ISO 27001 A.5.26: Response to information security incidents
What This Control Requires
Information security incidents shall be responded to in accordance with the documented procedures.
In Plain Language
Planning is covered by A.5.24. This control is about execution - when an incident is declared, you follow the plan. No improvising, no skipping steps, no relying on heroics from individual engineers. An effective response follows a clear sequence: contain the damage, investigate to understand what happened and how far it spread, eradicate the threat, recover to normal operations, and communicate with stakeholders throughout. Each step needs to happen in a coordinated, structured way that is proportionate to the severity.

Documentation in real time is non-negotiable. Every action, decision, and piece of evidence needs to be recorded as it happens. You will need this for the post-incident review, for regulatory compliance (GDPR notification timelines start ticking), and potentially for legal proceedings.
How to Implement
When an incident is declared, activate the response plan. Assign an incident manager as the single point of coordination and accountability. Open a case in your incident tracking system and start logging everything.

Contain first. Stop the bleeding - isolate affected systems, block malicious IPs, disable compromised accounts, segment the network. Distinguish between short-term containment (immediate emergency actions) and long-term containment (sustainable measures while you prepare eradication).

Investigate in parallel with containment. Collect and preserve evidence following forensic best practices. Determine scope: what systems and data are affected, how the attacker got in, when the initial compromise occurred, and whether data has been exfiltrated. Use forensic tools appropriate to the incident type.

Eradicate the root cause. Remove malware, patch the vulnerability that was exploited, reset compromised credentials, rebuild affected systems if necessary. Do not cut corners here - verify that all indicators of compromise have been addressed before moving on.

Recover methodically. Verify restored systems are clean and functional before putting them back into production. Monitor closely for signs of re-compromise. Communicate realistic restoration timelines to stakeholders.

Manage communications throughout. Keep management and affected teams informed internally. Externally, you may need to notify customers, partners, and regulators. GDPR Article 33 gives you 72 hours for supervisory authority notification. Use pre-drafted templates to save time under pressure.
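As an added illustration of the real-time, tamper-evident record keeping and the 72-hour notification clock described above (example code written for this page, not AuditFront's or any product's): an incident case whose action log is hash-chained so that later edits or deletions are detectable, and which reports where the case stands against the Article 33 window and whether the lifecycle is complete enough to close. The class, method and phase names are assumptions, not terms from the standard.

```python
import hashlib
import json
from datetime import timedelta

# Hypothetical incident case record (added example, not any product's code):
# an append-only, hash-chained action log plus the GDPR Article 33 72h clock.
NOTIFY_WINDOW = timedelta(hours=72)

def digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class IncidentCase:
    def __init__(self, case_id, detected_at):
        self.case_id = case_id
        self.detected_at = detected_at   # the 72h clock starts at awareness
        self.regulator_notified_at = None
        self.entries = []                # each entry carries its predecessor's hash

    def log(self, at, phase, actor, action):
        """Record one action as it happens; entries are never edited in place."""
        body = {"at": at.isoformat(), "phase": phase, "actor": actor, "action": action,
                "prev": self.entries[-1]["hash"] if self.entries else "0" * 64}
        body["hash"] = digest(body)
        self.entries.append(body)
        return body["hash"]

    def record_regulator_notification(self, at, actor):
        self.regulator_notified_at = at
        return self.log(at, "communication", actor, "supervisory authority notified")

    def verify_chain(self):
        """True only if no recorded entry was altered or removed after the fact."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def notification_status(self, now):
        """'notified', 'overdue', or whole hours left in the 72h window."""
        if self.regulator_notified_at is not None:
            return "notified"
        left = self.detected_at + NOTIFY_WINDOW - now
        return "overdue" if left <= timedelta(0) else f"{int(left.total_seconds() // 3600)}h left"

    def can_close(self):  # containment, eradication and recovery must be on record
        return {"containment", "eradication", "recovery"} <= {e["phase"] for e in self.entries}
```

Run `verify_chain()` before handing the record to the post-incident review or to counsel; a False result means the timeline was changed after it was written.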
Evidence Your Auditor Will Request
- Incident response records showing documented handling of recent incidents
- Evidence of containment actions taken during incidents
- Forensic investigation reports or analysis documentation
- Communication records showing stakeholder notifications during incidents
- Incident tracking system showing the lifecycle of incidents from detection to closure
Common Mistakes
- Incidents are handled ad hoc without following documented procedures
- Incident response actions are not documented in real time
- Containment is delayed because response procedures are unclear or unavailable
- Evidence is not preserved properly during incident response
- Regulatory notification obligations are not met within required timeframes
Frequently Asked Questions
What should be documented during incident response?
When should we involve law enforcement?