1、BS ISO/IEC 27035-2:2016 Information technology Security techniques Information security incident management Part 2: Guidelines to plan and prepare for incident response BSI Standards Publication WB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06BS ISO/IEC 27035-2:2016 BRITISH STANDARD National
2、 foreword The UK participation in its preparation was entrusted to Technical Committee IST/33/4, Security Controls and Services. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purport to include all the necessary provision
3、s of a contract. Users are responsible for its correct application. The British Standards Institution 2016. Published by BSI Standards Limited 2016 ISBN 978 0 580 80186 0 ICS 35.040 Compliance with a British Standard cannot confer immunity from legal obligations. This British Standard was published
4、under the authority of the Standards Policy and Strategy Committee on 30 November 2016. Amendments/corrigenda issued since publication Date Text affected This British Standard is the UK implementation of ISO/IEC 27035-2:2016. Together with BS ISO/IEC 27035-1:2016, it supersedes BS ISO/IEC 27035:2011
5、 which is withdrawn.BS ISO/IEC 27035-2:2016 Information technology Security techniques Information security incident management Part 2: Guidelines to plan and prepare for incident response Technologies de linformation Techniques de scurit Gestion des incidents de scurit de linformation Partie 2: Lig
6、nes directrices pour planifier et prparer une rponse aux incidents INTERNATIONAL STANDARD ISO/IEC 27035-2 Reference number ISO/IEC 27035-2:2016(E) First edition 2016-11-01 ISO/IEC 2016 BS ISO/IEC 27035-2:2016ii ISO/IEC 2016 All rights reserved COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2016, Published in
7、Switzerland All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can
8、be requested from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 copyrightiso.org www.iso.org ISO/IEC 27035-2:2016(E)BS ISO/IEC 27035-
9、2:2016ISO/IEC 27035-2:2016(E)Foreword v Introduction vi 1 Scope . 1 2 Normative references 1 3 T erms, definitions and abbr e viat ed t erms 2 3.1 Terms and definitions . 2 3.2 Abbreviated terms . 2 4 Information security incident management policy . 3 4.1 General . 3 4.2 Involved parties 3 4.3 Info
10、rmation security incident management policy content 4 5 Updating of information security policies . 6 5.1 General . 6 5.2 Linking of policy documents . 6 6 Creating information security incident management plan . 6 6.1 General . 6 6.2 Information security incident management plan built on consensus.
11、 7 6.3 Involved parties 8 6.4 Information security incident management plan content 8 6.5 Incident classification scale 12 6.6 Incident forms 12 6.7 Processes and procedures 12 6.8 Trust and confidence 13 6.9 Handling confidential or sensitive information .14 7 Establishing an incident r esponse t e
12、am (IR T) .14 7.1 General 14 7.2 IRT types and roles .14 7.3 IRT staff 16 8 Establishing r elationships with other or g anizations 19 8.1 General 19 8.2 Relationship with other parts of the organization 19 8.3 Relationship with external interested parties 20 9 Defining t echnical and other support20
13、 9.1 General 20 9.2 Examples of technical support .22 9.3 Examples of other support 22 10 Creating information security incident awareness and training 22 11 Testing the information security incident management plan24 11.1 General 24 11.2 Exercise 24 11.2.1 Defining the goal of the exercise .24 11.2
14、.2 Defining the scope of an exercise .25 11.2.3 Conducting an exercise 25 11.3 Incident response capability monitoring 26 11.3.1 Implementing an incident response capability monitoring program .26 11.3.2 Metrics and governance of incident response capability monitoring 26 12 Lessons learned 27 12.1
15、General 27 12.2 Identifying the lessons learned27 ISO/IEC 2016 All rights reserved iii Contents PageBS ISO/IEC 27035-2:2016ISO/IEC 27035-2:2016(E)12.3 Identifying and making improvements to information security control implementation .28 12.4 Identifying and making improvements to information securi
16、ty risk assessment and management review results 28 12.5 Identifying and making improvements to the information security incident management plan 28 12.6 IRT evaluation .29 12.7 Other improvements .30 Annex A (informative) Legal and regulatory aspects .31 Annex B (informative) Ex ample information s
17、ecurity e v ent , incident and vulner ability reports and forms .34 Annex C (informative) Ex ample appr oaches t o the cat egorization and classification of information security events and incidents 46 Bibliogr aph y .57 iv ISO/IEC 2016 All rights reservedBS ISO/IEC 27035-2:2016ISO/IEC 27035-2:2016(
18、E) Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through tec
19、hnical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take p
20、art in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different a
21、pproval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives). Attention is drawn to the possibility that some of the elements of this document may be the su
22、bject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents)
23、. Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement. For an explanation on the meaning of ISO specific terms and expressions related to conformit y assessment, as well as information about ISOs adherence to the World Trade O
24、rganization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html. The committee responsible for this document is ISO/IEC JTC 1, Information technology, SC 27, IT Security techniques. This first edition of ISO/IEC 27035-2, together with ISO/IE
25、C 27035-1, cancels and replaces ISO/IEC 27035:2011, which has been technically revised. ISO/IEC 27035 consists of the following parts, under the general title Information technology Security techniques Information security incident management: Part 1: Principles of incident management Part 2: Guidel
26、ines to plan and prepare for incident response Further parts may follow. ISO/IEC 2016 All rights reserved vBS ISO/IEC 27035-2:2016ISO/IEC 27035-2:2016(E) Introduction ISO/IEC 27035 is an extension of ISO/IEC 27000 series of standards and it focuses on information security incident management which i
27、s identified in ISO/IEC 27000 as one of the critical success factor for the information security management system. There can be a large gap between an organizations plan for an incident and an organization knowing it is prepared for an incident. Therefore, this part of ISO/IEC 27035 addresses the d
28、evelopment of guidelines to increase the confidence of an organizations actual readiness to respond to an information security incident. This is achieved by addressing the policies and plans associated with incident management, as well as how to establish the incident response team and improve its p
29、erformance over time by adopting lessons learned and by evaluation.vi ISO/IEC 2016 All rights reservedBS ISO/IEC 27035-2:2016Information technology Security techniques Information security incident management Part 2: Guidelines to plan and prepare for incident response 1 Scope This part of ISO/IEC 2
30、7035 provides the guidelines to plan and prepare for incident response. The guidelines are based on the “Plan and Prepare” phase and the “Lessons Learned” phase of the “Information security incident management phases” model presented in ISO/IEC 27035-1. The major points within the “Plan and Prepare”
31、 phase include the following: information security incident management policy and commitment of top management; information security policies, including those relating to risk management, updated at both corporate level and system, service and network levels; information security incident management
32、 plan; incident response team (IRT) establishment; establish relationships and connections with internal and external organizations; technical and other support (including organizational and operational support); information security incident management awareness briefings and training; information
33、security incident management plan testing. The principles given in this part of ISO/IEC 27035 are generic and intended to be applicable to all organizations, regardless of type, size or nature. Organizations can adjust the guidance given in this part of ISO/IEC 27035 according to their type, size an
34、d nature of business in relation to the information security risk situation. This part of ISO/IEC 27035 is also applicable to external organizations providing information security incident management services. 2 Normative references The following documents, in whole or in part, are normatively refer
35、enced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 27000, Information technology Security techniques Information secu
36、rity management systems Overview and vocabulary ISO/IEC 27035-1:2016, Information technology Security techniques Information security incident management Part 1: Principles of incident management INTERNATIONAL ST ANDARD ISO/IEC 27035-2:2016(E) ISO/IEC 2016 All rights reserved 1BS ISO/IEC 27035-2:201
37、6ISO/IEC 27035-2:2016(E) 3 T erms, d efinitions and abbr e viat ed t erms 3.1 T erms and definiti ons For the purposes of this document, the terms and definitions given in ISO/IEC 27000, ISO/IEC 27035-1 and the following apply. ISO and IEC maintain terminological databases for use in standardization
38、 at the following addresses: IEC Electropedia: available at http:/ /www.electropedia.org/ ISO Online browsing platform: available at http:/ /www.iso.org/obp 3.1.1 users people or organizations that utilise services provided by the incident response team (IRT) Note 1 to entry: Users can be internal (
39、within the organization) or external (outside the organization). 3.2 A bbr e viat ed t erms CD compact disk CERT computer emergency response team, sometimes also referred as incident response team (IRT) or computer security response team (CSIRT) DNS domain name system DVD digital versatile disk ICMP
40、 internet control message protocol IDS intrusion detection system IPv4 internet protocol v4 IPv6 internet protocol v6 IRT incident response team ISP internet service provider PoC point of contact SMTP simple mail transfer protocol SSL secure sockets layer protocol TCP transmission control protocol T
41、LP traffic light protocol TLS transport layer security protocol UDP user datagram protocol WiFi wireless fidelity2 ISO/IEC 2016 All rights reservedBS ISO/IEC 27035-2:2016ISO/IEC 27035-2:2016(E) 4 Information security incident management policy 4.1 General NOTE Clause 4, in its entirety, links to ISO
42、/IEC 27035-1:2016, 5.2 a). An organization information security incident management policy should provide the formally documented principles and intentions used to direct decision-making and ensure consistent and appropriate implementation of processes, procedures, etc. with regard to this policy. A
43、ny information security incident management policy should be part of the information security strategy for an organization. It should also support the existing mission of its parent organization and be in line with already existing policies and procedures. An organization should implement an informa
44、tion security incident management policy that outlines the processes, responsible persons, authority and reporting lines (specifically the primary point of contact for reporting suspected incidents) when an information security incident occurs. The policy should be reviewed regularly to ensure it re
45、flects the latest organizational structure, processes, and technology that can affect incident response. The policy should also outline any awareness and training initiatives within the organization that is related to incident response (see Clause 10). An organization should document its policy for
46、managing information security events, incidents and vulnerabilities as a free-standing document, as part of its overall information security management system policy (see ISO/IEC 27001:2013, 5.2), or as part of its Information Security Policies (see ISO/IEC 27002:2013, 5.1.1). The size, structure an
47、d business nature of an organization and the extent of its information security incident management program are deciding factors in determining which of these options to adopt. An organization should direct its information security incident management policy at every person having legitimate access
48、to its information systems and related locations. Before the information security incident management policy is formulated, the organization should identify the following regarding its information security incident management: a) objectives; b) interested parties internally and externally; c) specif
49、ic incident types and vulnerabilities that need to be highlighted; d) any specific roles that need to be highlighted; e) benefits to the whole organization and to its departments. 4.2 Involved parties A successful information security incident management policy should be created and implemented as an enterprise-wide process. To that end, all stakeholders or their representatives should be involved in the development of the policy from the initia
