Inverifi logo


Annex A.16 -Information Security Incidents and Improvements

Get compliant with ISO:27001 – Annex A.16 and simplify compliance for your organisation.

Annex A.16 explains how to manage information security incidents and all requirements necessary for preventing and responding to security incidents. Information security incidents include: any action that threatens the security of operations or violates established policies. These threats may lead to damage or loss of property and information which will negatively impact day to day business.

A.16.1 – Management of information security incidents and improvements

 To ensure the implementation of a consistent and effective process that manages security incidents.

A.16.1.1 Responsibilities and procedures

To ensure that there is a procedure in place to detect system weaknesses and reduce the risk of any incidents. There should be monitoring, identification, analysis and reporting of any incidents relevant to information security. These procedures should be logged and managed. Competent and authorised personnel should handle these security issues, and any relevant external parties should be contacted.

A.16.1.2 Reporting information security events

To ensure that there is a clear and easy to follow procedure for employees or interested parties to report any security incidents to authorised staff as soon as possible. Both employees and management should be made aware of their responsibility to do this and how to achieve and maintain information security.

A.16.1.3 Reporting information security weaknesses

To ensure that employees are informed about how to deal with and report information security weaknesses to management. There should be a procedure in place for employees to follow. The system for reporting security weaknesses should be clear and easy to use.

A.16.1.4 Assessment of and decision on information security events

To ensure that any reported issues about security incidents and weaknesses are assessed and classified as such. The team can then decide on a plan to deal with resolving these issues. The resolution should have as little impact as possible on the organisation’s activities.

A.16.1.5 Response to information security incidents

To ensure that relevant reports of security weaknesses and incidents are responded to and resolved. The incident responder would be required to collect evidence of the incident, determine a root cause, log and verify that the data of the incident is stored in the system, and notify management and all interested parties. Any investigation should be performed after the incident, so that the cause can be determined.

A.16.1.6 Learning from information security incidents

To ensure that the incident analysis result will be used to learn more and improve information security, preventing repetition of the incident. Logs and evidence from the incidents can be later used in user awareness training for employees, to prevent them in the future.

A.16.1.7 Collection of evidence

To ensure the organisation defines, obtains, procures and retains information as documentation. This is performed in case a company needs to exercise criminal or civil action. Protocol for treating evidence should be established and followed. To strengthen the validity of the evidence, certifications and other credentials of applicable staff should be pursued.