Organisational | Preventive | Respond

A.5.27 Learning from Information Security Incidents

M365 Admin Path: SharePoint > ISMS > Incident Response > PIR Reports

Evidence Source: Manual

What is this control?

ISO 27001 control A.5.27 Learning from Information Security Incidents ensures the organisation learns from all security incidents to prevent recurrence. When an incident reaches Resolved status in the helpdesk, it enters the post-incident review phase. The CISO conducts formal post-incident reviews for all high-severity incidents, identifying root causes and generating corrective actions tracked in the central Corrective Action Register.

How to implement in Microsoft 365

Implement A.5.27 by establishing a post-incident review process that is triggered when an incident ticket moves to Post-Incident Review status. Create a PIR template document with sections for Executive Summary, Timeline, Root Cause, and Corrective Actions. Define criteria for which incidents require a PIR, including all High-severity incidents and any recurring Medium- or Low-severity incidents.

Create a central Corrective Action Register as a SharePoint list in the ISMS Documentation Library with fields for Action description, owner, due date, status, and completion date. Link technical corrective actions to Azure DevOps work items. Create a mandatory agenda item for Management Review Board meetings to review PIR findings.

What an auditor looks for

Auditors will verify that formal Post-Incident Reports exist for completed incidents, each with a dated root cause analysis section. They will check that the Corrective Action Register documents the actions generated from PIRs. Auditors will also verify evidence that each corrective action has an assigned owner and a due date.

They will review Management Review Board meeting minutes showing PIR findings on the agenda. Auditors will check that technical corrective actions are tracked in Azure DevOps or the helpdesk with their completion status. They will also verify that training materials have been updated to reflect lessons learned from incidents.

M365 capabilities that implement this control

Incident Response Planning Endpoint

IR plan documentation, playbook inventory, RACI matrices, communication templates, and tabletop exercises