
An important component of an information security management system (ISMS) is the identification and handling of information security incidents.

On the one hand, every impairment of the management system is tracked and dealt with in a structured manner as part of incident management; on the other hand, the analysis of incidents can often be used to adapt or improve the management system. Continuous improvement of the ISMS is usually also a requirement of the management system standards themselves.

In particular, root cause analyses of events can feed into risk management or lead to the adaptation of policies or processes. As soon as an ISMS has reached a certain level of maturity, or external requirements have to be met explicitly, a distinction should be made between different types of events.

An attempt at classification

Various classes of events can be defined. As soon as the management system reaches a certain level of complexity, or events occur correspondingly often, events should be categorized into levels or "criticalities". A classification based on the level of impact on business processes, for example, could be used; the four classes below follow that approach. Bear in mind that any classification of events must be adapted to the respective organization and its individual requirements.

Events

Information security events are usually the lowest-threshold class. Business processes are affected negligibly or only very slightly; an event is recorded and assessed, but it does not by itself require structured incident handling.

Incidents

Incidents are events whose impact on business processes has reached an extent that requires structured handling and root cause analysis. Some incidents have a time-critical component: without prompt handling they can escalate further and possibly become a threat to business operations.

Reportable incidents

Reportable incidents are incidents whose impact on, or impairment of, business processes is so severe and extensive that a reporting obligation is triggered. Such an obligation can result, for example, from contractual agreements if the organization is part of a supply chain. There may also be an obligation to report to a parent group structure or to supervisory authorities. In Germany, for example, operators of critical infrastructures are currently obliged to report to the relevant office of the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI). Because such obligations usually come with deadlines, the classification should identify a reportable incident early enough for the report to be made in time.

Emergencies

An emergency usually means that critical business processes have been catastrophically disrupted and business operations have come to a standstill, at least in part. The transition from a serious incident to an emergency can be fluid. It is therefore advisable to link incident and event management in the ISMS with the BCMS (business continuity management system). With a well-defined interface between the two management systems, the handover can be made with the least possible loss of time, so that emergency plans can be activated as quickly as possible and the effects of the emergency contained.

Notes

When setting up and operating an ISMS, it also makes sense to analyze the organization's requirements and to adapt the ISMS's event management accordingly when classifying events. If the organization already manages IT events or data protection events, those existing processes should be analyzed when designing information security event management, so that the classifications and reporting paths do not contradict each other.

As part of continuous improvement, changes to the event management processes of individual organizational units should also be reviewed over time and, where necessary, integrated into the incident management of the ISMS.