ISO/IEC 27035:2011 pdf – Information technology – Security techniques – Information security incident management.
5.5 Establishment of the ISIRT
5.5.1 Introduction
The aim of establishing the ISIRT is to provide the organization with appropriate capability for assessing, responding to and learning from information security incidents, and for providing the necessary co-ordination, management, feedback and communication. An ISIRT contributes to the reduction in physical and monetary damage, as well as the reduction of the damage to the organization's reputation that is sometimes associated with information security incidents.
5.5.2 Members and structure
The size, structure and composition of an ISIRT should be appropriate for the size, structure, and the business nature of the organization. Although the ISIRT may constitute an isolated team or department, members may share other duties, which encourages the input of members from a range of areas within the organization. An organization should evaluate if it requires a dedicated team, a virtual team, or a mix of the two. The number of incidents and the activities performed by the ISIRT should guide the organization in this choice.
The ISIRT goes through different maturity stages, and often adjustments to the organizational model are adopted based on the specific scenario faced by the organization. Whenever justified, it is recommended to have a permanent team led by a senior manager. Virtual ISIRT teams may be led by a senior manager. The senior manager should be supported by individuals who are specialized in particular topics, for example in handling malicious code attacks, who are called upon depending on the type of information security incident concerned. Depending on the size, structure and business nature of an organization, a member may also fulfil more than one role within the ISIRT. The ISIRT may comprise individuals from different parts of the organization (e.g. business operations, ICT, audit, human resources and marketing). This also applies to permanent ISIRTs; even in the case of dedicated personnel, the ISIRT always requires support from other departments.
Team members should be accessible for contact, so the names and contact details of each member and their backup members should be available within the organization. The necessary details should be clearly indicated within the information security incident management scheme documentation, including any procedural documents and the reporting forms, but not in policy statements.
The ISIRT manager should usually have a separate line of reporting to senior management, separate from normal business operations. He/she should have delegated authority to make immediate decisions on how to deal with an incident, and should ensure that all ISIRT members have the required knowledge and skill levels, and that these continue to be maintained. The ISIRT manager should assign investigation of each incident to the most appropriate member of his/her team, with each incident assigned a named manager.
5.5.3 Relationship with other parts of the organization
The ISIRT should have the responsibility for ensuring that incidents are resolved, and in this context the ISIRT manager and members of his/her team should have a degree of authority to take the necessary actions deemed appropriate in response to information security incidents. However, actions that may have adverse effects on the overall organization, either financially or in terms of reputation, should be agreed with senior management. For this reason, it is essential that the information security incident management policy and scheme detail the appropriate authority to which the ISIRT manager reports serious information security incidents.
Procedures and responsibilities for dealing with the media should also be agreed with senior management and documented. These procedures should specify who in the organization deals with media inquiries, and how that part of the organization interacts with the ISIRT.