ISO 27035 — Information Security Incident Management: A Complete Implementation Guide
Quick Reference Box
| Attribute | Detail |
|---|---|
| Standard | ISO/IEC 27035 (Parts 1–4) |
| Domain | Information Security Incident Management |
| Phases | 5 (Plan, Detect, Assess, Respond, Learn) |
| Parent Framework | ISO/IEC 27001 ISMS |
| Implementation Time | 3–6 months (typical) |
| Team Required | CSIRT/SOC, Legal, Communications |
| Aligned Standards | NIST SP 800-61, ENISA CSIRT, MITRE ATT&CK |
| Latest Editions | ISO/IEC 27035-1:2023, 27035-2:2023, 27035-3:2020 |
Introduction
Even the most mature security programs experience incidents. The difference between an organization that contains a breach in hours and one that finds itself on the front page of the financial press is rarely the strength of preventive controls — it is the quality of the incident management capability. ISO/IEC 27035 is the international standard that codifies how to plan, detect, assess, respond to, and learn from information security incidents.
The standard is published as a multi-part series. Part 1 sets out the principles and process model. Part 2 provides detailed guidelines for planning and preparation. Part 3 addresses ICT incident response operations. Part 4 focuses on coordination. Together, they provide a complete blueprint for building a Computer Security Incident Response Team (CSIRT) capability that satisfies regulators, customers, and insurers alike.
This implementation guide is written for CISOs, SOC managers, security architects, and compliance officers who are building a new incident response function or maturing an existing one. We walk through every phase of the ISO 27035 model, translate the standard's requirements into actionable steps, and share lessons from real-world engagements. By the end, you will have a clear roadmap for documentation, tooling, training, and testing — and a defensible evidence trail for ISO 27001 audits, regulatory reporting (NIS2, DORA, GDPR), and board-level governance.
Scope & Application
ISO 27035 applies to any organization that handles information assets and may be subject to information security incidents — which is to say, every organization. The standard is sector-agnostic and scale-agnostic: a regional credit union and a global cloud provider both benefit from its structured approach, though the depth of implementation will differ.
The standard's primary uses are:
- Designing and operating a CSIRT/SOC: providing the framework for team structure, processes, and tooling.
- Satisfying ISO 27001 Annex A controls: particularly A.5.24–A.5.30 covering information security incident management, evidence collection, and ICT readiness for business continuity.
- Meeting regulatory incident reporting obligations: NIS2 (24/72-hour reporting), DORA (financial-sector ICT incidents), GDPR (72-hour data breach notification), HIPAA, PCI DSS, and sector-specific regimes.
- Supporting cyber insurance requirements: insurers increasingly demand evidence of incident response capability before underwriting.
- Enabling third-party assurance: customers and supply-chain partners conduct incident readiness due diligence.
ISO 27035 is complementary to other frameworks rather than competing with them. Many organizations adopt NIST SP 800-61 for tactical playbooks, MITRE ATT&CK for adversary modeling, and ENISA CSIRT guidance for European context — all wrapped within an ISO 27035 governance shell. The standard is also closely aligned with ISO 22301 (business continuity) for major incidents that escalate into crisis events.
Importantly, ISO 27035 distinguishes between events, incidents, and vulnerabilities. An event is any observable occurrence; an incident is one or more events that have a significant probability of compromising business operations and threatening information security. This distinction matters: triage discipline depends on it.
Key Requirements / Core Concepts
ISO 27035 organizes incident management around a five-phase lifecycle, supported by governance, training, and continuous improvement.
Phase 1: Plan and Prepare
The foundation of incident management is preparation. Required elements include:
- Information security incident management policy, approved by executive leadership.
- Incident response plan and playbooks for top scenarios (ransomware, data breach, DDoS, insider threat, third-party compromise).
- CSIRT charter defining mandate, authority, scope, and escalation.
- Roles and responsibilities matrix (RACI), including legal, HR, communications, and executive stakeholders.
- Tooling: SIEM, EDR, ticketing, secure communications, forensic acquisition, threat intelligence.
- Awareness and training for general staff and specialized CSIRT members.
Phase 2: Detection and Reporting
Effective detection blends technical telemetry (SIEM correlation, EDR alerts, network monitoring, threat intelligence feeds) with human reporting channels (a phishing-report button, a dedicated hotline, a clear internal URL). The standard emphasizes multiple, redundant reporting paths so that reporters never have a reason not to report.
Phase 3: Assessment and Decision
Each reported event undergoes triage to determine whether it constitutes an incident, its severity, and its category. ISO 27035 recommends a two-tier classification — initial triage by SOC analysts, followed by escalation to senior responders for high-severity cases. Classification taxonomies should align with NIS2 reporting categories where applicable.
Phase 4: Response
Response activities include containment, eradication, recovery, and communication. The standard requires:
- Containment strategies (short-term and long-term) preserving evidence.
- Forensic-grade evidence handling with chain-of-custody documentation.
- Stakeholder communications — internal, customer, regulator, law enforcement, public.
- Recovery validation before declaring closure.
Phase 5: Lessons Learned
Every incident — and every significant near-miss — must trigger a post-incident review. Outputs feed back into policy, controls, training, and the risk register.
💡 Pro Tip: Run a tabletop exercise within the first 30 days of standing up your CSIRT. Discovering process gaps in a simulation is far cheaper than discovering them during a live ransomware event.
💡 Pro Tip: Pre-draft regulatory notification templates for GDPR, NIS2, and DORA. During a live incident, the legal clock starts immediately — having templates ready saves hours of wordsmithing under pressure.
💡 Pro Tip: Maintain a war-room runbook with executive call sheets, retainer details for forensic and legal counsel, and out-of-band communication channels. Assume primary email and Teams may be compromised.
Approach
A pragmatic ISO 27035 implementation follows six structured phases, each producing concrete deliverables that auditors and executives can review.
Phase 1: Governance Foundation
Secure executive sponsorship and publish the Information Security Incident Management Policy. Establish the CSIRT charter, mandate, and authority. Define the incident classification taxonomy and severity matrix. This phase typically takes 3–4 weeks.
Phase 2: Process and Playbook Development
Document the end-to-end incident lifecycle process. Develop targeted playbooks for the top 6–10 incident scenarios specific to your threat landscape. Each playbook should include detection signals, containment options, communication templates, and decision trees.
Phase 3: Tooling and Telemetry
Deploy or tune the technology stack: SIEM use cases, EDR coverage, log centralization, ticketing workflow, secure out-of-band communications, and forensic toolkit. Validate that detection coverage maps to MITRE ATT&CK techniques relevant to your environment.
Phase 4: Team Build and Training
Recruit, contract, or up-skill the CSIRT. Define on-call rotations. Deliver role-based training: general awareness for all staff, advanced response training for the core team, executive briefings for leadership.
Phase 5: Exercise and Validate
Run tabletop exercises quarterly and technical simulations / purple team exercises annually. Document gaps and feed corrective actions into the improvement backlog.
Phase 6: Operate and Improve
Move into steady-state operation with KPIs: mean time to detect (MTTD), mean time to respond (MTTR), playbook coverage, exercise completion. Feed metrics into management review.
Implementation Roadmap
| Phase | Duration | Key Deliverables | Owner |
|---|---|---|---|
| 1. Governance | 3–4 weeks | Policy, CSIRT charter, taxonomy | CISO |
| 2. Playbooks | 4–6 weeks | Process doc, 6–10 playbooks | SOC Lead |
| 3. Tooling | 6–8 weeks | SIEM/EDR, comms, forensics | Security Eng |
| 4. Team & Training | 4–6 weeks | Org chart, training records | CISO/HR |
| 5. Exercises | 4 weeks | Tabletop & sim reports | CSIRT Lead |
| 6. Operate | Ongoing | KPI dashboards, management review minutes | SOC Manager |
✅ Checklist
- Incident management policy approved
- CSIRT charter published
- Top playbooks documented
- SIEM/EDR coverage validated
- On-call rotation operational
- Tabletop exercise completed
- Regulatory notification templates ready
- KPI dashboard live
Certification / Completion Process
ISO 27035 is not directly certifiable, but it underpins ISO 27001 certification and several specialist credentials.
Organizational Path
Implementation maturity is demonstrated through:
- ISO 27001 audit evidence — auditors examine the policy, playbooks, training records, exercise reports, and incident logs.
- Regulatory inspection readiness — NIS2, DORA, and GDPR supervisory authorities increasingly review incident management capability.
- CSIRT accreditation — frameworks such as TF-CSIRT Trusted Introducer, FIRST membership, or CREST CSIR provide formal external validation of CSIRT maturity.
Individual Certification Path
Practitioners can pursue:
- ISO/IEC 27035 Lead Incident Manager (PECB, others) — typically a 5-day course with examination
- GIAC Certified Incident Handler (GCIH)
- CREST Certified Incident Manager (CCIM)
- EC-Council Certified Incident Handler (ECIH)
These credentials cover the ISO 27035 framework, technical response skills, evidence handling, and communications. Recertification is typically every three years through CPD or re-examination.
📥 Downloadable Checklist: ISO 27035 Incident Response Readiness Checklist — available from the ISO Xpert resource library.
Common Challenges & Solutions
1. Detection coverage gaps
   - Problem: SIEM rules look healthy on paper but miss real-world adversary techniques.
   - Solution: Map detection use cases to MITRE ATT&CK and run purple-team exercises to validate coverage empirically.
   - Outcome: Quantified, defensible detection posture and a prioritized gap remediation backlog.
2. Slow regulatory notification
   - Problem: Legal and security teams debate notification language while the 72-hour clock ticks.
   - Solution: Pre-approved notification templates, pre-engaged outside counsel, and a delegated decision authority for the CISO.
   - Outcome: Notifications submitted within statutory deadlines, reducing fines and reputational risk.
3. Inconsistent severity classification
   - Problem: Identical incidents are scored differently across analysts, distorting metrics and prioritization.
   - Solution: Publish a detailed severity matrix with worked examples and require dual review for High/Critical classifications.
   - Outcome: Reliable metrics, defensible escalation, and trustworthy executive reporting.
4. Forensic evidence integrity failures
   - Problem: Responders inadvertently destroy evidence during containment, jeopardizing later investigation or litigation.
   - Solution: Train all CSIRT members in evidence handling; deploy forensic acquisition toolkits; document chain of custody from first contact.
   - Outcome: Evidence admissible in legal and regulatory proceedings.
5. Lessons learned never implemented
   - Problem: Post-incident reports gather dust; the same root causes recur.
   - Solution: Convert each lesson into a tracked action with owner, deadline, and management-review reporting. Audit closure quarterly.
   - Outcome: Demonstrable maturity progression and reduced incident recurrence.
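Phase 3 above calls for a severity matrix with two-tier review, Phase 6 for MTTD/MTTR metrics, and challenges 2 and 3 for pre-computed notification clocks and consistent scoring. The following is an added example, not code from ISO 27035 or from ISO Xpert, that turns those rules into a small Python module; the matrix values, the assumption that detection time equals "becoming aware" for the statutory clocks, and the sample records are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional

# Hypothetical severity matrix: row = business impact (1-3), column = extent (1-3).
SEVERITY_MATRIX = {
    1: {1: "Low", 2: "Low", 3: "Medium"},
    2: {1: "Low", 2: "Medium", 3: "High"},
    3: {1: "Medium", 2: "High", 3: "Critical"},
}
DUAL_REVIEW_LEVELS = {"High", "Critical"}


@dataclass
class Incident:
    ident: str
    occurred_at: datetime             # best forensic estimate of intrusion time
    detected_at: datetime             # when the CSIRT became aware
    recovered_at: Optional[datetime]  # None while the incident is still open
    impact: int                       # 1..3 from the matrix
    extent: int                       # 1..3 from the matrix
    personal_data: bool               # triggers the GDPR Art. 33 clock
    nis2_in_scope: bool               # entity subject to NIS2 reporting
    reviewers: List[str] = field(default_factory=list)

def severity(impact: int, extent: int) -> str:
    """Matrix lookup; scores outside 1..3 are rejected rather than guessed."""
    try:
        return SEVERITY_MATRIX[impact][extent]
    except KeyError:
        raise ValueError(f"impact/extent must be 1..3, got {impact}/{extent}")

def classification_is_final(inc: Incident) -> bool:
    """High/Critical needs two distinct named reviewers; lower severities one."""
    needed = 2 if severity(inc.impact, inc.extent) in DUAL_REVIEW_LEVELS else 1
    return len(set(inc.reviewers)) >= needed

def notification_deadlines(inc: Incident) -> Dict[str, datetime]:
    """Clocks from the article, anchored on detection (assumed = 'becoming aware')."""
    due = {}
    if inc.personal_data:
        due["GDPR Art. 33 notification"] = inc.detected_at + timedelta(hours=72)
    if inc.nis2_in_scope:
        due["NIS2 early warning"] = inc.detected_at + timedelta(hours=24)
        due["NIS2 incident notification"] = inc.detected_at + timedelta(hours=72)
    return due

def kpis(incidents: List[Incident]) -> Dict[str, Optional[float]]:
    """MTTD = occurrence to detection; MTTR = detection to recovery (closed only). Hours."""
    ttd = [(i.detected_at - i.occurred_at).total_seconds() / 3600 for i in incidents]
    ttr = [(i.recovered_at - i.detected_at).total_seconds() / 3600
           for i in incidents if i.recovered_at is not None]
    return {"mttd_hours": mean(ttd) if ttd else None,
            "mttr_hours": mean(ttr) if ttr else None}

# Constructed sample records (not real incidents).
SAMPLE = [
    Incident("INC-001", datetime(2024, 3, 1, 8, 0), datetime(2024, 3, 1, 10, 0),
             datetime(2024, 3, 2, 10, 0), 3, 3, True, True, ["ana", "bo"]),
    Incident("INC-002", datetime(2024, 3, 5, 9, 0), datetime(2024, 3, 5, 13, 0),
             None, 1, 2, False, False, ["ana"]),
]
```

Feeding real ticketing exports into `SAMPLE` gives the MTTD/MTTR figures the management review expects, and the `classification_is_final` gate can block closure of a High/Critical ticket that only one analyst has scored.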
Benefits
A mature ISO 27035 capability shrinks dwell time, contains blast radius, and produces a defensible response narrative for regulators, customers, and the board. Industry data consistently shows that organizations with formal incident response programs experience materially lower breach costs — IBM's annual Cost of a Data Breach report routinely identifies incident response readiness as one of the top cost-reducing factors.
Beyond breach economics, structured incident management drives operational discipline. Detection coverage improves because gaps are surfaced through exercises. Communication improves because templates and authority are pre-defined. Stakeholder trust improves because the organization can demonstrate — with evidence — how it would respond to a major event.
Benefits Matrix
| Benefit | Strategic | Operational | Compliance |
|---|---|---|---|
| Reduced breach cost | Lower financial impact | Faster containment | Reporting alignment |
| Faster recovery | Business continuity | MTTR improvement | RTO/RPO support |
| Regulatory readiness | NIS2/DORA/GDPR | Evidence retention | Audit trail |
| Stakeholder trust | Customer assurance | Vendor confidence | Insurance underwriting |
| Continuous learning | Maturity progression | Playbook evolution | ISO 27001 alignment |
🎯 Key Takeaway Infographic
ISO 27035 LIFECYCLE
┌────────────────────────────────────────┐
│ 1. PLAN & PREPARE                      │
│            ↓                           │
│ 2. DETECT & REPORT                     │
│            ↓                           │
│ 3. ASSESS & DECIDE                     │
│            ↓                           │
│ 4. RESPOND (Contain · Eradicate ·      │
│             Recover · Communicate)     │
│            ↓                           │
│ 5. LEARN & IMPROVE                     │
│            ↺                           │
│ Goal: Faster MTTD · Lower MTTR         │
└────────────────────────────────────────┘
Tools & Resources
A modern incident response capability rests on a layered toolset. SIEM platforms (Splunk, Microsoft Sentinel, Elastic, Sumo Logic) provide correlation and search. EDR/XDR (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint) deliver endpoint visibility and response. SOAR (Splunk SOAR, Tines, Palo Alto Cortex XSOAR) automates playbook execution. Threat intelligence platforms (Recorded Future, Mandiant Advantage, MISP for open source) feed contextual data.
For investigation, forensic acquisition tools (Velociraptor, KAPE, FTK Imager) and memory analysis (Volatility) are essential. Secure out-of-band communications (Signal, dedicated phone lists, WhatsApp closed groups) ensure responders can coordinate even if primary corporate channels are compromised.
Authoritative reference resources include:
- ISO/IEC 27035 Parts 1–4 (the standards themselves)
- NIST SP 800-61 Rev. 2 — Computer Security Incident Handling Guide
- ENISA Good Practice Guide for Incident Management
- MITRE ATT&CK and D3FEND
- FIRST CSIRT Services Framework
- SANS Incident Handler's Handbook
ISO Xpert provides accredited ISO 27035 Lead Incident Manager training, tabletop exercise facilitation, and CSIRT maturity assessments.
Case Study
A regional healthcare provider with 4,200 staff and 11 hospital sites had a fragmented incident response capability — three separate IT teams, no unified playbook, and no executive-level escalation criteria. A precursor incident (a contained ransomware attempt) revealed that decision-making during pressure was ad-hoc and that regulators would have been notified late.
Engaging ISO Xpert, the organization adopted the ISO 27035 framework over a 14-week program. A central CSIRT was established with a clear charter and 24/7 on-call rotation supported by a managed-detection partner. Eight playbooks were developed, prioritizing ransomware, patient-data breach, medical-device compromise, and supplier outage. Pre-approved GDPR Article 33 notification templates were drafted with legal counsel.
A full-scale technical simulation was conducted — a simulated ransomware event spanning detection, containment, executive briefing, and external communication. The exercise revealed three critical gaps: insufficient backup isolation, missing executive decision authority for system shutdown, and unclear coordination with the national CSIRT. All three were closed within 60 days.
Outcome: MTTD reduced from 14 hours to 38 minutes, MTTR from 6 days to 22 hours. The organization passed its ISO 27001 surveillance audit with no incident-management findings and reduced cyber insurance premiums by 22 percent.
Conclusion
ISO 27035 turns incident response from improvisation into engineering. It provides the framework, language, and rigor that regulators, executives, and customers now expect — and that modern threats demand. Whether your organization is standing up its first CSIRT, preparing for NIS2 or DORA scrutiny, or seeking to mature an existing capability ahead of ISO 27001 certification, the standard's five-phase lifecycle is the proven path.
Implementation is achievable in three to six months for most organizations, with continuous improvement extending indefinitely. The key is to start with clear governance, build pragmatic playbooks, exercise relentlessly, and feed lessons back into the program.
Engage ISO Xpert's certified incident management consultants for a tailored CSIRT maturity assessment, playbook development workshop, or accredited ISO 27035 Lead Incident Manager training. Visit iso-xpert.com to schedule a consultation and download our complimentary Incident Response Plan template.
FAQ
Q1. Is ISO 27035 certifiable for organizations? Not directly. Compliance is demonstrated through ISO 27001 certification, regulatory inspection, or CSIRT accreditation programs.
Q2. How does ISO 27035 relate to NIST SP 800-61? Both describe an incident lifecycle. ISO 27035 is broader and governance-focused; NIST 800-61 is more tactical and U.S.-oriented. They are highly compatible.
Q3. What is the difference between an event and an incident? An event is any observable occurrence; an incident is an event (or series) that significantly threatens information security or business operations.
Q4. How often should we run tabletop exercises? At minimum quarterly for the CSIRT, annually for the executive team, and on every material change.
Q5. Do we need a 24/7 SOC? Not necessarily — many organizations use managed detection and response (MDR) partners for off-hours coverage. ISO 27035 requires capability, not specifically in-house staffing.
Q6. What incident metrics matter most? MTTD (mean time to detect), MTTR (mean time to respond), playbook coverage, exercise completion, and lesson-learned closure rates.
Q7. How does ISO 27035 align with NIS2 and DORA? The standard's structured detection, classification, and notification flow directly supports the 24-hour and 72-hour reporting deadlines mandated by these regulations.
Q8. Should playbooks be automated? Where possible. SOAR-based automation accelerates response for high-frequency scenarios while preserving human judgment for complex cases.
Q9. Who should lead the CSIRT? A senior security professional reporting to the CISO, with cross-functional authority spanning IT, legal, communications, and executive stakeholders.
Q10. How do we justify investment to the board? Translate breach-cost avoidance, regulatory fine avoidance, insurance premium reduction, and customer-trust metrics into financial terms — IBM's Cost of a Data Breach report is a useful benchmark.
⚠️ Warning: Operating without pre-approved regulatory notification templates is the most common cause of late-breach disclosures. Draft them before you need them.
Glossary
- CSIRT: Computer Security Incident Response Team.
- Containment: Action to limit the scope of an incident.
- Dwell Time: Period between intrusion and detection.
- EDR: Endpoint Detection and Response.
- Eradication: Removal of attacker presence.
- Event: Observable occurrence in a system.
- Forensics: Evidence-grade investigation of an incident.
- Incident: An event significantly threatening information security.
- MTTD: Mean Time to Detect.
- MTTR: Mean Time to Respond/Recover.
- Playbook: Pre-defined response procedure for a scenario.
- Recovery: Restoration of normal operations.
- SIEM: Security Information and Event Management.
- SOAR: Security Orchestration, Automation, and Response.
- Tabletop Exercise: Discussion-based simulation of an incident scenario.
References & Further Reading
- ISO/IEC 27035-1:2023 — Principles and process
- ISO/IEC 27035-2:2023 — Guidelines to plan and prepare
- ISO/IEC 27035-3:2020 — Guidelines for ICT incident response
- NIST SP 800-61 Rev. 2 — Computer Security Incident Handling Guide
- ENISA — Good Practice Guide for Incident Management
- FIRST — CSIRT Services Framework
- MITRE ATT&CK and D3FEND knowledge bases
- IBM — Cost of a Data Breach Report (annual)
Author Bio
Written by ISO Xpert Consultants — a team of certified ISMS Lead Auditors, Incident Managers, and senior CSIRT practitioners supporting global organizations on their certification and compliance journeys. Visit iso-xpert.com to learn more.