Inverifi logo

ISO 27001 Controls: Handling Security Breaches

How to deal with them when to do when they do happen

ISO 27001 controls - handling security incidents illustration image

The purpose of ISO 27001 is to ensure good information security practices within an organisation.


When the standard is implemented correctly, it can prevent many security breaches from happening. However, this isn’t the only purpose of ISO 27001.


It is just as important to have a plan in place, detailing what to do if a security breach does happen, despite the measures taken to prevent it.


Having an appropriate plan in place to handle security breaches is a requirement of ISO 27001 annex A.16.


When you become aware of a security breach, the first thing you must do is disclose this to anyone who it affects.


If you lose your office keyfob, you must tell your boss. If your organisation’s HR records get breached, you must tell your employees. And yes, if customer data gets breached, you must tell your customers.


Informing your data subjects of a security breach is an unpleasant thought. It could damage your reputation, or even get you into legal trouble.


However, there are many reasons you should disclose the security breach.


Firstly, disclosing security breaches to those who need to know, is a requirement of ISO 27001. If you want to be truly compliant, this is one of the steps you must take.


Secondly, in many countries, you are legally required to disclose security breaches to those affected. This is true throughout the EU and in the UK, due to the GDPR (General Data Protection Regulation).


Finally, it is the right thing to do. If someone’s personal information gets breached, they deserve to know, so they have the opportunity to mitigate its effects.


You may not know everything about the security breach right away; that’s fine. Disclose what you know, and then disclose new information as you find it.


When a security breach happens, it’s important to try to find out why it happened. This can help prevent similar breaches from occurring.


Many things can cause a security breach.


Most often, a security breach is caused by an employee violating security policies. For example, they might reuse the same password for multiple online accounts.


A security breach can also be caused by a security flaw in a piece of software used by your organisation.


In any case, the cause of the breach should be documented, and steps should be taken to prevent similar breaches from happening in the future.

Preventive action

Once you have determined the cause of the security breach, you can take preventive action.


In this step, it is important to consider its purpose – to prevent similar security breaches from happening in the future.


If the breach was caused by an employee, you should review previous security incidents that involve them, when considering disciplinary action.


If this is the first occurrence of the employee in question causing a security breach, then, depending on its nature, a stern talking to may be enough to resolve the situation.


If the employee in question has a history of making mistakes and failing to learn from them, unfortunately, it might be necessary to let them go.

Audit trail

When a security breach occurs, it should be documented, along with all the steps taken to handle it.


You may wonder whether you really want to tell your auditor about security breaches that have occurred – the answer is yes.


If you fail to tell your auditor about a security breach, they may find out about the breach elsewhere, and you’d risk losing your certification.


On the other hand, if you tell your auditor about a security breach, this alone doesn’t necessarily mean they’ll revoke your certification.


Given proof that you handled a security breach correctly, a competent auditor will see this, not as a reason to revoke your ISO certification, but as a reason to let you keep it.

Final thoughts

We hope the subject of this blog entry is only useful to your organisation in a hypothetical sense.


That being said, if you’re faced with a security breach, it doesn’t necessarily have to put you out of business, as long as you handle it correctly.


Find the full list of ISO 27001 Controls in our resource section! 


More blogs you might like

Introducing Diagrams feature Image
Product Development
Sam Ryan

Introducing Diagrams

Introducing Diagrams A new way to visualise and connect your organisation’s process flows We are thrilled to announce the release of Diagrams, a brand new

Read More »