ISO/IEC 27035
incident management standard for security operations and GRC teams

ISO/IEC 27035 explained for security operations and GRC teams

ISO/IEC 27035 (Information technology, Security techniques, Information security incident management) is the international standard for the discipline of information security incident management as operated inside an information security management system. It is published in three parts: Part 1 names the principles and the five-phase cycle, Part 2 covers planning and preparation, and Part 3 covers ICT incident response operations once an incident is in flight. The standard is the operational reference behind the policy and control discipline that ISO/IEC 27001 names in Annex A 5.24 through 5.30, and it pairs with the vulnerability-handling and disclosure standards ISO/IEC 30111 and ISO/IEC 29147 to form the international incident-and-disclosure trio.

For internal security teams running the live response, security operations leaders accountable for incident outcomes, GRC and compliance teams producing the audit pack, and CISOs at organisations read against by ISO 27001 certification bodies, NIS2 competent authorities, DORA financial-sector regulators, the SEC, sector regulators, customers, and cyber insurance carriers, ISO/IEC 27035 is the operating reference the discipline reads against. The standard is the international anchor that NIS2 Article 21 and 23, DORA Articles 19 and 20, the SEC cybersecurity disclosure rule, PCI DSS Requirement 12.10, HIPAA 45 CFR 164.308(a)(6), SOC 2 CC7.3 through CC7.5 and CC9.1, and NIST SP 800-61 all read against on the operating-discipline side, even where the named regulator or framework does not cite ISO/IEC 27035 by number.

This page walks through the scope of the standard, the five phases of the incident management cycle, the operating-record artefacts the standard expects, the failure modes the standard surfaces, the relationship with adjacent regimes, the audit-grade evidence pack the programme produces, and where ISO/IEC 27035 sits alongside the incident response operating workflow, the breach notification and regulator readiness workflow, the incident response plan guide, the incident response tabletop exercise guide, and the ransomware readiness programme guide. Programmes that adopt ISO/IEC 27035 as the incident management reference, ISO/IEC 30111 as the vulnerability handling reference, and ISO/IEC 29147 as the disclosure reference produce a coherent operating posture that holds up under ISO 27001, NIS2, DORA, SOC 2, PCI DSS, HIPAA, SEC, and audit-committee scrutiny on one record.

What ISO/IEC 27035 covers

The standard is the international anchor for the operating discipline of security incident management. It is broader than a single response procedure and narrower than the full ISMS; the boundary is the incident lifecycle, from planning and preparation through detection, assessment, response, and lessons learned. Read sequentially across the three parts, the standard answers the question of how an organisation operates incident management as a programme rather than as a one-off plan.

The five phases of the incident management cycle

ISO/IEC 27035 names a five-phase incident management cycle. The phases are not separate processes; they are stages on the same incident record, each with named outputs the next phase reads against. Plan and prepare produces the policy and the readiness; detection and reporting produces the structured intake; assessment and decision produces the classification and severity; response produces the technical, communications, evidence, and operational tracks; and lessons learned produces the post-incident review and the policy update that feeds the next planning iteration.

1. 1

   Phase 1: Plan and prepare

   The programme produces the documented incident management policy, the named team and role assignments, the communication plan (internal stakeholders, regulators, customers, partners, law enforcement, public communications), the response procedures the team will follow under pressure, the training and exercise schedule, the technical readiness (logging, asset inventory, evidence collection capability, forensic tooling), and the agreements with external parties (counsel, forensic providers, communications support, cyber insurance carrier). Plan and prepare is the phase the rest of the cycle depends on; programmes that skip it operate the next four phases by improvisation.

2. 2

   Phase 2: Detection and reporting

   The programme detects the security event from monitoring, scanner output, user report, third-party notification, partner advisory, or supplier disclosure, and opens the structured incident record. Detection and reporting names the source, captures the initial signals, opens the named handling owner, starts the policy clock, and routes the case according to severity. The discipline expects a structured intake record rather than an email thread or a chat channel.

3. 3

   Phase 3: Assessment and decision

   The handler assesses whether the reported event is an incident, classifies the type (malware, unauthorised access, data exposure, denial of service, supply-chain compromise, insider abuse, social engineering, physical breach), calibrates the severity against the documented criteria, and records the decision to escalate, contain, monitor, or close. Assessment is the gate that turns a reported event into a tracked incident the rest of the cycle reads against; the decision is captured on the record with the named decider, the timestamp, and the rationale.

4. 4

   Phase 4: Response

   The team operates the technical response (containment, eradication, recovery), the communications response (internal updates, regulator notifications under GDPR Article 33, NIS2 Article 23, SEC Item 1.05, HIPAA Breach Notification Rule, DORA Articles 19-20, sector-specific clocks, contractual customer obligations), the evidence response (forensic preservation, chain of custody, log capture, system imaging where the policy expects it), and the operational response (asset isolation, credential rotation, configuration rollback, supplier coordination). Response is the most visible phase of the cycle; the standard expects the technical, communications, evidence, and operational tracks to run in parallel against one record.

5. 5

   Phase 5: Lessons learned

   The programme closes the case, captures the post-incident review (what happened, what worked, what failed, what the programme will change), updates the policy and the procedures where the incident exposed gaps, schedules the follow-on testing and exercising the gaps require, and feeds the metric pack reporting to leadership. Lessons learned is the phase that turns the response into the next planning iteration; programmes that skip the structured review repeat the same incidents at lower frequencies but the same root causes.

The operating-record artefact set

The standard expects a defined artefact set rather than a single document. The pack below is the minimum durable set most programmes maintain when they adopt ISO/IEC 27035 as the operating baseline. Each artefact has a named owner, a refresh cadence, and a version history so reconstruction at audit time is replaced with a continuous operating trail.

Failure modes the standard surfaces

The standard is forgiving on the choice of tooling, the wording of the policy, and the exact phase boundaries. It is unforgiving about a small number of patterns that turn the incident management programme cosmetic rather than operational. The patterns below recur across incident management adoptions and are the ones that erode response confidence and audit defensibility most reliably.

How ISO/IEC 27035 relates to adjacent regimes

ISO/IEC 27035 sits in a busy regulatory and assurance neighbourhood. The relationships below are the ones programmes encounter most often when they read 27035 against the rest of the operating regime. Programmes operating across regions and sectors use 27035 as the incident management spine and read ISO/IEC 27001, NIS2, DORA, SOC 2, PCI DSS, HIPAA, SEC Item 1.05, NIST SP 800-61, ISO/IEC 30111, and ISO/IEC 29147 as the contextual layers around it.

The audit-grade evidence pack

Internal auditors, ISO/IEC 27001 certification bodies reading Annex A 5.24 through 5.30, NIS2 competent authorities, DORA financial-sector regulators, SOC 2 service auditors reading CC7.3 through CC7.5 and CC9.1, PCI DSS QSAs reading Requirement 12.10, HIPAA regulators reading 164.308(a)(6), the SEC reading Item 1.05 disclosures, and cyber insurance carriers reading post-claim documentation all read incident management evidence in similar shapes. The minimum durable pack is the residue of the operating work rather than a separate compilation produced at reading time.

Where SecPortal fits in an ISO/IEC 27035 programme

SecPortal is the operating layer for the incident management case lifecycle, not a replacement for the policy hierarchy, the executive crisis management discipline, the forensic provider relationships, or the legal counsel and communications partnerships that the standard expects. The platform handles the case-side workstreams (detection intake, assessment decision, response actions, communications log, evidence custody, post-incident review, lessons-learned action items, exercising trail) so the artefacts the policy commits to are produced as structured records rather than reconstructed across email threads, ticketing systems, and document drives at audit time. The same workspace that hosts the incident record hosts the SAST, dependency analysis, authenticated DAST, external scanning, and continuous monitoring evidence the response and post-incident verification phases depend on.

The incident management evidence (planning, detection, assessment, response, communications, evidence custody, post-incident review, exercising) reads against operational workflows that already exist as named use cases. The incident response operating workflow carries the live-incident handling discipline the case record reads against. The breach notification and regulator readiness workflow carries the parallel notification queue model the communications track operates against when a case crosses regulator-clock thresholds. The PSIRT product security incident response workflow carries the case-management discipline for product-vulnerability incidents that pair with ISO/IEC 30111 and ISO/IEC 29147.

For internal security teams operating ISO/IEC 27035 as part of the wider security operating baseline, the internal security teams workspace bundles the platform with the engagement structure the response cadence reads against. For GRC and compliance teams reading the incident evidence against ISO 27001, SOC 2, NIS2, DORA, PCI DSS, HIPAA, and the SEC rule, the GRC and compliance teams workspace covers the policy hierarchy, the evidence pack, and the audit cadence the standard expects. For CISOs and security leaders carrying the programme-level reporting on the incident management posture and the post-incident accountability narrative, the CISOs and security leaders workspace covers the executive-layer reporting model that sits on top of the case operating record.

For deeper reading on the disciplines this standard reads against, the ISO/IEC 30111 framework page covers the product-vulnerability handling counterpart that pairs with 27035 for organisations that ship products. The ISO/IEC 29147 framework page covers the external disclosure interface that closes the trio. The NIS2 framework page covers the EU operating expectation Article 21 and Article 23 read against. The SEC cybersecurity disclosure framework page covers the public-company disclosure rule the materiality determination feeds into. The incident response plan guide covers the practical IR plan structure that operationalises the standard. The incident response tabletop exercise guide covers the exercising cadence Phase 1 (plan and prepare) commits to. The ransomware readiness programme guide covers the ransomware-specific operating model that runs the standard against the most common live-incident scenario. The SEC cybersecurity incident materiality guide covers the disclosure-decision discipline US public companies operate alongside the broader ISO/IEC 27035 cycle.