Exam focus
The exam can split incident management into readiness, triage, response, learning, and evidence. Do not collapse all of these into one generic incident plan.
Topic Summary
A.5.24 to A.5.28 form a practical lifecycle for incident management. Each control tests a different part of the lifecycle.
Key Concepts
| Control | Exam cue |
|---|---|
| A.5.24 | Plan and prepare before incidents happen |
| A.5.25 | Assess events and decide whether they are incidents |
| A.5.26 | Respond to incidents using documented procedures |
| A.5.27 | Use incident knowledge to improve controls |
| A.5.28 | Collect and preserve evidence properly |
Common Exam Traps
- Treating every security event as an incident.
- Treating incident response as the same thing as incident planning.
- Forgetting lessons learned and corrective action.
- Collecting evidence without chain of custody.
- Waiting until after response to decide whether evidence matters.
Related Notes
- Iso27001
- Exam
- Incident management
Note Metadata
Source: 09-Exam-Preparation/EXAM-011-Incident-Management-Lifecycle.md
Related Notes
- ISO 27001 A.5.24 - Information Security Incident Management Planning and Preparation
- ISO 27001 A.5.25 - Assessment and Decision on Information Security Events
- ISO 27001 A.5.26 - Response to Information Security Incidents
- ISO 27001 A.5.27 - Learning from Information Security Incidents
- ISO 27001 A.5.28 - Collection of Evidence