A.5.24 Information Security Incident Management Planning and Preparation
What is this control?
ISO 27001 control A.5.24 (Information Security Incident Management Planning and Preparation) requires a formal, documented incident response plan with a defined Cyber Security Incident Response Team (CSIRT) and clear roles, responsibilities, and communication channels. The organisation uses Microsoft Sentinel as its SIEM/SOAR platform to manage the incident lifecycle across the preparation, detection, response, and learning phases, and holds tabletop exercises at least annually.
How to implement in Microsoft 365
Implement A.5.24 by documenting a formal IR plan in the SharePoint ISMS Documentation Library that defines CSIRT roles and responsibilities and the Preparation, Detection, Containment, and Learning phases. Create a CSIRT Charter document listing the members, their contact information, and their role descriptions. Implement Microsoft Sentinel as the central SIEM/SOAR platform for automated alert generation.
Configure the helpdesk system integration with Sentinel so that incidents are created automatically from alerts. Establish a manual reporting channel in the helpdesk for user-reported security events, per A.6.8. Schedule and conduct annual tabletop IR exercises and document the after-action reports.
What an auditor looks for
Auditors will verify that a current, CISO-approved version of the IR plan document exists and that it defines the incident phases and the CSIRT structure. They will check that the CSIRT Charter documents member names, roles, contact details, and escalation procedures. Auditors will verify evidence that the Sentinel-to-helpdesk automation is configured and operational.
They will review documentation of annual tabletop exercise completion, including a dated after-action report showing the scenario, findings, and lessons learned. Auditors will check for proof that personnel have been trained on incident reporting procedures.
Related controls
M365 capabilities that implement this control
IR plan documentation, playbook inventory, RACI matrices, communication templates, and tabletop exercises