ISO/IEC 27035, the standard for information security incident management, does not stand alone; it is part of a family of related standards that complement and support each other in strengthening organizational information security.
Understanding how ISO/IEC 27035 relates to ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27005, and ISO 22301 is essential for organizations that want to build an integrated security and continuity management framework rather than a set of disconnected processes.
Each standard plays a distinct but interconnected role in managing risks, controls, incidents, and business resilience. Note that ISO/IEC 27001 and ISO 22301 are requirements standards against which an organization can be certified, whereas ISO/IEC 27035, ISO/IEC 27002, and ISO/IEC 27005 are guidance standards that explain how to meet those requirements.

ISO/IEC 27001 – Information Security Management System (ISMS)
ISO/IEC 27001 is the cornerstone standard that specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). It provides the overall framework for managing sensitive information securely.
ISO/IEC 27035 aligns directly with ISO/IEC 27001 by detailing how to manage information security incidents that could compromise the confidentiality, integrity, or availability of the information the ISMS protects, making incident management a critical part of information security governance.
The incident management processes described in ISO/IEC 27035 support the risk treatment and control objectives defined in ISO/IEC 27001, and give auditors evidence that the incident-related Annex A controls are actually operating, not just documented.
ISO/IEC 27002 – Code of Practice for Information Security Controls
While ISO/IEC 27001 defines what must be done to manage information security risks, ISO/IEC 27002 offers a detailed catalog of best-practice security controls and implementation guidance for each.
The incident management controls in ISO/IEC 27002 (in the 2022 edition, controls 5.24 to 5.28: planning and preparation, assessment and decision on events, response, learning from incidents, and collection of evidence) state what should be in place; ISO/IEC 27035 explains how to operationalize them as an end-to-end process of planning, detection, assessment, response, and lessons learned.
This relationship ensures that the controls related to incident handling are applied in a structured and repeatable manner rather than as ad hoc reactions.
ISO/IEC 27005 – Information Security Risk Management
ISO/IEC 27005 focuses exclusively on information security risk management. It provides guidance on identifying, analyzing, evaluating, and treating information security risks.
ISO/IEC 27035 uses the outputs of ISO/IEC 27005 risk assessments and treatment plans, such as asset criticality and accepted risk levels, to classify incidents, prioritize response, and judge their impact on the organization. In turn, incident records feed back into the next risk assessment, since a recurring incident is evidence that a risk was under-estimated or a control is not working.
Risk-informed incident management ensures that response resources are allocated where the impact is greatest and that response efforts align with the organization's risk appetite.
ISO 22301 – Business Continuity Management System (BCMS)
ISO 22301 (published by ISO alone, not jointly with IEC) defines requirements for a business continuity management system, with the aim of ensuring that critical business functions continue during and after disruptive incidents.
ISO/IEC 27035 complements ISO 22301 by covering the detection, assessment, and response to information security incidents, some of which (ransomware, destructive attacks, loss of a critical system) escalate into business disruptions.
Effective incident management can trigger business continuity measures, so the incident response plan should define the criteria and the point of contact for invoking the BCMS; integrating the two standards is therefore crucial for organizational resilience.
Together, they support a holistic approach to managing both information security risks and operational continuity.