incident Activity
    - Lessons Learnt

27035 Part 2 gives guidelines to prepare for incidents. Japan contributed several comments to restructure the overall document, which were well accepted by the editor. Now the structure of Part 2 is in sync with the incident management phases referred to in Part 1. Topics covered in this part include:

    - Establishing information security incident management policy
    - Creating an information security incident management scheme
    - Establishing an Incident Response Team (IRT)
    - Defining technical and other support
    - Creating information security incident awareness and training
    - Testing the information security incident management scheme
    - Lessons Learnt

Although the structure of the document is getting into better shape, it requires more body text, so we are seeking more contributions from the national bodies.

27035 Part 3 gives a guideline for incident handling operations. This is an operational guideline and the current discussion may not be neutral enough for an ISO document. Also, it still lacks a structure that makes it easy to comprehend. However, the overall text is improving and I hope it will settle better before we move on to the CD stage.

There already exist several best practice guides on incident management, and you may question why another one from ISO. One answer is that we have standardization projects in SC 27/WG 4 around incidents, such as digital forensics, data storage security, SIEM, etc., and cannot omit incident management. Another answer is that there are people who wish to refer to neutral, standardized guidelines, and ISO is the place to offer them.

JPCERT/CC wishes to continue contributing to this project, so that the standardization will be consistent with the practice of the CSIRT community.

Last but not least, FIRST (Forum of Incident Response and Security Teams) has also established a liaison relationship with ISO/IEC JTC 1/SC 27. If you are a FIRST Member and would like to contribute to this project, please visit FIRST’s website on ISO Activities for further information. Even if you are not a FIRST Member, there are several ways you can submit your comments to ISO:

- Your organization may have a person who is already involved in the standardization effort so you can work with that person.

- You can work with your national standardization body.

Whichever avenue you choose to use, your contribution will be much appreciated.

- Masaki Kubo

[1] According to the standard procedure, all international standards are reviewed at least every five years.

[2] After going through the CD, the documents will go to the Draft International Standard (DIS) stage, and then to the Final Draft International Standard (FDIS) stage, after which they are finally issued as official ISO documents.