
Leveraging ISO/IEC 27035 for Business Continuity and Resilience

Today’s businesses operate in an evolving threat landscape that presents numerous information security challenges regardless of industry. Incidents are bound to happen more frequently than before, and the confidentiality, integrity, and availability (CIA) of critical systems can be compromised at any given moment. The possibility of such breaches places a burden on organizations to safeguard their existence, as breaches can hinder the achievement of business objectives and strategic initiatives. The return on investment of any organization is usually threatened by incidents. Such adverse impacts can lead to a business crisis. Given the status quo, it is important for organizations to at least prepare to handle such unforeseen occurrences, which may have negative consequences for their sustainability. In this age of cybersecurity, incident management should be prioritized.

An Overview of the Standard 

The ISO/IEC 27035 is part of a widely respected and well-defined set of standards within the ISO/IEC 27000 family. It stands out as the most recognized, if not the de facto standard, that primarily focuses on Information Security Incident Management and is structured in the following manner: 

Planning and Preparation

Usually the starting point is the formulation of the Information Security Incident policy. This policy should be reflected in other cybersecurity-related policies. User awareness and cybersecurity training are also important considerations at this stage. Management should show its commitment by bankrolling the project.

Detection and Reporting 

Early detection of incidents is crucial; the standard therefore offers means of ensuring timely detection. Mechanisms should be put in place to detect incidents that can have a security impact on the organization.

Responding 

The standard and associated guidelines offer a detailed approach on how to respond to various incidents in a coordinated manner. The incident can be contained and mitigated while simultaneously preventing the means through which it could escalate further. Incidents can be mild or severe and an appropriate response should be accorded.

Lessons Learned

To gain valuable insights from incidents, a thorough analysis must be done. The cause, as well as the impact, has to be deduced. Root Cause Analysis (RCA) contributes immensely to this process and will help deter recurrence of a similar incident in the future. Already existing security measures can only be improved when this phase is done properly. Continual improvement hinges on lessons learned. 

Information Security Incident Management Standard Implementation 

With the advent of AI and other emerging technologies, organizations, depending on their industry, may face demands from regulators to have defined incident management in place. The case of Zimbabwean banking sector players, which have been mandated to have a clearly defined and tested incident management framework, comes to mind.

All banks were given an ultimatum as of 30 September, 2024, to ensure compliance with this regulation. No bank can afford to ignore the demands from the regulator without risking its sustenance. At the same time, when regulations are passed, they are usually for the common good of both the provider of services and the clients who consume the services.

Compliance with this requirement will be easily ensured by implementing the eminent ISO/IEC 27035 Information Security Incident Management standard. This is a comprehensive method that covers incident management end to end in the information security context. Taking a holistic approach has innumerable advantages, and it closes the gap that may exist between business operations and business continuity. This should inspire and motivate organizations towards implementing ISO/IEC 27035 as a starting point.

AI Revolutionizing Incident Management 

AI promotes enhanced and quicker incident management. Detection and resolution of incidents become easier, thereby improving the overall response time. AI’s capabilities improve incident management, which in a broader sense leads to efficient IT Service Management (ITSM). Analysis of vast amounts of historical data using Machine Learning (ML) algorithms also helps to improve IT service delivery and avoid recurrence of similar past incidents. AI has evolved immensely, and throughout that process it has ignited a chain of disruptive incident management capabilities which organizations can harness to bolster their business continuity management.

AI-powered ITSM, which embodies incident management, has significant returns. Applications of AI include pattern recognition, which enables organizations to recognize emerging attack trends and mitigate an attack before it causes much damage.

AI can help organizations optimize resource allocation. This brings efficiency to the processes, paving the way for improved incident management. Predictive analysis adds another dimension to the positive impact of AI on ITSM, particularly incident management. Incidents can be predicted with greater accuracy; as such, organizations can improve their systems’ self-healing potential, fostering resilience.

Automated incident response systems are some of the benefits AI brings on board. AI’s contribution to incident management cannot be overemphasized and it translates to enhanced business continuity management. AI becomes a game changer, for both incident management and business continuity management, as it enables building robust incident response capabilities which are less prone to failure. 

Business resilience anchors on effective information security incident response capabilities that can only be attained through a coherent incident management system. 

Adaptability of ISO/IEC 27035

The standard is not tailored for a specific industry but was created to suit every organization according to its need. All organizations hold information as one of their most critical resources to be managed. Where there is information there is risk associated with it, and if the risk materializes, an event or incident can occur. ISO/IEC 27035 cuts across the divide. No industrial boundaries exist to implementing the standard; however, the focus should be on how to implement it in certain domains.

It is a generic standard and can be adopted by any organization that seeks to improve its overall information security. Making good use of this standard’s principles in any industry will go a long way in promoting business continuity and resilience. Business Continuity Management is defined in the ISO 22301 standard and it is strongly complemented by other standards such as ISO/IEC 27035 for incident management. The standards reference each other. They are distinct but highly related as they both help organizations to protect themselves against disruptions.  

Information Security Incident Management Crucial to Risk Management 

Risks are pervasive and they affect every area of the business. If not properly managed, risks can threaten the security of any organization. Effort and proper investment are required to manage risks throughout their lifecycles. To minimize the risk of information security or any cyber-related incident, organizations are encouraged to implement ISO/IEC 27035.

Investing in Information Security Incident Management will pay dividends for the business. Mature risk management at any organization implies having wholesome information security incident management, as they are intertwined. In implementing ISO/IEC 27035, organizations gain more by referring to the ISO/IEC 27005 and ISO 31000 standards. These standards complement each other. ISO 31000 is the overarching standard that gives a high-level framework for risk management. It defines an approach which tailored or domain-specific risk management standards like ISO/IEC 27005 can assume and streamline.

Benefits of Implementing ISO/IEC 27035 Incident Management for Business Continuity

Many advantages accrue from implementing this standard; just a few are listed below:

Legal and Regulatory Compliance

In many industries, it is imperative to have structured incident management, and one way of ensuring legal and regulatory compliance to this demand is through the implementation of ISO/IEC 27035.

Improved Stakeholder Confidence 

With the hype that information security has received of late, stakeholders prefer to do business where their worries are confined. Their confidence improves when an organization values incident management with the potential of nurturing lasting loyalty. By implementing and adhering to best practices, businesses improve their credibility. 

Enhanced Security Posture 

The security posture of the organization improves through having many essential components in place, one of which is a properly implemented incident management standard. All organizations regardless of size tend to benefit from implementing the entire ISO/IEC 27035.  

Business Continuity Capability 

As alluded to earlier, incident management provides better assurance of business continuity. Disruptions are rampant in today’s world and business continuity is at risk. A bigger leap towards ensuring this requirement is to implement ISO/IEC 27035.

Conclusion 

Consistent incident management helps organizations keep threats and vulnerabilities in check. This can be significantly enhanced by implementing the ISO/IEC 27035 Incident Management standard. The standard provides a solid basis for handling information security incidents. Organizations will reap huge benefits from following this structured approach, which saves time and costs and helps the organization survive and thrive in a modern world where information security incidents are rampant.

Regular and effective testing is paramount to keep the standard operating as intended, thereby reducing adverse business effects. In the wake of a security incident, the convergence of incident management and business continuity yields a positive result. Business continuity and resilience require a fully-fledged incident management program to be in place. Implementing the ISO/IEC 27035 standard provides, to a greater degree, assurance of business continuity in the event of a disaster or any security incident. Survival of monumental disruptions means that business continuity is ensured, and incident management is an integral part of business continuity management.
