Requirement
Requirement lens
Treat this as the control objective. The implementation, evidence, and audit sections explain how to make it operational and provable.
“Information security incidents shall be responded to in accordance with the documented procedures.”
Plain-language meaning
Once an event is categorized as an incident, the organization must respond using documented procedures rather than improvising.
Why this matters
Incident response involves technical, business, legal, communication, evidence, recovery, and management decisions. Documented procedures keep response coordinated and defensible under pressure.
Implementation guidance
Implementer focus
Turn this section into owners, procedures, records, review cadence, and evidence locations. A control is not implemented until it operates repeatedly.
- Document incident response procedures for likely scenarios such as ransomware, account compromise, data leakage, lost device, supplier breach, cloud incident, and service outage.
- Assign response responsibilities, escalation authority, communications ownership, and evidence preservation duties.
- Decide early whether evidence collection or legal defensibility is required because that changes how systems, logs, images, and communications should be handled.
- Record incident actions, decisions, approvals, containment, eradication, recovery, communication, and closure.
- Use management control for major decisions such as service shutdown, customer notification, regulator contact, legal hold, or supplier escalation.
Audit guidance
Auditor focus
Look for evidence that the process operates in practice, not just that a document exists.
Auditors should verify that incident procedures exist, responsibilities are defined, and sampled incident records show response activities followed the documented process.
Evidence examples
Evidence quality
Strong evidence links requirement, owner, action, date, review, and outcome. Weak evidence usually proves only intent.
| Evidence | What it proves |
|---|---|
| Incident records map to documented procedure steps | Shows the process is defined, operated, or reviewed |
| Roles and responsibilities are visible in the response record | Shows the process is defined, operated, or reviewed |
| Containment, eradication, recovery, communication, and closure decisions are timestamped | Shows the process is defined, operated, or reviewed |
| Evidence collection decisions are made early and recorded | Shows the process is defined, operated, or reviewed |
| Management approval is present for high-impact decisions | Shows the process is defined, operated, or reviewed |
Strong evidence
- Incident records map to documented procedure steps.
- Roles and responsibilities are visible in the response record.
- Containment, eradication, recovery, communication, and closure decisions are timestamped.
- Evidence collection decisions are made early and recorded.
- Management approval is present for high-impact decisions.
Weak evidence
- A plan exists but incidents are handled entirely in chat.
- No timestamps or decision log.
- No evidence of containment or recovery validation.
- Responsibilities are unclear during response.
- Evidence needs are considered only after systems are changed.
Common failures
Implementation watchouts
These are the fastest ways this topic fails in real ISMS work.
| Failure | Why it matters |
|---|---|
| Procedures are too generic to guide real response. | Responders improvise during high-pressure incidents |
| No nominated contact or reporting line. | Incidents are delayed or routed to the wrong people |
| Response actions are not recorded. | Management cannot reconstruct decisions or prove control |
| Legal/privacy/comms are involved too late. | Regulatory, customer, and public communication risks increase |
| Teams destroy evidence while trying to restore service. | Investigation, legal action, and root-cause analysis can fail |
Exam traps
Exam focus
Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.
- A.5.26 is response execution, not planning only.
- Documented procedures are required; heroic ad hoc response is weak.
- Evidence collection must be considered early.
- All follow-up activities should be recorded.
- Management control matters for significant incidents.
Related controls and concepts
- A.5.24 Information Security Incident Management Planning and Preparation
- A.5.25 Assessment and Decision on Information Security Events
- A.5.27 Learning from Information Security Incidents
- A.5.28 Collection of Evidence
- Incident Management Plan
- Corrective Action Tracker
KB-ready summary
Quick refresher
Use this section for last-day review and for explaining the topic to a control owner.
A.5.26 requires a controlled part of the incident-management lifecycle: Once an event is categorized as an incident, the organization must respond using documented procedures rather than improvising. In practice, this means defined criteria, assigned ownership, recorded decisions, operating evidence, and improvement links back into the ISMS.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Organizational controls
- Incident management
- Audit
- Incident response
Note Metadata
Aliases: A.5.26, Response to Information Security Incidents
Source: 02 Annex A Organizational Controls/A.5.26 Response to Information Security Incidents.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
8
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Audit checks
Audit questions, checklists, or review material connected to the control.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.5.24 - Information Security Incident Management Planning and Preparation
- ISO 27001 A.5.25 - Assessment and Decision on Information Security Events
- ISO 27001 A.5.27 - Learning from Information Security Incidents
- ISO 27001 A.5.28 - Collection of Evidence
- A.5 Organizational Controls MOC
- ISO 27001 A.6.8 - Information Security Event Reporting
- ISO 27001 A.7.4 - Physical Security Monitoring
- A.5.26 Audit Evidence Pack
- A.8.16 Audit Evidence Pack
- AQ-ISO27001-A.5.26 Response to Information Security Incidents
- ISO 27001 A.8.15 - Logging
- ISO 27001 A.8.16 - Monitoring Activities
- ISO 27001 A.8.2 - Privileged Access Rights
- ISO 27001 A.8.20 - Networks Security
- ISO 27001 A.8.23 - Web Filtering
- ISO 27001 A.8.7 - Protection Against Malware
- ISO 27001 A.8.8 - Management of Technical Vulnerabilities
- A.5 Organizational Controls Implementation Guide
- ISO27001-A.5.26 Response to Information Security Incidents
- A.5 Controls Implementation Audit Risk Mapping
- EXAM-011 - Incident Management Lifecycle
- EXAM-034 - Monitoring Activities
- ISO 27002 Annex A Control Interpretation Map
- A.5.26 Audit Checklist
- Configuration Drift Alert Review Record
- Template - Corrective Action Tracker
- DLP Alert Review and Tuning Log
- Emergency Privileged Access Record
- Endpoint Loss or Theft Response Checklist
- Evidence Collection and Chain of Custody Log
- Incident Management Plan
- Incident Response Record
- Information Security Event Report Form
- Log Review and Alert Triage Record
- Logging and Monitoring Standard
- Malware Infection Response Record
- Monitoring Detection Use Case Register
- Network Monitoring and Corrective Action Register
- Out-of-Hours Monitoring Escalation Checklist
- Privacy Breach Notification Readiness Checklist
- Annex A Controls MOC