Expert Advice Community

Guest

Annex A.16

  Quote
Guest
Guest user Created:   Jun 02, 2021 Last commented:   Jun 02, 2021

Annex A.16

Hello Support,

I am working onISO 27001 – Annex A.16: Information Security Incident Management in our organization.  

How should companies define roles and responsibilities when they are dealing with multiple incidents that need to be handled by separate departments? For instance incidents related to SFTP server and SQL server should be forwarded to IT department but our SaaS service issues should be forwarded to software development department.

Also, I know in the tool kit we purchase there is an incident management procedure which I can edit it based on our organization, but I wonder if we should have multiple different incident response plan for different incidents or not.

0 0

Assign topic to the user

Assign

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Jun 02, 2021

1.            How should companies define roles and responsibilities when they are dealing with multiple incidents that need to be handled by separate departments? For instance, incidents related to SFTP server and SQL server should be forwarded to IT department, but our SaaS service issues should be forwarded to software development department.

Answer: ISO 27001 does not prescribe how to define roles and responsibilities, so organizations can adopt the approach that better fit their needs. For your stated scenario, defining roles and responsibilities considering which department handles which type of incident is an acceptable and effective approach.

To decrease complexity for users, you should consider defining unified channels of communication, i.e., all types of incidents would be reported through the same channels, and the person, or system, receiving them would evaluate to which department forward the reports.

For further information, see:
- How to handle incidents according to ISO 27001 A.16 https://advisera.com/27001academy/01academy/emy/ademy/my/blog/15/10/26/how-to-handle-incidents-according-to-iso-27001-a-16/
- Using ITIL to implement ISO 27001 incident management https://advisera.com/27001academy/01academy/emy/ademy/my/blog/15/11/10/using-itil-to-implement-iso-27001-incident-management/t/

2. Also, I know in the tool kit we purchase there is an incident management procedure which I can edit it based on our organization, but I wonder if we should have multiple different incident response plan for different incidents or not.

Answer: Please note that an incident response plan is not required for ISO 27001. In case you want to write such a document, the usual practice for smaller companies is including all plans within one document, and for larger organizations each incident is covered in a separate incident response plan.

 

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Jun 02, 2021

Jun 02, 2021