Breach

What is a Breach?

A breach is an information security event involving the compromise of data confidentiality, integrity, or availability. The primary implementation requirement is formalised incident management under Annex A 5.24; the business benefit is reduced financial impact, regulatory compliance with UK GDPR, and preserved organisational reputation during security failures.

What is a Breach?

A breach, in the context of information security, is a security event where the confidentiality, integrity, or availability of an information asset has been compromised. It is often the result of a successful cyber attack or an internal mistake, leading to unauthorised access, disclosure, or destruction of information.

Types & Examples

  • Data Breach: The most common type, involving the unauthorised exposure of sensitive information.
    • Example: A hacker gains access to a database and steals customer credit card numbers.
  • Confidentiality Breach: Unauthorised disclosure of information.
    • Example: An employee accidentally emails a confidential report to a competitor.
  • Integrity Breach: The unauthorised modification or destruction of data.
    • Example: A virus corrupts a company’s financial records, or an unauthorised user alters a patient’s medical history.
  • Availability Breach: A disruption that makes information or systems unavailable.
    • Example: A distributed denial-of-service (DDoS) attack that takes down a company’s website, preventing customers from accessing online services.

Context

While the ISO 27001 standard itself doesn’t use the term “breach” as frequently as “incident,” a breach is a severe type of information security incident. The standard’s requirements for incident management (ISO 27001 Annex A 5.24 Information Security Incident Management Planning and Preparation), assessing incidents (ISO 27001 Annex A 5.25 Assessment And Decision On Information Security Events), responding to incidents (ISO 27001 Annex A 5.26 Response To Information Security Incidents) and learning from incidents (ISO 27001 Annex A 5.27 Learning From Information Security Incidents) are designed to help organisations prepare for, detect, and respond to breaches effectively, minimising their impact.

Related ISO 27001 Control | Relationship | Description
ISO 27001 Annex A 5.24: Incident Management Planning | Preparation | Defines the processes, roles, and responsibilities needed to prepare for a breach before it occurs.
ISO 27001 Annex A 5.25: Assessment of Security Events | Triage | The process of evaluating security events to determine if they qualify as a confirmed breach or incident.
ISO 27001 Annex A 5.26: Response to Incidents | Execution | The operational guide for containing a breach, recovering services, and meeting legal notification windows.
ISO 27001 Annex A 5.27: Learning from Incidents | Prevention | Focuses on performing Root Cause Analysis (RCA) after a breach to improve controls and prevent recurrence.
ISO 27001 Annex A 5.20: Supplier Security Agreements | Third-Party Risk | Mandates that suppliers notify the organisation of a breach within a specific contractual timeframe.
ISO 27001 Annex A 6.4: Disciplinary Process | Accountability | Outlines the consequences and formal actions taken against personnel who cause a breach through negligence or policy violation.
ISO 27001 Annex A 5.29: Security During Disruption | Resilience | Ensures security controls aren’t bypassed during outages, which could lead to a secondary data breach.
Glossary: Learning From Information Security Incidents | Concept Definition | Defines the specific terminology and process of reviewing a breach to turn a negative event into a learning experience.
Glossary: Contact with Authorities | Compliance | Covers the requirement to report data breaches to government agencies (like the ICO) or the police.
ISO 27001 Glossary of Terms (Main Index) | Parent Directory | The central index where the “Breach” term is categorised alongside other foundational ISO 27001 definitions.

How to implement Breach

Implementing a formalised response to an information security breach is a mandatory requirement under ISO 27001, specifically addressing Annex A 5.24 through to 5.28. As a Lead Auditor, I have seen that the difference between a minor incident and a catastrophic non-conformity is the speed and technical precision of the containment. Following this 10-step roadmap ensures your organisation can detect, contain, and report breaches while maintaining the integrity of the Information Security Management System (ISMS).

1. Preparation and Technical Detection

  • 1. Provision technical monitoring and SIEM tools: Deploy centralised logging and Security Information and Event Management (SIEM) systems, resulting in the real-time detection of anomalous traffic and potential unauthorised access attempts.
  • 2. Formalise the Incident Response Plan (IRP): Document a specific playbook for different breach types, resulting in a repeatable set of technical actions that reduce the “Time to Identify” (TTI) for security personnel.

2. Triage and Immediate Containment

  • 3. Execute high-speed triage and classification: Categorise the breach based on the sensitivity of the data affected in your Asset Register, resulting in the correct prioritisation of technical resources and management attention.
  • 4. Revoke compromised credentials and sessions: Implement immediate session termination and password resets via your IAM platform, resulting in the isolation of the threat actor and the prevention of further lateral movement.

3. Evidence Preservation and Forensics

  • 5. Provision forensic image captures: Secure bit-for-bit copies of affected storage media and volatile memory, resulting in the preservation of evidence that is required for both legal proceedings and root cause analysis.
  • 6. Audit system logs for persistence mechanisms: Scan all scoped assets for backdoors or undocumented scheduled tasks, resulting in the total eradication of the threat actor’s foothold within the network boundary.

4. Regulatory and Statutory Notification

  • 7. Execute statutory notifications within 72 hours: Notify the Information Commissioner’s Office (ICO) or relevant regulators if personal data is involved, resulting in compliance with UK GDPR and preventing significant financial penalties.
  • 8. Formalise stakeholder communication channels: Provision clear, approved messaging for clients, investors, and the public, resulting in the protection of organisational reputation and the fulfilment of contractual notification duties.

5. Recovery and ISMS Refinement

  • 9. Conduct a technical Root Cause Analysis (RCA): Perform a deep-dive investigation into how the breach occurred, resulting in the identification of the specific technical or behavioural control failure that allowed the event.
  • 10. Audit and update the ISMS based on lessons learned: Revise your risk assessment and update security configurations, resulting in a strengthened security posture and the “Continuous Improvement” required for ISO 27001 certification.
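The roadmap above describes a procedure rather than showing it; the following is an added example (not code from the original page or its author) that carries three of the steps into working code: step 3 (triage by the sensitivity of the affected asset in the Asset Register), step 6 (flagging scheduled tasks that are not in the documented baseline) and step 7 (computing the 72-hour statutory notification deadline from the moment of awareness). The asset register, the priority mapping, the crontab lines and the baseline are all constructed assumptions for illustration, not values from the page.

```python
"""Added example: a minimal breach-triage helper for steps 3, 6 and 7 of the
roadmap. All asset names, tiers, cron lines and baselines are constructed."""
from datetime import datetime, timedelta, timezone

# Constructed asset register: asset name -> data sensitivity tier (assumption)
ASSET_REGISTER = {
    "crm-db-01": "personal",        # customer personal data, in scope for UK GDPR
    "finance-ledger": "confidential",
    "marketing-site": "public",
}

# Assumed mapping from sensitivity tier to triage priority
PRIORITY_BY_TIER = {"personal": "P1", "confidential": "P2", "public": "P3"}

# Statutory notification window stated on the page (UK GDPR, 72 hours)
STATUTORY_WINDOW = timedelta(hours=72)


def triage(asset: str) -> dict:
    """Step 3: classify a breach from the affected asset's sensitivity tier.

    An asset missing from the register is treated as top priority until it
    has been assessed, so an incomplete register never lowers the response."""
    tier = ASSET_REGISTER.get(asset, "unknown")
    return {
        "asset": asset,
        "tier": tier,
        "priority": PRIORITY_BY_TIER.get(tier, "P1"),
        "personal_data": tier == "personal",
    }


def notification_deadline(aware_at: datetime) -> datetime:
    """Step 7: the regulator must be notified within 72 hours of awareness."""
    return aware_at + STATUTORY_WINDOW


def hours_remaining(aware_at: datetime, now: datetime) -> float:
    """Hours left in the statutory window (negative once it has expired)."""
    return (notification_deadline(aware_at) - now) / timedelta(hours=1)


def sample_timeline() -> float:
    """Constructed scenario: aware at 09:00 UTC on 1 Jan, checked 24 hours later."""
    aware = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    return hours_remaining(aware, aware + timedelta(hours=24))


# Constructed system crontab lines as they might be collected from a scoped host
OBSERVED_CRON = [
    "0 2 * * * root /usr/local/bin/backup.sh",
    "*/5 * * * * root /opt/monitoring/agent --heartbeat",
    "*/10 * * * * www-data /tmp/.cache/update.sh",   # constructed: not in the baseline
]

# Constructed baseline: the commands the change records say should be scheduled
DOCUMENTED_BASELINE = {
    "/usr/local/bin/backup.sh",
    "/opt/monitoring/agent --heartbeat",
}


def undocumented_tasks(observed: list, baseline: set) -> list:
    """Step 6: flag scheduled tasks whose command is not in the documented baseline."""
    findings = []
    for line in observed:
        fields = line.split(None, 6)  # five schedule fields, user, then the command
        if len(fields) < 7:
            continue  # comment, blank or malformed line
        user, command = fields[5], fields[6]
        if command not in baseline:
            findings.append({"user": user, "command": command})
    return findings


if __name__ == "__main__":
    print(triage("crm-db-01"))
    print(f"{sample_timeline():.0f} hours left in the statutory window")
    for finding in undocumented_tasks(OBSERVED_CRON, DOCUMENTED_BASELINE):
        print("undocumented scheduled task:", finding)
```

The baseline comparison is the point of step 6: a scheduled task is only suspicious relative to what the change records say should be there, so the check needs a maintained baseline to be meaningful, and every finding still has to be confirmed by a person before eradication.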

Breach FAQ

What is an information security breach in the context of ISO 27001?

An information security breach is a confirmed incident where sensitive, protected, or confidential data is accessed, disclosed, or modified by an unauthorised entity. Within an ISO 27001 framework, a breach signifies a breakdown in the confidentiality, integrity, or availability (CIA) of information assets, necessitating immediate invocation of the organisation’s incident response procedures.

How much does a data breach cost an organisation?

The average global cost of a data breach in 2024 is £3.8 million, representing a 10% increase over previous years. Organisations with a fully deployed ISO 27001 ISMS typically save £1.2 million in breach-related costs due to faster identification and containment times, which average 200 days globally.

What are the reporting requirements for a breach under ISO 27001?

ISO 27001 Annex A 5.24 mandates that all information security incidents are reported through established management channels as quickly as possible. Organisations must maintain a formal log of 100% of reported breaches, documenting the nature of the event, the remediation steps taken, and the subsequent “lessons learned” to ensure continuous improvement.

How does the ISO 27001 breach process align with UK GDPR?

The ISO 27001 incident management process directly supports the UK GDPR requirement to notify the ICO within 72 hours of becoming aware of a personal data breach. By implementing these technical controls, organisations ensure they have the monitoring capabilities to detect 100% of significant security events before the statutory reporting deadline expires.

Can an incident response plan reduce breach impact?

Yes, a tested incident response plan reduces the financial impact of a breach by approximately 25% compared to organisations with no formal procedures. ISO 27001 requires regular testing of these plans to ensure that 100% of critical personnel understand their roles, thereby minimising operational downtime and legal liability following a security failure.

About the author

Stuart Barker
🎓 MSc Security 🛡️ Lead Auditor 30+ Years Exp 🏢 Ex-GE Leader

ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.