In this ultimate how-to audit guide to ISO 27001 Annex A 5.24 Information Security Incident Management Planning and Preparation, you will learn directly from an ISO 27001 Lead Auditor:
- 10 Key Audit Steps
- Verification Criteria
- Required Evidence
- The Pass / Fail Test
I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.
Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.
Table of contents
- 1. Information Security Incident Management Policy Formalisation Verified
- 2. Incident Management Roles and Responsibilities Defined
- 3. Internal and External Incident Reporting Channels Established
- 4. Incident Classification and Categorisation Criteria Documented
- 5. Information Security Incident Management Plan (ISIMP) Present
- 6. Specialist External Contact Lists Maintained
- 7. Evidence Handling and Forensic Readiness Procedures Validated
- 8. Incident Response Testing and Exercise Records Present
- 9. Post-Incident Review (PIR) and Improvement Mechanism Verified
- 10. Staff Incident Awareness and Training Completion Confirmed
Auditing ISO 27001 Annex A 5.24 Information Security Incident Management Planning involves rigorous verification of an organisation’s preparedness to detect, report, and respond to security events. The audit validates the primary implementation requirement: that defined roles, reporting channels, and tested response procedures are in place. The business benefit is a rapid, coordinated response that minimises impact and preserves evidence during a security incident.
1. Information Security Incident Management Policy Formalisation Verified
Verification Criteria: A documented policy exists, is approved by senior management, and defines the organisation’s overarching approach to incident management.
Required Evidence: Approved Information Security Incident Management Policy with a current version history and evidence of board-level sign-off.
Pass/Fail Test: If the policy is in “draft” status or lacks formal authorisation from the current leadership team, mark as Non-Compliant.
2. Incident Management Roles and Responsibilities Defined
Verification Criteria: Specific individuals or teams (e.g., CSIRT) are formally appointed with clearly defined accountabilities for incident response and escalation.
Required Evidence: A Responsibility Assignment Matrix (RACI) or specific Job Descriptions (JDs) for incident response leads and deputies.
Pass/Fail Test: If incident response duties are assigned to a generic “IT Team” without naming specific accountable leads, mark as Non-Compliant.
3. Internal and External Incident Reporting Channels Established
Verification Criteria: Clear, accessible pathways exist for employees and external parties to report suspected security events without delay.
Required Evidence: Dedicated reporting email addresses, intranet links, or telephone hotlines; evidence of communication of these channels to all staff.
Pass/Fail Test: If a sample of five random employees cannot identify how to report a lost laptop or suspicious email, mark as Non-Compliant.