ISO/IEC 27035:2016 Information Technology, Security Techniques, and Information Security Incident Management

Status: Final Published

Date: September 2011, Version 1; November 2016, Revised Region: Global

Document: Link


ISO 27035 is a two-part standard developed by the ISO and the IEC, notably the ISO/IEC JTC 1/SC 27 Technical Committee on Information security, cybersecurity and privacy protection.
The first part tackles the basic principles of incident management and the second part provides guidelines to plan and prepare for incident response. Together, they form the basis for generic information security incident management that can be applied across all sectors to all organizations, regardless of type, size, or nature. They are available for purchase online in digital or paper copy.
The standards form part of the internationally regarded and adopted 27000 series on information security management, of which the primary standard is ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary.


The goal of the standard is to provide a framework for organizations to be able to:

  • Detect, report, and assess information security incidents
  • Respond to information security incidents, including the activation of appropriate controls to prevent, reduce, and recover from impacts
  • Report information on security vulnerabilities, so they can be assessed and dealt with appropriately
  • Learn from information security incidents and vulnerabilities, institute preventive controls, and make improvements to the overall approach to information security incident management.

The first part of the standard focuses on the basic concepts and principles, followed by a descriptive of the objectives of incident management, the benefits of a structured approach, and the adaptability required for implementation. Five phases are broken out and these include planning and preparing, detection and reporting, assessment and decision, responses, and lessons learned. This is the standard format used globally for incident management.

The second part is based on the planning and preparing phase, and the lessons learned phase of the first part of the standard. For the first phase, this includes the following:

  • Information security incident management policy and commitment of top management
  • Information security policies, including those related to risk management, updated at both corporate level and the system, service, and network levels
  • Information security incident management plan
  • Incident Response Team (IRT) establishment
  • Establish relationships and connections with internal and external organizations
  • Technical and other support (including organizational and operational support)
  • Information security incident management awareness briefings and training
  • Information security incident management plan testing

With regard to the lessons learned phase, the guidelines deal with identifying the lessons learned and making improvements on information security control implementation, risk assessment, management review results, and the incident management plan, as well as IRT evaluation.
The Annex includes legal and regulatory aspects to consider, as well as example reports, forms, and approaches that can be used.
Within the automotive industry, ISO 27035 is used as a foundation for developing an adapted incident response mechanism that can fit the needs of the industry. The Automotive Cybersecurity Incident Response Pocket Guide (Version 1.0) developed by the Automotive Quality Institute and Fraunhofer in Germany is one such example.


The standard is currently under review and will eventually be replaced with ISO/IEC WD 27035-1 Information Technology — Security Techniques — Information Security Incident Management — Part 1: Principles Of Incident Management and ISO/IEC WD 27035-2 Information Technology — Security Techniques — Information Security Incident Management — Part 2: Guidelines To Plan And Prepare For Incident Management.
Further, it is likely that ISO/SAE CD 21434 on Road Vehicles — Cybersecurity Engineering which is currently under development, will include specifics on incident management, using ISO 27035 as its foundation and adapting it to the automotive industry.

Learn how we bring peace of mind for millions of drivers