Control 5.27 : Learning from Information Security Incidents
Summary
Knowledge gained from information security incidents should be used to strengthen and improve the information security controls. This ensures that the organization evolves its defenses based on real-world data rather than remaining static after a recovery.
Applicability
In-Scope: Mandatory for the continuous improvement requirement of ISO 27001. It is critical for ensuring that root causes are addressed so that the same vulnerability cannot be exploited twice.
Out-of-Scope: Never out-of-scope.
Implementation Guidance
Microsoft 365 / Entra ID
- Post-Incident Analysis: Use Microsoft Sentinel to review the full attack story and identify the specific configuration gaps that allowed the incident to occur.
- Policy Updates: Revise Conditional Access policies or Safe Links settings in Microsoft Defender for Office 365 based on the tactics, techniques, and procedures (TTPs) observed during the incident.
- Reporting: Use Microsoft Power BI or SharePoint to track incident trends and present lessons-learned reports to management for resource allocation.
Evidence Checklist
- Post-Incident Review (PIR) Reports: Documentation of meetings held after an incident to analyze what happened and why.
- Action Plans: Evidence of specific security tasks or configuration changes created as a result of an incident.
- Control Improvements: Proof that technical controls were updated following an incident review.
Practical Audit Advice
Here are some questions the auditor might ask:
- Can you provide an example of a security improvement that was implemented specifically because of a previous incident?
- Who is involved in the post-mortem process, and how are the findings communicated to top management?
- How does the organization track the completion of remedial actions identified after an incident?
- What process is in place to share these lessons with the wider staff to improve security awareness?