National foreword

This British Standard is the UK implementation of ISO/IEC 27035‑4:2024.

The UK participation in its preparation was entrusted to Technical Committee IST/33, Information security, cybersecurity and privacy protection.

A list of organizations represented on this committee can be obtained on request to its committee manager.

Contractual and legal considerations

This publication has been prepared in good faith, however no representation, warranty, assurance or undertaking (express or implied) is or will be made, and no responsibility or liability is or will be accepted by BSI in relation to the adequacy, accuracy, completeness or reasonableness of this publication. All and any such responsibility and liability is expressly disclaimed to the full extent permitted by the law.

This publication is provided as is, and is to be used at the recipient’s own risk.

The recipient is advised to consider seeking professional guidance with respect to its use of this publication.

This publication is not intended to constitute a contract. Users are responsible for its correct application.

Compliance with a British Standard cannot confer immunity from legal obligations.

This British Standard was published under the authority of the Standards Policy and Strategy Committee on 31 December 2024.

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).

ISO and IEC draw attention to the possibility that the implementation of this document may involve the use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of any claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC had not received notice of (a) patent(s) which may be required to implement this document. However, implementers are cautioned that this may not represent the latest information, which may be obtained from the patent database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.

This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, Information security, cybersecurity and privacy protection.

A list of all parts in the ISO/IEC 27035 series can be found on the ISO and IEC websites.

Any feedback or questions on this document should be directed to the user’s national standards body. A complete listing of these bodies can be found at www.iso.org/members.html and www.iec.ch/national-committees.

Introduction

Coordination is an important aspect in information security incident management. Incidents crossing organizational boundaries can occur and cannot be easily resolved by a single organization. Emerging threats are becoming increasingly sophisticated and can have a much larger impact than previously. The characteristics of emerging threats and attacks make it more urgent than ever to coordinate incidents across organizations.

Coordination can include relevant parties both within and outside the organization. For example, relevant parties within the organization include business managers and representatives from IT; external interested parties include incident response teams of external organizations and law enforcement organizations. See ISO/IEC 27035‑2:2023, Clause 8 for a complete list. This document, however, only considers coordination between multiple organizations. This document provides guidelines for multiple organizations to work together to handle information security incidents. The coordination activities occur throughout the information security incident management process as defined in ISO/IEC 27035‑1.

This document addresses the coordination of information security incident management between multiple organizations. Incidents sometimes involve technical vulnerabilities. Guidance on the coordination, disclosure, and handling of technical vulnerabilities is provided by ISO/IEC 29147 and ISO/IEC 30111. Additional information on the coordination of technical vulnerabilities between multiple organizations is provided by ISO/IEC TR 5895.

1 Scope

This document provides guidelines for multiple organizations handling information security incidents in a coordinated manner. It also addresses the impacts of external cooperation on the internal incident management of an individual organization and provides guidelines for an individual organization to adapt to the coordination process. Furthermore, it provides guidelines for the coordination team, if it exists, to perform coordination activities supporting the cross-organization incident response.

The principles given in this document are generic and are intended to be applicable to multiple organizations to work together to handle information security incidents, regardless of their types, sizes or nature. Organizations can adjust the guidance given in this document according to their type, sizes and nature of business in relation to the information security risk situation. This document is also applicable to an individual organization that participates in partner relationships.

2 Normative references

3 Terms and definitions

4 Overview

4.1 General

4.2 Coordination team

4.3 Principles of coordination

5 Coordinated incident management process

5.1 Overview

5.2 Coordinated plan and prepare

5.3 Coordinated detect and report

5.4 Coordinated assessment and decision

5.5 Coordinated respond

5.6 Coordinated learn lessons

6 Guidelines for key activities of coordinated incident management

6.1 Developing coordination policies

6.2 Establishing communications

6.3 Threat and event Information sharing

6.4 Conducting coordinated exercises

6.5 Building trust

Bibliography

BS ISO/IEC 27035-4:2024

Information technology. Information security incident management - Coordination

Current

Published:

31 Dec 2024