
ISO 27001 Annex A 5.26 Audit Checklist

In this ultimate how-to-audit guide to ISO 27001 Annex A 5.26 Response to Information Security Incidents, you will learn directly from an ISO 27001 Lead Auditor:

  • 10 Key Audit Steps
  • Verification Criteria
  • Required Evidence
  • The Pass / Fail Test

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

Auditing ISO 27001 Annex A 5.26 Response to Information Security Incidents verifies that the organisation responds to incidents in line with documented, tested procedures, and that the tactical actions taken during an incident are effective. The primary implementation requirement being validated is the execution of tested response procedures that contain and eradicate the threat before recovery begins. The business benefit is reduced operational downtime and reputational damage through rapid, coordinated recovery from security breaches.

1. Incident Response Procedure Formalisation Verified

Verification Criteria: Documented playbooks exist for specific incident categories (e.g. ransomware, unauthorised access, data exfiltration), each defining clear, unambiguous response actions rather than general guidance.

Required Evidence: Approved Incident Response Plan (IRP) or a technical playbook library with version control and management sign-off.

Pass/Fail Test: If response actions rely on the “best effort” of staff without documented, scenario-specific playbooks, mark as Non-Compliant.

2. Response Team Activation Protocols Confirmed

Verification Criteria: Technical triggers for activating the Cyber Security Incident Response Team (CSIRT) are established and functional.

Required Evidence: On-call rotas, CSIRT contact directories, and timestamped activation logs from a recent incident or simulation.

Pass/Fail Test: If the organisation cannot demonstrate a formal “Point of Contact” available 24/7 for incident escalation, mark as Non-Compliant.

3. Containment and Eradication Evidence Validated

Verification Criteria: Technical measures are implemented to isolate affected assets and neutralise the threat prior to recovery efforts.

Required Evidence: Firewall or switch configuration changes and logs showing network isolation of affected hosts (e.g. moving them to a quarantine VLAN), EDR (Endpoint Detection and Response) action history showing host isolation, or identity system logs showing account suspension.

Pass/Fail Test: If evidence shows recovery actions (e.g. restoring backups) were initiated before the threat was confirmed as contained, mark as Non-Compliant.
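The checks in steps 2 and 3 both come down to the ordering and timing of events in the incident record: was the CSIRT activated promptly after the first alert, and was containment confirmed before any recovery action started? The script below is an added example (not part of this checklist or the toolkit) that applies both checks to a timeline. It assumes the evidence has been exported as one event per line in the form `timestamp actor action detail`, with the action names `alert.raised`, `csirt.activated`, `containment.confirmed` and `recovery.started`; those names, the 30-minute activation threshold and the sample timelines are all constructed for illustration.

```python
"""Auditor's timeline check for Annex A 5.26 steps 2 and 3 (added example).

Assumed evidence format (not from the checklist): one event per line,
ISO-8601 UTC timestamp, actor, action, then free-text detail.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class Event:
    ts: datetime
    actor: str
    action: str
    detail: str


# Constructed sample evidence, not a real incident record. Containment is
# confirmed before recovery starts and the CSIRT is activated within minutes.
SAMPLE_TIMELINE = """\
2024-03-04T02:14:05Z siem   alert.raised           ransomware indicator on host=FS01
2024-03-04T02:19:40Z oncall csirt.activated        ticket=INC-0001 bridge opened
2024-03-04T02:31:12Z edr    host.isolated          host=FS01 network contain
2024-03-04T02:33:50Z iam    account.disabled       user=svc_backup
2024-03-04T03:05:00Z csirt  containment.confirmed  scope=FS01,svc_backup no further beaconing
2024-03-04T03:40:00Z ops    recovery.started       restore host=FS01 from backup 2024-03-03
"""

# Constructed failing case: no CSIRT activation recorded, and a restore is
# started before containment is confirmed (the step 3 non-compliance).
SAMPLE_TIMELINE_BAD = """\
2024-03-04T02:14:05Z siem   alert.raised           ransomware indicator on host=FS01
2024-03-04T02:31:12Z edr    host.isolated          host=FS01 network contain
2024-03-04T02:50:00Z ops    recovery.started       restore host=FS01 from backup 2024-03-03
2024-03-04T03:05:00Z csirt  containment.confirmed  scope=FS01
"""


def parse_timeline(text: str) -> List[Event]:
    """Parse the evidence export; reject malformed lines rather than skip them."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = line.split(maxsplit=3)
        if len(parts) < 3:
            raise ValueError(f"malformed event line: {line!r}")
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        detail = parts[3] if len(parts) == 4 else ""
        events.append(Event(ts, parts[1], parts[2], detail))
    return sorted(events, key=lambda e: e.ts)


def first(events: List[Event], action: str) -> Optional[Event]:
    return next((e for e in events if e.action == action), None)


def activation_delay(events: List[Event]) -> Optional[timedelta]:
    """Step 2: time from the first alert to CSIRT activation; None if either is missing."""
    alert, act = first(events, "alert.raised"), first(events, "csirt.activated")
    if alert is None or act is None:
        return None
    return act.ts - alert.ts


def recovery_before_containment(events: List[Event]) -> List[Event]:
    """Step 3: recovery actions started before containment was confirmed.

    If containment was never confirmed, every recovery action is premature.
    """
    confirmed = first(events, "containment.confirmed")
    cutoff = confirmed.ts if confirmed else None
    return [e for e in events
            if e.action == "recovery.started" and (cutoff is None or e.ts < cutoff)]


def audit(text: str, max_activation: timedelta = timedelta(minutes=30)) -> dict:
    """Apply both checks and return a pass/fail verdict per step with findings."""
    events = parse_timeline(text)
    delay = activation_delay(events)
    early = recovery_before_containment(events)
    return {
        "activation_minutes": None if delay is None else delay.total_seconds() / 60,
        "step2": "PASS" if delay is not None and delay <= max_activation else "FAIL",
        "step3": "PASS" if not early else "FAIL",
        "findings": [f"{e.ts.isoformat()} {e.actor} {e.action} before containment confirmed"
                     for e in early],
    }


if __name__ == "__main__":
    for name, text in (("good", SAMPLE_TIMELINE), ("bad", SAMPLE_TIMELINE_BAD)):
        print(name, audit(text))
```

The activation threshold is a parameter because the standard does not fix a number; use whatever the organisation's own Incident Response Plan commits to, and treat a missing activation event as a failure rather than assuming it happened off the record.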
