ISO IEC 27035-1-2023.docx

INTERNATIONA1.STANDARDISO/IEC27035-1editionSecond2023-02Informationtechno1.ogy一Informationsecurityincidentmanagement一P刑qp1.esandprocessTechno1.ogiesdeinformationGestiondesincidentsdesecuritedeinbrmaUon-Panie1:PrincipesetprocessusReferencenumberISO/IEC27035-1.:2023(E)ContentsForeword5.15.2OVerVieWP1.anandprepare11IS5.3DMe66and(tapdet5.51H5.61.earn1.essons2016Introductionv2Scope13Normativereferences1Terms,definitionsandabbreviatedterms3.143.2Termsanddefinitions1AbbreViatedterms3Overview4.14.2BaS1.CConCeP(S3Objectivesofincidentmanagement44.34.5IAduif1.tibdftys1.ruc1.urec1.appraach6Capabi1.ity74.5.1Genera1.7轼与也困解椭时却KfteSSStrUCtUre84.64.7CommUn1.Cat1.on10Documentation1()W5fP°rt104.7.3Incidentmanagement1.og104.7.4i1._Incidentrepor«(««11ProCeSS11AnnexA(informative)Re1.ationshiptoinvestigativestandards22AnnexB(informative)Examp1.esofinformationsecurityincidentsandtheircauses25AnnexC(informative)Cross-referencetab1.eofISO/IEC27001totheISO/IEC27035series29Annexan(informative)31Bib1.iography32ForewordISO(theInternationa1.OrganizationforStandardization)andIEC(theInternationa1.E1.ectrotechnica1.GtumbissiobJSdrmIHG<5pQrtHf1.d(S>B耐IUAWHOPhAWMIQtHtandandhaiion.S出口dddtghtechniojbcommitteesestab1.ishedbytherespectiveorganizationtodea1.withparticu1.arfie1.dsoftechnica1.activity.ISOandIECmitteesco1.1.aborateinfie1.dsofmutua1.interestOtherinternationa1.organizations,governmenta1.andnon-governmenta1.rin1.iaisonwithISOandIEC,a1.sotakepartintheTheproceduresusedtodeve1.opthisdocumentandthoseintendedforitsfurthermaintenance侬dcddc抑IbCdthe1.nd睢1.cnt1.S(W拒丽燃始rM丽坪Mar,t帕小瞰崛nM一期礴曲3iMnISO/IECDirectives.Part2(seewww.iso.org/dircctivesorwww.iec.ch/members.experts/refdocs).A(ftftF>rigWjwng&%愁S画出n®1.wf!三b1.e由三gSVhyM岬BwiR9WriirectedAv¼vv4SyWMFS7tm)standardswww.iec.ch/nationa1.-committees.©ISO/IEC2023-A11rightsreservedkUbjeetrights.Detai1.sofanypatentrightsidentifiedduringthedeve1.opmentOfURd屋Um1.n1.Wi1.IbuintheIntroductionand/orontheISO1.istofpa；4o(seewww.iso.org/patents)ortheIEC1.istofpatentdec1.arationsreceived(seehttpspatents.iecch).Anytradenameusedinthisdocumentisinformationgivenfortheconvenienceofusersanddoesnotconstituteanendorsement.B即邮SiOnSeX阀ChrtbMt也网tbwfthy前榄喇Ufn1.Sta冰ttds,tEfmw加即曲依域QificadHemmcerfmi，haWOndTad。QIgani¾uion(WTo)princip1.esinth。Tyhnica1.Ba沁gU>TFad(TBT)seewwvv.iso.org/iso/foreword.htm.IntheIEC.seewww.iec.chunderstandingstandards.j族。例M腺里SC编妞肿群梆隰CUrj夕或M1.wfm阳(SOI&肪小ec"on./brmaontechno1.ogy,Thissecondeditioncance1.sandrep1.acesthefirstedition(ISO/IEC27035-1:2016),whichhasbeentechnica1.1.yrevised.Themainchangesareasfo1.1.ows:thetit1.ehasbeenmodified;newtermsincidentmanagementteam'*and,'incidentcoordinator'*aredefinedinC1.ause3;new4bdaH24.5,44and-47areaddedinC1.ue4;thetit1.eofC1.ause5hasbeenchangedto*Process"anewAnnexDhasbeenadded;thetexthasbeeneditoria1.1.yrerised.A1.istofa1.1.partsintheISO/IEC27035SerieSCanbefoundontheISOandIECwebsites.B.3InformationgatheringIngenera1.terms,theinformationgatheringcategoryofincidentsinc1.udesthoseactivitiesassociatedOfith1.hrves)nJcM*以feB¾Md,andwithuHcwtahHigrtM!*Mi峭:runningonthosetargets.Thistypetheexistenceofatarget,andtounderstandthenetworkphysica1.or1.ogica1.topo1.ogy(e.g.ITnetwork,faci1.ity,communicates;organisationa1.structure)surroundingit,andwithwhomthetargetroutine1.ypotentia1.vu1.nerabi1.itiesinthetargetoritsimmediateenvironmentthatcanbeexp1.oited.Tjrpica1.examp1.esofinformationgatheringbytechnica1.meansinc1.udethefo1.1.owing:reconnaissanceandidentifkationofavictim'son1.ineinfrastructurebyperformingsearchesonknowndomainnamesorIPaddresses,orbyana1.ysingpassiveDNSinformation;pingingnetworkaddressestofindsystemsthatare"a1.ive"；probingthesystemtoidentify(e.g.fingerprint)thehostoperatingsystem；theASV相i4*rfesPfittworkservices;ege-mai1.,Fi1.escanningforoneormoreknownvu1.nerab1.eservicesacrossanetworkaddressrange(horizonta1.scanning).Insomecases,technica1.informationgatheringextendsintounauthorizedaccessif,forexamp1.e,aspartofsearchingforvu1.nerabi1.ities,theattackera1.soattemptstogainunauthorizedaccess.Thiscommon1.y谶R>长Hftfcte超9鼠ems,thSftfervicesfi限netvJBi*ksvu1.nera蜘iesfound.a1.soautomatica1.1.yattempttoInformationgatheringincidentscausedbynon-technica1.means,resu1.tingin:directorindirectdisc1.osureormodificationofinformation;theftofinte1.1.ectua1.propertystorede1.ectronica1.1.y;breachesofaccountabi1.ity,e.g.inaccount1.ogging；misuseOfinformationsystems(e.g.contraryto1.awororganizationpo1.icy).Informationgatheringincidentscanbecaused,forexamp1.e,by:breachesofphysica1.securityarrangementsresu1.tinginunauthorizedaccesstoinfo11nation,andtheftofdatastorageequipmentthatcon