In "ISO 27001:2013 vs ISO 27001:2005 differences #4" it was noted that the new ISO 27001/27002 adds 12 new controls; each will be explained and discussed in turn:
16.1.5 Response to information security incidents
Control
Information security incidents should be responded to in accordance with the documented procedures.
Implementation guidance
Information security incidents should be responded to by a nominated point of contact and other relevant persons of the organization or external parties (see 16.1.1).
The response should include the following:
a) collecting evidence as soon as possible after the occurrence;
b) conducting information security forensics analysis, as required (see 16.1.7);
c) escalation, as required;
d) ensuring that all involved response activities are properly logged for later analysis;
e) communicating the existence of the information security incident or any relevant details thereof to other internal and external people or organizations with a need-to-know;
f) dealing with information security weakness(es) found to cause or contribute to the incident;
g) once the incident has been successfully dealt with, formally closing and recording it.
Post-incident analysis should take place, as necessary, to identify the source of the incident.
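The steps a) to g) above describe a documented procedure, and step d) requires that every response activity be logged for later analysis. The following Python incident record is an added example (it is not from the original post or from the standard) that enforces that procedure: every activity is written to a timestamped log, communications are refused to anyone outside a need-to-know list (step e), the delay between occurrence and first evidence collection is measurable (step a), and formal closure (step g) is itself logged and only allowed once evidence collection and weakness handling are recorded. The incident data, actor names and the choice of which steps are mandatory before closure are constructed assumptions; steps b) and c) are "as required" in the text, so they are optional here.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional, Set


class Step(Enum):
    """Response activities of 16.1.5; letters follow the standard's list."""
    EVIDENCE = "a"        # collect evidence as soon as possible after the occurrence
    FORENSICS = "b"       # forensics analysis, as required (see 16.1.7)
    ESCALATION = "c"      # escalation, as required
    COMMUNICATION = "e"   # inform people/organizations with a need-to-know
    WEAKNESS = "f"        # deal with the weakness(es) behind the incident
    CLOSURE = "g"         # formally close and record the incident


@dataclass
class LogEntry:
    timestamp: datetime
    actor: str
    step: Step
    detail: str


@dataclass
class Incident:
    incident_id: str
    occurred_at: datetime
    point_of_contact: str          # nominated point of contact (16.1.1)
    need_to_know: Set[str]         # parties permitted to receive incident details
    log: List[LogEntry] = field(default_factory=list)
    closed: bool = False

    def record(self, step: Step, actor: str, detail: str, when: Optional[datetime] = None) -> None:
        """Step d: every response activity is logged with a timestamp for later analysis."""
        if self.closed:
            raise ValueError(f"{self.incident_id} is closed; nothing more may be recorded")
        self.log.append(LogEntry(when or datetime.now(timezone.utc), actor, step, detail))

    def communicate(self, actor: str, recipients: Set[str], detail: str, when=None) -> None:
        """Step e: refuse (and do not log) a communication to anyone outside need-to-know."""
        outsiders = recipients - self.need_to_know
        if outsiders:
            raise PermissionError(f"not on need-to-know list: {sorted(outsiders)}")
        self.record(Step.COMMUNICATION, actor, f"to {sorted(recipients)}: {detail}", when)

    def evidence_delay(self) -> Optional[timedelta]:
        """Step a: time from the occurrence to the first recorded evidence collection."""
        times = [e.timestamp for e in self.log if e.step is Step.EVIDENCE]
        return (min(times) - self.occurred_at) if times else None

    def missing_before_close(self) -> List[str]:
        """Steps this (assumed) procedure treats as mandatory; b and c are 'as required'."""
        done = {e.step for e in self.log}
        return [s.value for s in (Step.EVIDENCE, Step.WEAKNESS) if s not in done]

    def close(self, actor: str, when=None) -> None:
        """Step g: closure is itself a logged activity and requires the mandatory steps."""
        missing = self.missing_before_close()
        if missing:
            raise ValueError(f"cannot close {self.incident_id}: step(s) {missing} not recorded")
        self.record(Step.CLOSURE, actor, "incident formally closed", when)
        self.closed = True


def run_example() -> Incident:
    """Walk a constructed sample incident (not a real event) through the 16.1.5 sequence."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    inc = Incident("INC-0001", t0, "soc-lead", need_to_know={"soc-lead", "ciso", "legal"})
    inc.record(Step.EVIDENCE, "soc-analyst", "disk image and auth logs preserved", t0 + timedelta(minutes=20))
    inc.record(Step.FORENSICS, "forensics", "timeline built from auth logs", t0 + timedelta(hours=2))
    inc.record(Step.ESCALATION, "soc-lead", "escalated to CISO", t0 + timedelta(hours=2, minutes=10))
    inc.communicate("soc-lead", {"ciso", "legal"}, "initial summary", t0 + timedelta(hours=3))
    try:
        inc.communicate("soc-lead", {"marketing"}, "draft statement", t0 + timedelta(hours=3))
    except PermissionError:
        pass  # outsider rejected; no log entry is written for it
    try:
        inc.close("soc-lead", t0 + timedelta(hours=4))  # step f not yet recorded
    except ValueError:
        pass
    inc.record(Step.WEAKNESS, "it-ops", "patched the exposed service", t0 + timedelta(days=1))
    inc.close("soc-lead", t0 + timedelta(days=1, hours=1))
    return inc


if __name__ == "__main__":
    for entry in run_example().log:
        print(entry.timestamp.isoformat(), entry.step.value, entry.actor, entry.detail)
```

The log produced by run_example() is the record that post-incident analysis can later work from: it shows in order which activity happened, when, and by whom, and the two refused actions (a communication outside need-to-know, a premature closure) leave no entry because they never took place.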
The new ISO 27001/27002 states that there should be documented procedures for responding to information security incidents, including collecting evidence as soon as possible after the incident occurs and, where required, conducting information security forensic analysis, among other steps.