Last updated at Wed, 13 Dec 2017 15:56:30 GMT


In the series of articles titled “Incident Response Life Cycle in NIST and ISO standards” I reviewed the incident response life cycle, as defined and described in the NIST and ISO standards related to incident management.

I introduced these standards and started the review of NIST SP 800-61 in the first article in this series. The review of ISO/IEC 27035 started here.

In this article, I’m attempting a short comparison of these standards and concluding this series of articles.

Main similarity – cyclic approach

Both standards base incident management on a cyclic approach. This is critical for effective incident management. Let’s briefly compare the incident management cycles proposed in these standards.

Incident management cycle in NIST SP 800-61:

  • Preparation
  • Detection and Analysis
  • Containment, Eradication, and Recovery
  • Post-Incident Activity

Incident management cycle in ISO/IEC 27035:

  • Plan and Prepare
  • Detection and Reporting
  • Assessment and Decision
  • Responses
  • Lessons Learnt

As I mentioned in one of the articles in this series, any security management process should generally be based on the so-called Deming cycle – PDCA (Plan, Do, Check, Act). This process is the basis of all so-called ISO “quality management” standards, and all 27000 series standards belong to this group. As one can see, both NIST 800-61 and ISO/IEC 27035 are also based on the Deming cycle. Such an approach – if implemented correctly – guarantees constant improvement of processes.

Differences in cycle phase names

As one can see, the cycles are similar, but there are also important differences in cycle phase names.

NIST SP 800-61 emphasizes analysis together with detection. ISO/IEC 27035-2 emphasizes reporting together with detection. Both cycles contain analysis and reporting, but in my opinion, the difference is significant. By emphasizing reporting, the ISO standard stresses the importance of incident communication. Sharing of incident information is sometimes critical for incident containment. The NIST guide also contains a dedicated chapter on information sharing (and I also wrote a separate article on that), but in my opinion emphasizing reporting in the cycle phase name helps to increase awareness of this matter.

The ISO standard does not define (in the cycle phase name, of course) what a response consists of. In my opinion, the NIST guide is clearer here, indicating three sub-phases of incident response: containment, eradication, and recovery.

On the other hand, the ISO standard emphasizes the “lessons learned” phase, which is important in terms of “mental awareness” of a very important part of the incident management cycle – learning from incidents.

It is important to remember that if you are not strictly implementing the ISO standard, but just using it as a guide, you can define your own cycle phase names. They should be easy to memorize and should put emphasis on the elements that your organization believes are most important.

Incident response team and procedures

Both standards give detailed recommendations on the incident response team and on incident management policies and procedures. In my opinion, these two elements are critical for effective incident management – not the technical tools. So if you start building incident handling capabilities at your organization, concentrate on these two first. Constantly improved standard operating procedures will help your team be effective. They can also help automate some of the tasks.

Incident handling checklist in the NIST guide

NIST 800-61 contains a very practical item – the incident handling checklist. It contains nine easy-to-understand steps of incident handling. This checklist might be the most important first takeaway for you from this guide. It is simple to use and can be used straight away. Of course, the incident response team (or person) needs to know how to execute the steps contained in this checklist, e.g. how to “Identify and mitigate all vulnerabilities that were exploited”.

Incident categorization and classification guidelines in ISO/IEC 27035

ISO/IEC 27035 is definitely more detailed in terms of incident categorization and classification. This might be of more use for medium and large organizations, where more incidents will most probably happen and where more detailed statistical analysis of historical events is needed. These classification guidelines are detailed; they contain exact formulas and clear explanations, so they can be applied almost directly (after filling in, e.g., dollar values for the business loss parameters).

Differences in information sharing approach

ISO/IEC 27035 does not put much emphasis on information sharing. It concentrates more on the organization itself. However, one needs to remember that there are regulations, recommendations and even legal requirements in the US and in Europe that require an organization to share information on incidents. I wrote about these requirements and guidelines in an article on the European perspective on cybersecurity information sharing and in an article on automated cybersecurity information sharing with the DHS AIS system. So when preparing policies and procedures for incident management, do not forget about information sharing.


There’s no “better” or “worse” standard for incident management.

In my personal opinion, the NIST guide is a bit more technical, while the ISO standard is more procedural.

As indicated before, if your organization operates in an international environment, an ISO standard might be easier to accept as a common “incident management” language.

Most importantly, if you are serious about incident management, you should consider implementing (or at least seriously analyzing) one of these standards, or both. Even if it is not possible for your organization to implement such a standard, the knowledge contained in them can strongly help you organize your incident management team, policies, procedures and tools.

In terms of a practical approach, in my opinion, it is best to get to know both the ISO standard and the NIST guide and use what they both offer, by compiling their recommendations to best suit the needs and character of your organization.

This article concludes my review of currently available standardized guidelines on cybersecurity incident management: NIST SP 800-61 and ISO/IEC 27035.

References and further reading

ISO/IEC 27035-1 (Principles of incident management)
ISO/IEC 27035-2 (Guidelines to plan and prepare for incident response)
NIST SP 800-61 (Computer Security Incident Handling Guide)
Introduction to Incident Response Life Cycle of NIST SP 800-61
Introduction to ISO/IEC 27035 – the ISO Standard on Incident Handling