Working with incident management requires you to take action before, during and after incidents happen, so that you are prepared, able to act, and able to learn from each incident. Improving the incident management process depends on each of these steps being carried out to a high standard.
The phases of incident management are standardised internationally in the ISO/IEC 27035 standards, which present the basic concepts of information security incident management. The phases are deliberately generic and intended to be applicable to all organisations, regardless of type, size or nature.
- Phase 1 – Plan and prepare. In this phase the user/source, the point of contact and the internal incident response team (IRT) set the policies and plans for how the incidents that occur will be managed.
- Phase 2 – Detection and reporting. Detecting and sorting the events and incidents that come to the attention of the aforementioned parties is a crucial part of choosing which ones to escalate and take action against.
- Phase 3 – Assessment and decision. After incidents are detected and reported, the point of contact and the internal IR team decide whether the incident is escalated to the next level and requires a response.
- Phase 4 – Responses. After the incident has been escalated, the response will be handled by the Crisis Handling Team in cooperation with the internal IR team.
- Phase 5 – Lessons learnt. When the incident is closed and normal operations have resumed, all parties involved in the previous phases contribute to identifying lessons learnt and to improving the handling based on what has been learnt. This may also include evaluating the performance of the process and of the teams involved.