Knowledge Center / ISO 27035
ISO / IEC · Global

ISO/IEC 27035 (Incident Management)

The standard for information security incident management.

Introduction: ISO/IEC 27035 and the Discipline of Incident Management

Security incidents are not a question of if but when. The most mature security programme in the world will, at some point, face a phishing compromise, a ransomware attempt, an insider abuse, a misconfigured cloud bucket exposing data, or a supply-chain intrusion. What separates a resilient organisation from a headline-generating breach is rarely the sophistication of its defences alone; it is the speed, discipline and repeatability with which it detects, responds to, contains and learns from incidents. ISO/IEC 27035 is the international standard that codifies exactly this discipline. It provides a structured, phased and evidence-based approach to information security incident management that any organisation, regardless of size, sector or geography, can adopt.

ISO/IEC 27035 sits within the broader ISO/IEC 27000 family of information security standards. Where ISO/IEC 27001 defines the requirements for an Information Security Management System (ISMS) and mandates that incident management be addressed, ISO/IEC 27035 is the detailed 'how-to' companion that expands the single high-level control on incident management into a complete operating model. It is not a certifiable standard in its own right in the way ISO 27001 is; rather, it is guidance that organisations use to build, operate and mature an incident management capability that in turn helps them satisfy ISO 27001 (particularly Annex A control 5.24 through 5.28 in the 2022 revision) and demonstrate operational competence to regulators, customers and auditors.

This guide is written for two audiences at once. For the auditor or assessor, it enumerates every phase, activity, requirement and expected output of the standard so that a rigorous gap assessment can be performed against real evidence. For the implementer, incident response lead, SOC manager or product security team, it lays out a phased path to build the capability from scratch, the roles required, the artefacts to produce, and the metrics that prove the capability is working. Throughout, we use the terminology of the standard precisely: events, incidents, vulnerabilities, the plan-detect-assess-respond-learn lifecycle, the Point of Contact (PoC), the Incident Response Team (IRT) or Information Security Incident Response Team (ISIRT), and the concept of continual improvement.

Copyright and licensing note
ISO/IEC 27035 is a copyrighted international standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The normative text, clause numbering and figures are the intellectual property of ISO/IEC and must be purchased from ISO, IEC or an authorised national standards body (for example BIS in India, BSI in the UK). This guide is an original, independent commentary and audit aid produced by CyberSigma. It paraphrases concepts and structure for educational and assessment purposes only and does not reproduce the copyrighted normative wording of the standard. Always work from a licensed copy of the current published parts when performing a formal assessment or certification-support engagement.

What is ISO/IEC 27035

ISO/IEC 27035 is a multi-part international standard that provides guidance on managing information security incidents through a defined, repeatable lifecycle. Its central premise is that effective incident management is a continuous, planned process, not an ad-hoc reaction. The standard establishes a common vocabulary, a phased process model, and a set of activities, controls and outputs for each phase, together with guidance on the coordination of incident response, on preparing to respond to incidents specifically, and on operations of a coordinated response involving multiple parties.

The standard is structured as a series of parts, each addressing a distinct aspect of incident management:

  • ISO/IEC 27035-1 — Principles and process. Part 1 sets out the core concepts, the phased incident management process model, the benefits, and the key principles. It is the foundation on which the other parts build. The current revision defines the lifecycle phases of Plan and Prepare, Detection and Reporting, Assessment and Decision, Responses, and Lessons Learnt.
  • ISO/IEC 27035-2 — Guidelines to plan and prepare for incident response. Part 2 provides detailed guidance on establishing the incident management policy, forming the ISIRT/IRT, defining an incident response plan, and preparing the people, process, and technology needed before an incident occurs. It is the operational readiness companion to Part 1.
  • ISO/IEC 27035-3 — Guidelines for ICT incident response operations. Part 3 addresses the practical, technical operations of detecting, triaging, analysing and responding to incidents, including the use of detection sources, the operation of the response team, and the handling of specific incident categories.
  • ISO/IEC 27035-4 — Coordination. Later parts address coordination of incident response across organisational boundaries, including with external parties such as CERTs, CSIRTs, law enforcement, customers and suppliers.

The relationship between an information security event, an incident and a vulnerability is fundamental to the standard and to any assessment against it. An event is an identified occurrence of a system, service or network state indicating a possible breach of policy or failure of controls, or a previously unknown situation that may be security-relevant. An incident is a single or a series of unwanted or unexpected events that have a significant probability of compromising business operations and threatening information security. A vulnerability is a weakness that can be exploited. The lifecycle exists precisely to triage the very large volume of events down to the smaller number of genuine incidents that warrant a coordinated response, and to feed identified vulnerabilities back into the wider ISMS for remediation.

ISO/IEC 27035 aligns tightly with ISO/IEC 27001 and ISO/IEC 27002. Where ISO 27001 requires the organisation to plan and prepare for the management of information security incidents, and ISO 27002 provides the control guidance (assessment and decision on events, response to incidents, learning from incidents, and collection of evidence), ISO 27035 supplies the full operational methodology. It also complements sector and national schemes such as CERT-In directions in India, the NIST Computer Security Incident Handling Guide (SP 800-61), and regulatory breach-notification regimes such as GDPR, the DPDP Act, and PCI DSS incident response requirements.

Who Must Comply With ISO/IEC 27035

ISO/IEC 27035 is a guidance standard, so strictly speaking no organisation is legally compelled to 'comply' with it in the way one complies with a law. However, a very wide range of organisations are effectively required to demonstrate a competent incident management capability that maps directly to ISO 27035, whether through certification, contract, regulation or good practice. The table below summarises the principal categories.

Organisation typeWhy ISO 27035 appliesDriver
ISO 27001-certified organisationsISO 27001 Annex A controls 5.24-5.28 mandate incident planning, assessment, response, learning and evidence collection; ISO 27035 is the reference methodologyCertification / audit
Financial institutions, banks, payment providersRegulators (RBI, SEBI, IRDAI, PCI SSC) require documented, tested incident response and breach reportingRegulatory
Critical information infrastructure & CERT-In regulated entities (India)CERT-In directions mandate incident reporting within defined timelines and a documented response processRegulatory / national
Data controllers and processors under GDPR / DPDP ActBreach detection, assessment and notification duties align with the 27035 detect-assess-respond phasesLegal / privacy
Managed Security Service Providers (MSSPs) and SOCsCustomers demand a formal, auditable incident handling process as a contractual deliverableContractual
Cloud, SaaS and technology vendorsEnterprise procurement and security questionnaires require evidence of an incident response programmeCommercial / trust
Healthcare, telecom, energy and public sectorSector regulations and national cyber-resilience frameworks require incident readinessSector regulation
Any organisation handling sensitive or regulated dataDuty of care, cyber-insurance conditions, and board-level risk oversightRisk / insurance

In practice, the strongest driver is ISO 27001 certification. An organisation cannot achieve or maintain ISO 27001 without a working incident management process, and certification auditors routinely test that process against the phases and expectations described in ISO 27035. Cyber-insurance underwriters and enterprise customers increasingly ask for the same evidence.

Structure of ISO/IEC 27035: Phases, Parts and Key Activities

The heart of ISO/IEC 27035 is its five-phase process model. Each phase has defined objectives, activities, inputs and outputs, and each is supported by guidance across the parts of the standard. The table below maps the phases to their purpose, the key activities within them, and the primary outputs an assessor should expect to find. This structure is the backbone against which the master assessment checklist that follows is organised.

Phase / familyPurposeKey activitiesPrimary outputs
Plan and PrepareEstablish the capability, policy, team and infrastructure before incidents occurDefine policy, form ISIRT/IRT, create plans, provision tooling, train, run awarenessIncident management policy, IR plan, team charter, playbooks
Detection and ReportingIdentify and report events and vulnerabilities from all sourcesMonitor, detect, collect, report events and vulnerabilities via the PoCEvent reports, detection logs, reporting channels
Assessment and DecisionTriage events, confirm which are incidents, classify and prioritiseAssess events, categorise, prioritise, escalate, decide on responseIncident classification, severity/priority ratings, decisions
ResponsesContain, eradicate, recover and, where appropriate, conduct forensicsContain, collect evidence, eradicate, recover, communicate, escalate to crisisResponse records, forensic evidence, recovery confirmation
Lessons LearntImprove controls, process and the capability itself from each incidentPost-incident review, root-cause analysis, update controls and plansPost-incident report, improvement actions, updated playbooks
Coordination (27035-3/-4)Coordinate response across internal and external partiesLiaise with CERTs, law enforcement, suppliers, customers; manage disclosureCoordination records, external reports, MoUs

How the parts support the phases

PartTitle (paraphrased)Phases primarily supported
27035-1Principles and processAll five phases — the master model and principles
27035-2Plan and prepare for incident responsePlan and Prepare; readiness for all downstream phases
27035-3ICT incident response operationsDetection, Assessment, Responses (operational/technical)
27035-4CoordinationCoordination across the response, especially Responses and Lessons Learnt

Master Assessment Checklist

This is the core section of the guide. It enumerates every phase, activity and requirement of ISO/IEC 27035 and, for each, sets out what an auditor must verify and the typical evidence that demonstrates conformity. An organisation seeking to align with the standard should be able to produce evidence for every row. The checklist is organised by the five lifecycle phases plus cross-cutting governance and coordination groups. Do not skip any group; a gap in any phase breaks the lifecycle.

Group 1 — Incident Management Governance and Policy

What to verifyTypical evidence
A documented information security incident management policy exists, is approved by management, and is communicatedSigned policy document, approval record, distribution/acknowledgement log
The policy defines scope, objectives, definitions (event/incident/vulnerability) and management commitmentPolicy content review, scope statement
Roles, responsibilities and authorities for incident management are formally assignedRACI matrix, ISIRT charter, job descriptions
The incident management scheme is integrated with the wider ISMS and risk managementISMS documentation cross-references, risk register linkage
A schedule for review and update of the policy and scheme is defined and followedReview calendar, version history, change log
Legal, regulatory and contractual reporting obligations are identified and documentedCompliance obligations register, notification matrix

Group 2 — Plan and Prepare Phase

What to verifyTypical evidence
An Information Security Incident Response Team (ISIRT/IRT) is established with defined membershipTeam charter, member list, contact roster
A designated Point of Contact (PoC) is defined and reachable 24x7 as appropriate to riskPoC procedure, on-call rota, contact details
A documented incident response plan / playbooks cover common incident categoriesIR plan, category-specific playbooks (malware, phishing, data breach, DoS, insider)
Classification and severity/priority scales are defined in advanceClassification matrix, severity definitions
Detection and reporting tooling and channels are provisioned (SIEM, ticketing, reporting form)Tool inventory, screenshots, configuration records
Secure evidence-handling and forensic-readiness procedures are establishedForensic-readiness policy, chain-of-custody template, tool list
Training, exercises and awareness for staff and the ISIRT are planned and deliveredTraining records, tabletop/exercise reports, awareness material
Internal and external communication and escalation procedures are documentedEscalation matrix, communication plan, contact lists for CERT/regulators
Necessary resources, budget and management support are provisionedResource plan, budget approval, tooling licences

Group 3 — Detection and Reporting Phase

What to verifyTypical evidence
Events are detected from multiple sources (automated monitoring, users, third parties)Detection source inventory, SIEM alerts, user reports
A simple, well-publicised mechanism exists for anyone to report events and vulnerabilitiesReporting form/portal, hotline, awareness comms
Reported events are captured with sufficient detail (who, what, when, where, impact)Event report records, ticket fields
Vulnerabilities are reported and routed for assessment separately from eventsVulnerability reports, coordinated disclosure procedure
Detection and reporting timelines meet policy and regulatory expectationsTimestamps in tickets, SLA metrics, CERT-In reporting evidence
All events and reports are logged in a central registerIncident register / case management system extract

Group 4 — Assessment and Decision Phase

What to verifyTypical evidence
Each reported event is assessed to determine whether it is an information security incidentTriage records, assessment notes, decision log
Confirmed incidents are categorised using the predefined classification schemeCategorised tickets, classification field values
Incidents are prioritised by severity/impact and urgencySeverity ratings, prioritisation rationale
Decisions on whether and how to respond are made and recorded by authorised rolesDecision records with approver, escalation entries
Escalation criteria (to crisis management, executives, external parties) are appliedEscalation records, notifications
False positives and non-incidents are documented and closed with rationaleClosed-not-incident tickets with justification

Group 5 — Responses Phase (Containment, Eradication, Recovery)

What to verifyTypical evidence
Containment actions are taken promptly to limit impact and spreadContainment action logs, timestamps, isolation records
Evidence is collected and preserved with maintained chain of custodyForensic images, chain-of-custody forms, evidence log
Eradication removes the root cause (malware, unauthorised access, misconfiguration)Remediation records, patch/config change tickets
Recovery restores affected systems and validates their integrity before return to serviceRecovery checklist, integrity verification, sign-off
Communications to internal stakeholders and external parties are managed and timelyCommunication log, notification records, holding statements
Regulatory and customer breach notifications are made within required timelinesNotification letters, CERT-In/regulator submissions, timestamps
Major incidents are escalated to crisis management / business continuity as neededCrisis activation records, BCP/DR invocation evidence
Response actions and decisions are fully documented throughout the incident timelineIncident timeline, action log, decision record

Group 6 — Lessons Learnt and Continual Improvement Phase

What to verifyTypical evidence
A post-incident review is conducted for significant incidentsPost-incident review reports, meeting minutes
Root-cause analysis identifies underlying causes, not just symptomsRCA documentation, 5-whys / fishbone analysis
Improvement actions to controls, process and plans are identified and tracked to closureAction tracker, closed CAPA records
Playbooks, policy and the incident scheme are updated based on findingsUpdated document versions, change history
Incident metrics and trends are analysed to inform risk treatmentTrend reports, metrics dashboards, risk register updates
Knowledge is shared with relevant teams and, where appropriate, externallyKnowledge base entries, threat-intel sharing records

Group 7 — Evidence Collection and Forensic Readiness

What to verifyTypical evidence
Procedures ensure evidence is collected in a legally admissible mannerForensic procedure, admissibility guidance
Chain of custody is maintained from collection to disposalChain-of-custody records, evidence storage log
Time synchronisation across systems supports reliable timelinesNTP configuration, log timestamp accuracy checks
Log sources are retained for sufficient duration to support investigationsLog retention policy, retention configuration
Personnel handling evidence are trained and authorisedTraining records, authorisation list

Group 8 — Coordination and External Relationships (27035-3 / -4)

What to verifyTypical evidence
Relationships with external parties (CERT/CSIRT, law enforcement, suppliers) are establishedContact register, MoUs, engagement records
Coordination procedures for multi-party incidents are documentedCoordination playbook, shared-responsibility matrix
Information-sharing agreements and confidentiality controls are in placeNDAs, TLP handling procedure, sharing agreements
Roles and interfaces with a coordinating CSIRT are definedCoordination charter, escalation-to-CERT procedure
Cross-border and supply-chain incident handling is addressedSupplier incident clauses, cross-border data-handling notes

Scoping the Incident Management Capability

Scoping determines which parts of the organisation, which assets, and which incident types the incident management capability covers. A well-defined scope prevents both under-coverage (critical systems left without a response plan) and wasteful over-engineering. Scoping should be driven by the risk assessment and by the boundaries of the ISMS where one exists.

  • Organisational scope: which business units, subsidiaries, geographies and legal entities are covered by the incident scheme.
  • Asset and information scope: which systems, applications, networks, cloud environments, OT/ICS and data classifications are in scope, prioritised by criticality.
  • Incident-type scope: which categories are addressed (malware/ransomware, phishing, unauthorised access, data breach, denial of service, insider misuse, physical, third-party/supply-chain, cloud misconfiguration).
  • Stakeholder scope: internal teams (SOC, IT, legal, HR, communications, executive) and external parties (CERTs, regulators, customers, suppliers, forensic partners).
  • Regulatory and contractual scope: jurisdictions and obligations that trigger mandatory reporting (CERT-In, GDPR, DPDP, PCI DSS, sector regulators).
  • Interfaces and exclusions: dependencies on outsourced/MSSP services and any explicitly excluded areas, with documented justification.
Scoping tip
Align the incident management scope with the ISMS scope and the business impact analysis. Where a Managed Security Service Provider operates part of the detection or response, the shared-responsibility boundary must be documented explicitly so that no phase of the lifecycle falls into a gap between provider and organisation.

Implementation Approach: A Phased Programme

Building an ISO 27035-aligned capability is best done in defined phases. Each phase below lists its core activities and the deliverables an assessor would expect. The phasing mirrors the standard's own logic: prepare first, then operationalise detection and response, then embed learning and coordination.

Phase 1 — Establish Governance and Policy (Weeks 1-4)

  • Activities: secure executive sponsorship; define the incident management policy, objectives and scope; establish definitions and the classification scheme; identify legal and regulatory obligations.
  • Deliverables: approved incident management policy, scope statement, classification and severity matrices, obligations register.

Phase 2 — Plan and Prepare (Weeks 3-10)

  • Activities: form and charter the ISIRT/IRT; assign roles and the PoC; develop the incident response plan and category playbooks; provision tooling (SIEM, case management, forensic kit); establish evidence-handling and forensic-readiness procedures; build communication and escalation matrices.
  • Deliverables: ISIRT charter and roster, IR plan, playbooks, tooling in place, forensic-readiness procedure, escalation/communication matrices.

Phase 3 — Detection and Reporting Operationalisation (Weeks 8-14)

  • Activities: integrate detection sources; deploy an easy reporting mechanism for staff and third parties; configure the central incident register; define reporting timelines and SLAs.
  • Deliverables: detection source inventory, reporting portal/form, incident register, SLA definitions.

Phase 4 — Response Operations and Testing (Weeks 12-18)

  • Activities: operationalise triage, assessment and prioritisation; run the response workflow end-to-end; conduct tabletop exercises and at least one simulated incident; validate breach-notification workflows.
  • Deliverables: exercise reports, tested workflows, validated notification templates, first response records.

Phase 5 — Lessons Learnt and Continual Improvement (Weeks 16+, ongoing)

  • Activities: institute post-incident reviews and RCA; establish a metrics/KPI dashboard; feed improvements back into controls, playbooks and the risk register; schedule periodic reassessment and re-exercising.
  • Deliverables: post-incident review template, KPI dashboard, improvement tracker, review calendar.

Phase 6 — Coordination and External Integration (ongoing)

  • Activities: establish relationships with CERTs/CSIRTs, law enforcement and suppliers; put information-sharing and confidentiality agreements in place; define multi-party coordination procedures.
  • Deliverables: external contact register, MoUs/NDAs, coordination playbook.

Maturity and Capability Model

While ISO/IEC 27035 does not itself prescribe a formal maturity scoring model, it is standard assessment practice to rate the capability against a five-level maturity scale so that progress can be measured and gaps prioritised. The table below defines a practical maturity model for incident management, drawing on capability-maturity conventions widely used by assessors.

LevelNameCharacteristicsTypical indicators
0Non-existentNo defined incident capability; incidents handled ad hoc if at allNo policy, no team, no records
1InitialReactive handling; some individuals respond but no documented processInformal responses, inconsistent outcomes
2RepeatableBasic policy and team exist; playbooks used for common incidentsDocumented policy, IR plan, some records
3DefinedFull lifecycle documented and consistently applied across scopeComplete phases, classification, training, exercises
4ManagedMetrics-driven; SLAs measured; post-incident reviews standardKPI dashboards, trend analysis, tested plans
5OptimisingContinual improvement embedded; threat-informed; coordinated externallyAutomation, threat-intel integration, CERT coordination

Most organisations target Level 3 (Defined) for initial ISO 27001 certification support and progress towards Levels 4 and 5 as the programme matures. An assessor should score each of the eight checklist groups independently and identify the lowest-scoring groups as improvement priorities.

Assessment and Audit Approach

A rigorous ISO 27035 assessment follows a structured, evidence-based methodology. The steps below describe the recommended sequence for an auditor conducting a gap assessment or readiness review.

  1. Define the assessment scope and objectives with the sponsor, confirming which entities, assets and incident types are in scope.
  2. Review documentation: policy, IR plan, playbooks, classification scheme, charters, procedures and prior incident records.
  3. Map the organisation's process against the five lifecycle phases and the eight checklist groups.
  4. Conduct interviews with the ISIRT, SOC analysts, IT operations, legal, communications and executive sponsors.
  5. Sample and test evidence: pull a representative set of past incident cases and trace each through detection, assessment, response and lessons learnt.
  6. Observe or facilitate a tabletop exercise or walkthrough to test the plan in practice.
  7. Assess forensic readiness, evidence handling and chain-of-custody controls.
  8. Verify regulatory and contractual notification workflows against real or simulated timelines.
  9. Score each checklist group against the maturity model and identify gaps and root causes.
  10. Produce a findings report with prioritised, risk-based recommendations and a remediation roadmap.
  11. Agree corrective actions and a re-assessment date to confirm closure.

Evidence Request List

The following categorised list is what an assessor typically requests ahead of and during an ISO 27035 review. Implementers can use it as a pre-audit readiness pack.

  • Governance: incident management policy, scope statement, management approval records, RACI/roles matrix, obligations register.
  • Planning: ISIRT charter and roster, PoC procedure and on-call rota, incident response plan, category playbooks, classification and severity matrices.
  • Detection & reporting: detection source inventory, SIEM/alerting configuration, reporting form/portal, awareness communications, incident register extract.
  • Assessment & decision: triage records, classification examples, prioritisation rationale, escalation and decision logs.
  • Response: incident timelines, containment/eradication/recovery records, communication logs, breach-notification submissions, crisis/BCP activation evidence.
  • Forensics & evidence: forensic-readiness procedure, chain-of-custody templates and completed forms, evidence storage and retention records.
  • Lessons learnt: post-incident review reports, RCA documents, improvement action tracker, updated document versions.
  • Testing & training: tabletop/simulation exercise reports, training records, awareness metrics.
  • Coordination: external contact register, MoUs/NDAs, information-sharing agreements, CERT/regulator engagement records.
  • Metrics: KPI dashboards, trend reports, SLA compliance data.

Roles and Responsibilities

RoleKey responsibilitiesPhase focus
Executive sponsor / CISOOwns the policy, provides resources and authority, makes crisis decisionsGovernance, escalation
Incident Manager / ISIRT leadCoordinates the response, chairs reviews, owns the IR planAll phases
Point of Contact (PoC)Single reporting channel; receives, logs and routes eventsDetection & Reporting
SOC analysts / detection teamMonitor, detect, triage and escalate eventsDetection, Assessment
Incident responders / forensicsContain, collect evidence, eradicate, recoverResponses
IT / infrastructure operationsExecute isolation, patching, restoration under IRT directionResponses
Legal & complianceAdvise on obligations, manage regulatory notificationsResponse, Coordination
Communications / PRManage internal and external messagingResponse, Coordination
HRHandle insider and personnel-related aspectsResponse
Business continuity / crisis teamInvoked for major incidents; run BCP/DRResponse (major)
External CERT/CSIRT & partnersProvide coordination, threat intel and specialist supportCoordination

KPIs to Track

  • Mean Time to Detect (MTTD) — average time from occurrence to detection.
  • Mean Time to Acknowledge / Triage — time from report to assessment start.
  • Mean Time to Respond / Contain (MTTR) — time from detection to containment.
  • Mean Time to Recover — time from containment to full restoration.
  • Number of events reported vs. confirmed incidents (triage effectiveness).
  • Percentage of incidents detected internally vs. by third parties.
  • Percentage of incidents with completed post-incident reviews and RCA.
  • Percentage of improvement actions closed within target timeframe.
  • Breach notifications made within regulatory deadlines (e.g. CERT-In 6-hour window).
  • Recurrence rate — incidents from previously identified but unremediated causes.
  • Exercise cadence and pass rate for tabletop/simulation tests.
  • Staff awareness reporting rate — proportion of incidents reported by employees.

Readiness Checklist

  • Incident management policy approved, communicated and version-controlled.
  • ISIRT/IRT chartered with named members and a 24x7-capable PoC.
  • Incident response plan and category playbooks documented and accessible.
  • Classification, severity and prioritisation scales defined in advance.
  • Detection sources integrated and an easy reporting mechanism published.
  • Central incident register / case management system in operation.
  • Forensic-readiness and chain-of-custody procedures established.
  • Escalation, communication and breach-notification matrices in place.
  • Regulatory and contractual reporting obligations mapped with timelines.
  • Training delivered and at least one tabletop/simulation exercise completed.
  • Post-incident review and RCA process defined and used.
  • KPI dashboard operational and reviewed by management.
  • External CERT/CSIRT and partner relationships established.
  • Periodic review and re-exercise schedule agreed and calendared.

Common Gaps

  • Policy exists on paper but the IR plan and playbooks are never tested through exercises.
  • No single, well-publicised Point of Contact, so events go unreported or to the wrong place.
  • Classification and severity scales are undefined, leading to inconsistent prioritisation.
  • Detection is over-reliant on tooling with no easy way for staff to report suspicious activity.
  • Weak forensic readiness — evidence collected without chain of custody, undermining admissibility.
  • Recovery declared complete without integrity verification, allowing reinfection.
  • Post-incident reviews skipped or superficial, so the same incidents recur.
  • Breach-notification timelines (e.g. CERT-In 6 hours) not built into the response workflow.
  • No coordination arrangements with CERTs, suppliers or law enforcement before an incident.
  • Metrics not captured, so management cannot see whether the capability is improving.
  • Shared-responsibility boundary with MSSP/cloud provider undocumented, leaving lifecycle gaps.
  • Lessons-learnt actions raised but never tracked to closure or fed into the risk register.

ISO/IEC 27035 Mapped to Other Frameworks

ISO 27035 phase / conceptISO 27001:2022 Annex ANIST SP 800-61 / CSFCERT-In / regulatory
Plan and Prepare5.24 Incident management planning & preparationPreparation phase; CSF Govern/IdentifyDocumented IR process, designated PoC
Detection and Reporting5.25 Assessment & decision on events; 6.8 reportingDetection & Analysis; CSF DetectEvent detection and logging
Assessment and Decision5.25 Assessment & decision on security eventsDetection & Analysis (triage)Incident classification
Responses5.26 Response to incidentsContainment, Eradication & Recovery; CSF RespondMandatory reporting within 6 hours (CERT-In)
Lessons Learnt5.27 Learning from incidentsPost-Incident Activity; CSF Recover/ImproveContinual improvement obligations
Evidence collection5.28 Collection of evidenceForensic guidance in 800-61Admissible evidence for investigations
CoordinationSupported by 27035-4Coordination guidance; information sharingCoordination with CERT-In / national CSIRT
How CyberSigma helps
CyberSigma helps organisations build, test and mature an ISO/IEC 27035-aligned incident management capability end to end. Our CERT-In empanelled and PCI QSA-qualified assessors run gap assessments against every phase and checklist group in this guide, then help you close the gaps: drafting the incident management policy and playbooks, chartering and training your ISIRT, establishing forensic readiness and chain-of-custody, wiring detection and reporting into your SOC, and building the KPI dashboards that prove the capability works. We run realistic tabletop and simulation exercises, validate your CERT-In and GDPR/DPDP breach-notification workflows against real timelines, and provide 24x7 incident response retainer support when a real incident strikes. Whether you are pursuing ISO 27001 certification, satisfying a regulator, or reassuring enterprise customers, CyberSigma takes you from ad-hoc reaction to an optimising, threat-informed incident management programme. Contact us to schedule an ISO 27035 readiness assessment.

Frequently asked questions

How does ISO 27035 relate to ISO 27001?
It provides detailed guidance for the incident-management controls required by ISO 27001’s ISMS.
Official documents

Need help with ISO 27035?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.