Our company has a good incident response plan in place; however, it's a requirement of ISO 27001 that we also have an incident management procedure. Do we need this in addition?
ISO 27001 does not require an incident management procedure to be documented, so you only need to document one in case you have a legal requirement (e.g., law, regulation, or contract) demanding that such a procedure be documented.
Only response plans require documentation, in case control A.16.1.5 (Response to information security incidents) is stated as applicable in the Statement of Applicability.
Aug 10, 2022