Expert Advice Community

Annex A.16

Guest user, created: Jun 02, 2021, last commented: Jun 02, 2021

Hello Support, I am working on ISO 27001 – Annex A.16: Information Security Incident Management in our organization. How should companies define roles and responsibilities when they are dealing with multiple incidents that need to be handled by separate departments? For instance, incidents related to the SFTP server and SQL server should be forwarded to the IT department, but our SaaS service issues should be forwarded to the software development department. Also, I know in the toolkit we purchased there is an incident management procedure which I can edit based on our organization, but I wonder if we should have multiple different incident response plans for different incidents or not.

Expert: Rhand Leal, Jun 02, 2021

1. How should companies define roles and responsibilities when they are dealing with multiple incidents that need to be handled by separate departments? For instance, incidents related to the SFTP server and SQL server should be forwarded to the IT department, but our SaaS service issues should be forwarded to the software development department.

Answer: ISO 27001 does not prescribe how to define roles and responsibilities, so organizations can adopt the approach that best fits their needs. For your stated scenario, defining roles and responsibilities according to which department handles which type of incident is an acceptable and effective approach.

To decrease complexity for users, you should consider defining unified channels of communication, i.e., all types of incidents would be reported through the same channels, and the person, or system, receiving them would evaluate to which department to forward the reports.

For further information, see:
- How to handle incidents according to ISO 27001 A.16 https://advisera.com/27001academy/blog/2015/10/26/how-to-handle-incidents-according-to-iso-27001-a-16/
- Using ITIL to implement ISO 27001 incident management https://advisera.com/27001academy/blog/2015/11/10/using-itil-to-implement-iso-27001-incident-management/t/

2. Also, I know in the toolkit we purchased there is an incident management procedure which I can edit based on our organization, but I wonder if we should have multiple different incident response plans for different incidents or not.

Answer: Please note that an incident response plan is not required for ISO 27001. In case you want to write such a document, the usual practice for smaller companies is to include all plans within one document, and for larger organizations each incident is covered in a separate incident response plan.
