A.5.26 Response to Information Security Incidents
What is this control?
ISO 27001:2022 control A.5.26 Response to Information Security Incidents requires that incidents be responded to in accordance with documented procedures. In this implementation, the CSIRT executes the formal response once an event has been classified as a security incident under A.5.25. The response covers containment (stop the incident spreading), eradication (remove the root cause) and recovery (restore affected services). The specific actions depend on the incident type and are carried out either by automated SOAR playbooks or by manual procedures; in both cases every action is recorded in the helpdesk ticket and in the technical audit logs of the tool that executed it.
How to implement in Microsoft 365
Implement A.5.26 by documenting, in the IR plan, a response procedure for each incident type: compromised account, infected endpoint, malicious IP or domain, malware, phishing and vulnerability. Create Microsoft Sentinel SOAR playbooks for the response actions that can be automated. Establish a helpdesk workflow that requires CISO approval for containment actions; to avoid the approval step delaying containment, pre-authorise routine steps (for example disabling a single compromised account or purging a reported phishing message) in the playbook itself and reserve case-by-case approval for actions with business impact, such as isolating a server.
Configure Defender for Endpoint, Defender for Office 365 and Intune so that the CSIRT can execute manual response actions from them. Log every response action, automated and manual, in the helpdesk ticket with a timestamp and a reference (device ID, search name, deployment ID) that links it to the corresponding technical audit log entry. Establish a closure workflow in which tickets move to a "Resolved - Awaiting Review" status, which triggers the A.5.27 learning phase.
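The phishing procedure above, as an added example that is not part of the original page: a PowerShell runbook that performs the Defender for Office 365 / Exchange Online Search and Purge for a reported campaign and writes a timestamped JSON-lines action log that is attached to the helpdesk ticket as evidence. It assumes the ExchangeOnlineManagement module is installed, that the operator holds the Search And Purge role in the Purview compliance portal, and that the ticket ID, subject and sender passed in are placeholders for the values taken from the incident ticket.

```powershell
# Added example, not from the original page. Phishing response: Search and Purge
# with an action log for the helpdesk ticket.
# Assumes: ExchangeOnlineManagement module, an operator with the Search And Purge role.
# $TicketId, $Subject and $SenderAddress are constructed placeholders.
param(
    [Parameter(Mandatory)] [string] $TicketId,       # helpdesk ticket, e.g. INC-0417 (hypothetical)
    [Parameter(Mandatory)] [string] $Subject,        # subject line of the reported phishing mail
    [Parameter(Mandatory)] [string] $SenderAddress,  # From: address of the reported mail
    [ValidateSet('SoftDelete', 'HardDelete')] [string] $PurgeType = 'SoftDelete',
    [string] $LogPath = ".\$TicketId-actions.jsonl"
)

function Write-ActionLog {
    param([string] $Action, [string] $Target, [string] $Outcome)
    # One JSON object per line; the file is attached to the ticket as the action record.
    $entry = [ordered]@{
        timestamp = (Get-Date).ToUniversalTime().ToString('o')
        ticket    = $TicketId
        operator  = $env:USERNAME
        action    = $Action
        target    = $Target
        outcome   = $Outcome
    }
    ($entry | ConvertTo-Json -Compress) | Add-Content -Path $LogPath
}

Connect-IPPSSession

# Search name carries the ticket ID so an auditor can trace ticket -> search -> purge action.
$searchName = "$TicketId-phish-$(Get-Date -Format 'yyyyMMddHHmmss')"
$query = "subject:`"$Subject`" AND from:$SenderAddress"

New-ComplianceSearch -Name $searchName -ExchangeLocation All -ContentMatchQuery $query | Out-Null
Start-ComplianceSearch -Identity $searchName
Write-ActionLog -Action 'ComplianceSearchStarted' -Target $searchName -Outcome $query

# Wait for the search to finish (or fail) before acting on its results.
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -notin @('Completed', 'Failed'))

if ($search.Status -eq 'Failed') {
    Write-ActionLog -Action 'ComplianceSearchFailed' -Target $searchName -Outcome 'Search failed; escalate'
    throw "Compliance search $searchName failed"
}
Write-ActionLog -Action 'ComplianceSearchCompleted' -Target $searchName -Outcome "$($search.Items) items"

if ($search.Items -gt 0) {
    # Containment: remove the matching messages from every mailbox the search hit.
    New-ComplianceSearchAction -SearchName $searchName -Purge -PurgeType $PurgeType -Confirm:$false | Out-Null
    Write-ActionLog -Action 'Purge' -Target $searchName -Outcome $PurgeType

    # Verification: the purge action is named <SearchName>_Purge; record its status.
    $purge = Get-ComplianceSearchAction -Identity "${searchName}_Purge"
    Write-ActionLog -Action 'PurgeStatus' -Target $purge.Name -Outcome $purge.Status
} else {
    Write-ActionLog -Action 'Purge' -Target $searchName -Outcome 'Skipped (no matching items)'
}
```

Two caveats when using this in practice. A purge action removes only a limited number of items per mailbox per run (Microsoft's documentation gives 10 at the time of writing), so for a large campaign repeat the search and purge until the search returns zero items. SoftDelete leaves the messages recoverable by the user, whereas HardDelete does not; choose according to the procedure in the IR plan and record the choice in the ticket, as the log above does.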
What an auditor looks for
Auditors will verify that the IR plan documents a specific response procedure for each major incident type. They will check completed helpdesk incident tickets for a record of every containment, eradication and recovery action taken, and will expect each ticket entry to be traceable to the corresponding technical audit log. For an infected endpoint, they will review Defender for Endpoint audit logs showing that device isolation was executed.
For phishing, they will verify Defender for Office 365 / Purview logs showing that Search and Purge was executed. For vulnerability response, they will check Intune audit logs showing patch deployment. Finally, they will verify closure workflow evidence showing the ticket's transition to the Resolved status that hands the incident to the A.5.27 learning phase.
Related controls
A.5.25 Assessment and decision on information security events (classification that triggers this control)
A.5.27 Learning from information security incidents (review phase triggered at ticket closure)
M365 capabilities that implement this control
IR plan documentation, playbook inventory, RACI matrices, communication templates, and tabletop exercises
Sentinel automation playbooks for incident response