ISO 27001:2022 Annex A 5.26 Response to information security incidents

In this guide, I will show you exactly how to implement ISO 27001 Annex A 5.26 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.

I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.

Key Takeaways: ISO 27001 Annex A 5.26 Response to Information Security Incidents

ISO 27001 Annex A 5.26 requires organizations to respond to information security incidents in accordance with documented procedures. While previous controls (A.5.24 and A.5.25) cover the planning and assessment, this control is about the operational execution of your response. It is a corrective control designed to ensure that once an incident is confirmed, your team acts efficiently to contain the threat, recover services, and meet legal obligations (such as the 72-hour GDPR notification rule).

Core requirements for compliance include:

Documented Response Procedures: You must have clear, step-by-step instructions (often called Playbooks) for different types of incidents, such as ransomware, lost devices, or unauthorized data access.
Team Competency: The designated response team must have the technical skills and authority to act. This includes the power to take systems offline or disconnect networks during a crisis.
Containment & Eradication: The immediate goal of the response is to stop the incident from spreading (Containment) and then remove the root cause, such as malware or an exploited vulnerability (Eradication).
Evidence Collection: During the response, you must collect and preserve evidence (logs, memory dumps, or physical hardware). This is critical if the incident leads to legal action or insurance claims.
Legal & Regulatory Communication: You must have a process for notifying external parties. For data breaches involving personal data, this often requires notifying a regulator (like the ICO) within a strict legal timeframe.
Formal Closure: Every incident must be officially “Closed” only after the recovery is complete and a summary report has been created.

Audit Focus: Auditors will look for “The Execution Evidence”:

Response Timestamps: “Show me the logs for your last major incident. How much time passed between the ‘Decision’ to categorize it (A.5.25) and the start of ‘Containment’?”
Playbook Accuracy: “Show me your ransomware playbook. Can you prove that the team followed these specific steps during your last malware event?”
Communication Logs: “If you had a data breach last year, show me the record of your notification to the regulator. Did you meet the mandatory deadline?”

Response Lifecycle Table (Audit Prep):

Phase	Core Action Required	Primary Goal
1. Containment	Isolate infected systems (disconnect).	“Stop the bleeding.”
2. Eradication	Remove malware / Patch the flaw.	“Clean the wound.”
3. Recovery	Restore from backup / Restart services.	Get back to work.
4. Communication	Notify Subjects / Regulators.	Legal Compliance.

What is ISO 27001 Annex A 5.26?
Watch the ISO 27001 Annex A 5.26 Tutorial
ISO 27001 Annex A 5.26 Podcast
How to implement ISO 27001 Annex A 5.26
Response Lifecycle Table
How to comply
How to pass an ISO 27001 Annex A 5.26 audit
What the audit will check
Top 3 ISO 27001 Annex A 5.26 Mistakes People Make and How to Avoid Them
Why is ISO 27001 Response to Information Security Incidents Important?
Fast Track ISO 27001 Annex A 5.26 Compliance with the ISO 27001 Toolkit
ISO 27001 Annex A 5.26 FAQ
Related ISO 27001 Controls
Further Reading
ISO 27001 controls and attribute values

What is ISO 27001 Annex A 5.26?

ISO 27001 Annex 5.26 is about your response to information security incidents which means you need a documented process for what you will do.

ISO 27001 Annex A 5.26 Response to information security incidents is an ISO 27001 control that requires an organisation to respond to information security incidents based on documented procedures.

ISO 27001 Annex A 5.26 Purpose

The purpose of ISO 2701 Annex A 5.26 is a corrective control that ensures efficient and effective response to information security incidents.

ISO 27001 Annex A 5.26 Definition

ISO 27001 defines Annex A 5.26 as:

Information security incidents should be responded to in accordance with the documented procedures.
ISO 27001:2022 Annex A 5.26 Response to information security incidents

Watch the ISO 27001 Annex A 5.26 Tutorial

In this tutorial video I show you how to implement ISO 27001 Annex A 5.26 and how to pass the audit.

ISO 27001 Annex A 5.26 Podcast

In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 5.26 Response To Information Security Incidents. The podcast explores what it is, why it is important and the path to compliance.

How to implement ISO 27001 Annex A 5.26

This guide provides a framework for responding to an information security incident. The guide should be used in conjunction with your information security incident management plan.

The standard that relates to information security management for further reading if required is ISO/IEC 27035

To implement ISO 27001 Annex A 5.26 is straightforward. You are going to document processes and procedures for information security incident response and then communicate to those people that need to know about it.

The team that does the response is going to be designated which means you know and have recorded who they are and they are going to have the required competence to do the job.

What should the incident response process include?

The information security incident response process is going to include

Containment: stopping the incident from spreading or getting worse
Evidence Collection: collecting evidence of what happened
Escalation: considering and acting on escalation as required which may mean invoking business continuity
Logging: recording the response activities and what you did so you can analyse it later
Communicating: telling people about the processes so they know what is expected and what to do
Sharing: sharing knowledge with people that would be interested to improve responsiveness and reduce wider impact
Closing: once the incident ends formally closing the incident and recording it
Root cause: identifying why it happened and acting on that root cause conclusion.

The 3 steps of Information Security Incident Response

The 3 steps in information security incident response are:

Identification: identifying the information security incident
Assessment: assessing and prioritising the information security incident
Response: responding to the information security incident incident

Response Lifecycle Table

Phase	Action	Goal
1. Containment	Isolate infected server (disconnect network).	Stop the bleeding.
2. Eradication	Remove malware / Close vulnerability.	Clean the wound.
3. Recovery	Restore from backup / Restart services.	Get back to work.
4. Communication	Notify Data Subject / Regulator (72h rule).	Legal compliance.

How to comply

To comply with ISO 27001 Annex A 5.26 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to:

Document your information security incident response process
Assign and document the roles and responsibilities involved in the information response process
Communicate the incident response processes that those that need to know about it
Implement appropriate controls to mitigate, monitor and report on information security incidents
Monitor and review the information security incident response effectiveness

How to pass an ISO 27001 Annex A 5.26 audit

To pass an audit of ISO 27001 Annex A 5.26 Information security incidents should be responded to in accordance with the documented procedures you are going to make sure that you have followed the steps above in how to comply.

Have a documented information security incident management plan.
Implement the information security incident management plan.
Monitor the effectiveness of the information security incident management plan.
Review and update the information security incident management plan as needed.

What the audit will check

The audit is going to check a number of areas. Lets go through the main ones

1. That you have documented your roles, responsibilities and process

The audit will check the documentation, that you have reviewed it and signed and it off and that it represents what you actually do not what you think they want to hear.

2. That you can demonstrate the process working

They are going to ask you for evidence to the incident response process and take one example. For this example you are going to show them and walk them through the process and prove that you followed it and that the process worked.

3. That you can learn your lesson

Documenting your lessons learnt and following this through to continual improvements or incident and corrective actions will be checked. They want to see that not only did you respond but that you learnt from it and did something to improve that reduced or eliminated the possibility of it happening again.

Top 3 ISO 27001 Annex A 5.26 Mistakes People Make and How to Avoid Them

The top 3 Mistakes People Make For ISO 27001 Annex A 5.26 are

1. Not having a documented information security incident response plan.

This is the most common mistake made by organisations. A documented information security incident response plan is essential for effective incident response. It should include the following:

A process for identifying information security incidents.
A process for assessing the impact of information security incidents.
A process for prioritising information security incidents.
A process for responding to information security incidents.
A process for recording information security incidents.

2. Not implementing the information security incident response plan.

Even if you have a documented information security incident response plan, it is not enough to simply have the plan. The plan must be implemented in order to be effective. This means assigning responsibility for implementing the plan, providing training on the plan, and testing the plan.

3. Not monitoring the effectiveness of the information security incident response plan.

Once the information security incident response plan is implemented, it is important to monitor its effectiveness. This means reviewing reports of information security incidents, conducting audits of the plan, and taking corrective action as needed.

By avoiding these mistakes, you can ensure that you have an effective information security incident management plan in place.

Why is ISO 27001 Response to Information Security Incidents Important?

As the saying goes, shit happens. It is facts of life. No system or security is 100% We cannot be on the back foot when the inevitable happens and effective incident management can eliminate or reduce the impact of information security incidents.

ISO 27001 Annex A 5.26 Response to information security incidents is important because it provides guidance on how to manage information security incidents. Information security incidents can have a significant impact on an organisation, so it is important to have a plan in place for how to respond to them. The guidance in ISO 27001 Annex A 5.26 can help you to develop and implement an effective information security incident response plan.

The following are some of the benefits of having an effective information security incident response plan:

It can help to reduce the impact of information security incidents.
It can help to protect the organisations reputation.
It can help to comply with legal and regulatory requirements.
It can help to improve the organisations overall information security posture.

Fast Track ISO 27001 Annex A 5.26 Compliance with the ISO 27001 Toolkit

Own Your ISMS, Don’t Rent It

Do it Yourself ISO 27001 with the Ultimate ISO 27001 Toolkit

Get the Ultimate ISO 27001 Toolkit

For ISO 27001 Annex A 5.26 (Response to information security incidents), the requirement is to respond to incidents according to documented procedures. This is a corrective control that ensures your response is efficient and effective, minimizing damage through containment, eradication, and recovery.

While SaaS compliance platforms often try to sell you “automated incident ticketing” or complex “response orchestration” dashboards, they cannot actually physically isolate an infected server or ensure you’ve notified a regulator within the mandatory 72-hour window, those are human investigative and legal tasks. The High Table ISO 27001 Toolkit is the logical choice because it provides the response framework you need to manage incidents effectively without a recurring subscription fee.

1. Ownership: You Own Your Response Procedures Forever

SaaS platforms act as a middleman for your compliance evidence. If you define your response steps and store your incident logs inside their proprietary system, you are essentially renting your own emergency procedures.

The Toolkit Advantage: You receive the Incident Response Plan and Response Lifecycle Table in fully editable Word/Excel formats. These files are yours forever. You maintain permanent ownership of your standards (such as specific containment and recovery steps), ensuring you are always ready for an audit without an ongoing “rental” fee.

2. Simplicity: Governance for Real-World Response

Annex A 5.26 is about following a plan when things go wrong. You don’t need a complex new software interface to manage what a simple checklist or a well-documented “Crisis Management Plan” already does perfectly.

The Toolkit Advantage: Your IT team already knows how to restore backups and patch vulnerabilities. What they need is the governance layer to prove to an auditor that these actions are formal, tracked, and part of a broader response strategy. The Toolkit provides pre-written procedures and “Response Lifecycle Tables” that formalize your existing technical work into an auditor-ready framework, without forcing your team to learn a new software platform just to log a server restoration.

3. Cost: A One-Off Fee vs. The “Incident Volume” Tax

Many compliance SaaS platforms charge based on the number of “logged incidents” or “active responders” you track. For a control that must apply to every security breach, these monthly costs can scale aggressively for very little added value.

The Toolkit Advantage: You pay a single, one-off fee for the entire toolkit. Whether you respond to 2 incidents a year or 20, the cost of your Incident Response Documentation remains the same. You save your budget for actual security technology (like better forensics tools) rather than an expensive compliance dashboard.

4. Freedom: No Vendor Lock-In for Your Crisis Strategy

SaaS tools often mandate specific ways to report on and monitor the response to incidents. If their system doesn’t match your unique technical environment or your specialized “72-hour” regulatory reporting window, the tool becomes a bottleneck.

The Toolkit Advantage: The High Table Toolkit is 100% technology-agnostic. You can tailor the Response Procedures to match exactly how you operate, whether you use a dedicated Security Operations Center (SOC) or a lean IT team. You maintain total freedom to evolve your crisis strategy without being constrained by the technical limitations of a rented SaaS platform.

Summary: For Annex A 5.26, the auditor wants to see that you have a formal process for responding to incidents and proof that you follow it (e.g., incident logs and evidence of containment). The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.

ISO 27001 Annex A 5.26 FAQ

What is ISO 27001 Annex A 5.26?

ISO 27001 Annex A 5.26 is an ISO 27001 control that requires organisations to responded to information security incidents in accordance with the documented procedures.

What are the steps involved in information security incident response?

The 3 steps in information security incident response are:
Identification: identifying the information security incident
Assessment: assessing and prioritising the information security incident
Response: responding to the information security incident incident

What types of information security security incidents are there?

The most common types of information security incidents are
1. Accidental Incidents
2. Malicious Incidents
3. Natural Disaster / Environmental Incidents

Do I have to satisfy ISO 27001 Annex A 5.26 Response to information security incidents for ISO 27001 Certification?

Yes. It is required for ISO 27001.

Where can I get templates for ISO 27001 Annex A 5.26 Response to information security incidents?

ISO 27001 templates that support ISO 27001 Annex A 5.26 Response to information security incidents are located here in the ISO 27001 Toolkit.

How hard is ISO 27001 Annex A 5.26 Response to information security incidents?

ISO 27001 Annex A 5.26 is not hard.

How long will ISO 27001 Annex A 5.26 Response to information security incidents take me?

ISO 27001 Annex A 5.26 will take approximately 1 week to complete if you are starting from nothing and doing it yourself.

Are there free templates for ISO 27001 Annex A 5.26?

There are templates that support ISO 27001 Annex A 5.26 located here in the ISO 27001 Toolkit.

What are the roles and responsibilities involved in information security management?

Typically they are:
Incident Manager: Managing and coordinating the incident
Incident Response Team: the people responding to the incident
The Legal Team: providing legal advice
The Information Security Team: maintaining the confidentiality, integrity and availability of data.
Communications Team: keeping interested parties appropriately informed

What are some common mistakes that organisations make when complying with ISO 27001 Annex A 5.26?

Not having a documented information security incident response plan
Not implementing the information security incident response plan
Not monitoring the effectiveness of the information security incident response plan
Not having a process for identifying information security incidents
Not having a process for assessing the impact of information security incidents
Not having a process for prioritizing information security incidents
Not having a process for responding to information security incidents
Not having a process for recording information security incidents

What is the Information Security Assessment Formula?

Impact x Urgency = Priority

ISO 27001 Clause 8.1 Operational Planning and Control

ISO 27001 Annex A 5.25 Assessment And Decision On Information Security Events

ISO 27001 Annex A 5.24 Information Security Incident Management Planning and Preparation

ISO 27001 controls and attribute values

Control type	Information security properties	Cybersecurity concepts	Operational capabilities	Security domains
Corrective	Confidentiality	Respond	Information Security Event Management	Defence
	Integrity	Recover
	Availability

About the author

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.

Holding an MSc in Software and Systems Security, Stuart combines academic rigor with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.

As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organizations – from high-growth technology startups to enterprise financial institutions – through the audit lifecycle.

His toolkits represents the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
wp_woocommerce_session_*	2 days	WooCommerce sets this cookie to make a unique code for each customer so that it knows where to find the cart data in the database for each one.
yith_wcmcs_currency	7 days	Required for currency conversion.
__stripe_mid	1 year	Stripe sets this cookie to process payments.
__stripe_sid	1 hour	Stripe sets this cookie to process payments.

Cookie	Duration	Description
yt-player-headers-readable	never	The yt-player-headers-readable cookie is used by YouTube to store user preferences related to video playback and interface, enhancing the user's viewing experience.
yt-remote-cast-available	session	The yt-remote-cast-available cookie is used to store the user's preferences regarding whether casting is available on their YouTube video player.
yt-remote-cast-installed	session	The yt-remote-cast-installed cookie is used to store the user's video player preferences using embedded YouTube video.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-fast-check-period	session	The yt-remote-fast-check-period cookie is used by YouTube to store the user's video player preferences for embedded YouTube videos.
yt-remote-session-app	session	The yt-remote-session-app cookie is used by YouTube to store user preferences and information about the interface of the embedded YouTube video player.
yt-remote-session-name	session	The yt-remote-session-name cookie is used by YouTube to store the user's video player preferences using embedded YouTube video.
ytidb::LAST_RESULT_ENTRY_KEY	never	The cookie ytidb::LAST_RESULT_ENTRY_KEY is used by YouTube to store the last search result entry that was clicked by the user. This information is used to improve the user experience by providing more relevant search results in the future.

Cookie	Duration	Description
sbjs_current	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_current_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_migrations	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_session	1 hour	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_udata	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.

Cookie	Duration	Description
PREF	8 months	PREF cookie is set by Youtube to store user preferences like language, format of search results and other customizations for YouTube Videos embedded in different sites.
VISITOR_INFO1_LIVE	6 months	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
VISITOR_PRIVACY_METADATA	6 months	YouTube sets this cookie to store the user's cookie consent state for the current domain.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
m	1 year 1 month 4 days	No description available.
_monsterinsights_uj	1 year	Description is currently not available.

Table of contents