Document ID: ISMS-POL-004 | Version: 1.0 | Date: March 2026 | Classification: Internal | Owner: Chief Information Security Officer
Purpose and Scope
This policy establishes the framework for identifying, reporting, assessing, responding to, and learning from information security incidents at [Organisation Name], in accordance with ISO/IEC 27001:2022 Annex A controls 5.24β5.28.
It applies to all employees, contractors, and third parties who may detect, experience, or respond to a security incident. It covers all information assets within the ISMS scope, including client environments where the organisation provides managed security services.
1. Definitions
| Term | Definition |
|---|---|
| Security Event | Any observed occurrence in a system or network that may be relevant to security β not yet confirmed as an incident |
| Security Incident | A security event that has been confirmed to have caused (or is likely to cause) compromise, disruption, unauthorised access, or policy violation |
| Data Breach | A security incident resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data |
| Near Miss | A situation that had the potential to become an incident but was prevented or averted before harm occurred |
2. Incident Classification
All confirmed security incidents are assigned a severity rating at the time of detection. The ISM is responsible for initial severity assignment; the CISO may reassign severity as more information becomes available.
| Severity | Definition | Examples | Initial Response Time | Escalation |
|---|---|---|---|---|
| P1 β Critical | Active breach in progress; data exfiltration likely or confirmed; critical system unavailable; ransomware infection active | Ransomware encryption of production systems; confirmed unauthorised access to client data; complete SOC platform outage; active command-and-control communication from internal host | Immediate β within 15 minutes of detection | CISO notified within 30 minutes; CEO notified within 1 hour; legal counsel engaged within 2 hours; client notification within 4 hours if client data affected |
| P2 β High | Confirmed security incident; contained but with high potential for further impact | Phishing attack with confirmed credential compromise (account isolated); malware detected and quarantined; DDoS attack causing service degradation; insider data theft discovered | Within 1 hour of detection | CISO notified within 1 hour; management team notified within 4 hours; client notification within 24 hours if client data may be affected |
| P3 β Medium | Suspicious activity confirmed; low immediate impact; investigation ongoing | Repeated failed login attempts from suspicious IP (not yet successful); suspicious login from unusual geographic location; confirmed policy violation by staff member; unauthorised software found on endpoint | Within 4 hours of detection | ISM notified within 4 hours; CISO notification same business day; log and investigate |
| P4 β Low | Potential security event; requires investigation to determine if an incident; no immediate impact | User reports suspected phishing email (not clicked); unusual system behaviour under investigation; minor acceptable use violation; spam emails bypassing filter | Next business day | ISM logs and investigates; CISO informed at next weekly security update |
3. Incident Reporting Procedure
How to Report:
- Email:
security@[organisation-domain].com(monitored 24/7 by SOC team) - Phone:
[Security Hotline Number](for P1/P2 only; available 24/7) - Service Desk: Submit a security incident ticket via the IT service desk portal
- Direct: Contact the ISM or any CISO team member directly for urgent incidents
What to Include in Your Report:
- What you observed (describe in plain language β do not use technical jargon)
- When you first noticed the issue (date and time, as accurately as possible)
- Which systems, files, or accounts appear to be affected
- What you did in response, if anything (e.g., βI closed the browserβ, βI shut down the laptopβ)
- Your contact details and availability
No-Blame Culture: The organisation operates a no-blame culture for security incident reporting. Staff who promptly and honestly report incidents will not face disciplinary action solely as a result of having reported. Delayed or concealed reports cause significantly more harm than the original incident β prompt reporting is always the right action.
4. Incident Response Phases
Phase 1 β Identify
- Detect the incident through monitoring, user report, or automated alert.
- Confirm it is a genuine incident (not a false positive).
- Assign an Incident ID and record in the Incident Register.
- Assign a severity rating per Section 2.
- Appoint an Incident Lead (ISM for P3/P4; CISO for P1/P2).
- Notify stakeholders per the escalation schedule.
Phase 2 β Contain
- Isolate affected systems to prevent lateral movement or further data loss (network isolation, account lockout, revoking API keys as appropriate).
- Preserve all evidence before taking containment actions where possible: take memory dump, capture live logs, photograph screens.
- Do not reboot or power off systems unless there is active data destruction in progress β forensic evidence may be lost.
- Apply temporary blocks (firewall rules, DNS sinkholing) to stop ongoing attacker communication.
- Document every containment action taken with timestamp and operator name.
Phase 3 β Eradicate
- Identify and remove the root cause: delete malware, close the exploited vulnerability, revoke compromised credentials.
- Identify the attack vector and confirm it has been closed β not just the symptoms.
- Apply emergency patches or configuration changes as required via expedited change management.
- Conduct a thorough scan of all potentially affected systems before proceeding to recovery.
- Confirm with the CISO that eradication is complete before beginning recovery.
Phase 4 β Recover
- Restore affected systems from a verified clean backup taken prior to the incident.
- Validate restored systems for integrity before reconnecting to the network (check file hashes, run AV/EDR scan, review logs).
- Reintroduce systems to production in a phased manner; monitor closely for 72 hours post-recovery.
- Communicate restoration status to clients and stakeholders with estimated timelines.
- Confirm service continuity and that all affected services are operating normally before declaring the incident resolved.
Phase 5 β Communicate
- Notify affected clients if their data may have been accessed, disclosed, or lost β do not delay notification while investigating; provide what is known and commit to updates.
- Notify regulators within the required timeframe if the incident constitutes a reportable data breach (see Section 7).
- Provide regular status updates to senior management throughout P1/P2 incidents (minimum every 2 hours until resolved).
- Prepare external communications (press statement, client notification letter) with legal review before release.
- Update the incident register with all communications sent and received.
Phase 6 β Review
- Conduct a Post-Incident Review (PIR) within 5 business days of incident resolution for P1 and P2 incidents; within 10 business days for P3.
- The PIR is blameless and focuses on systems and processes, not individuals.
- Produce a PIR report and raise corrective actions in the NC/CA register for each identified improvement.
- Present PIR findings at the next Management Review; ensure lessons learned feed into control updates.
5. Evidence Preservation Checklist
Proper evidence preservation is critical for forensic investigation, legal proceedings, and regulatory compliance. The Incident Lead is responsible for ensuring evidence is collected and protected.
- Preserve system logs before they are overwritten β collect from SIEM and from individual systems
- Photograph the screens of affected systems before any interaction or shutdown
- Capture a memory dump from affected live systems if technically feasible and safe to do so
- Document the chain of custody for every piece of evidence: who collected it, when, where it was transferred, and who has access
- Store forensic copies in a write-protected or read-only location (e.g., write-protected drive, forensic image with hash verification)
- Do not run antivirus scans or remediation tools on forensic copies β run these on live systems only
- Record all hash values (SHA-256) for forensic images at the time of collection
- Do not conduct investigation or analysis on the original evidence β always work from copies
- Preserve email headers and full raw email content for phishing investigations
- Retain all evidence for a minimum of 12 months or until legal / regulatory proceedings are concluded, whichever is longer
6. Post-Incident Review Template
| Field | Response |
|---|---|
| Incident ID | [e.g., INC-2026-003] |
| Date of Incident | [Date first detected] |
| Date Resolved | [Date declared resolved] |
| Severity | [P1 / P2 / P3 / P4] |
| Summary | [2β4 sentences describing what happened] |
| Root Cause | [What was the underlying cause β not just the symptom] |
| Attack Vector | [How did the attacker or event gain access or cause harm] |
| Timeline | Detection: [time] β Containment: [time] β Eradication: [time] β Recovery: [time] β Resolution: [time] |
| Systems Affected | [List affected systems, applications, and data] |
| Data Exposure | [Was personal data or client data potentially exposed? If yes, what data, how many records?] |
| Client Impact | [Were clients affected? Were SLAs breached?] |
| What Worked Well | [Controls, processes, or team actions that functioned as intended] |
| What Could Improve | [Areas where the response was slower, harder, or less effective than it should have been] |
| Corrective Actions Raised | [List NC/CA IDs raised as a result of this incident] |
| Regulatory Notification Required | [Yes / No β which regulation, deadline, submitted by whom] |
| Lessons Applied to Controls | [Which controls or procedures have been updated based on this incident] |
| PIR Completed By | [Name, Role] |
| PIR Date | [Date of PIR meeting] |
7. Regulatory Notification Requirements
| Regulation | Trigger | Notification Deadline | Notify Whom |
|---|---|---|---|
| GDPR (EU client or employee data) | Personal data breach that is likely to result in a risk to the rights and freedoms of individuals | Within 72 hours of the organisation becoming aware of the breach | Lead supervisory authority (e.g., ICO for UK; relevant EU DPA for EU data subjects) |
| Privacy Act 1988 / NDB Scheme (Australian data) | Eligible Data Breach β unauthorised access to, or disclosure of, personal information that is likely to result in serious harm | As soon as practicable; no longer than 30 days after the organisation is aware or reasonably ought to have been aware | Office of the Australian Information Commissioner (OAIC) and affected individuals |
| Contractual obligations | As specified in each client contract (typically: any incident affecting client data or service delivery) | Per contract terms β typically 24β72 hours of becoming aware | Affected client(s) β contact name in contract; account manager to coordinate notification |
| Cyber insurance policy | As specified in the policy (typically: any incident likely to trigger a claim) | Within 24β48 hours of becoming aware β check policy terms | Insurerβs breach response hotline and claims team |
| PCI DSS (if payment card data involved) | Any confirmed or suspected compromise of payment card data | Immediately upon confirmation | Card brands (Visa, Mastercard) and acquiring bank |
8. Incident Register Fields
The Incident Register is maintained by the ISM and retained for a minimum of 3 years.
| Field | Description |
|---|---|
| Incident ID | Unique identifier (e.g., INC-2026-001) |
| Date Detected | Date and time the incident was first observed |
| Date Reported | Date and time the incident was formally reported to the security team |
| Reported By | Name and role of person who reported |
| Severity (Initial / Final) | P1βP4; may change during investigation |
| Description | Brief description of the incident |
| Systems / Data Affected | List of impacted assets |
| Incident Lead | Named person responsible for managing the response |
| Status | Open / Contained / Resolved / Closed |
| Date Resolved | Date declared resolved |
| PIR Completed | Yes / No / Not Required (P4) |
| Regulatory Notification | Yes / No / Pending β details |
| Corrective Actions | CA IDs raised from this incident |
9. Review History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | March 2026 | [CISO Name] | Initial issue |