---
title: "ISO/IEC 27035 (Information Security Incident Management)"
canonical_url: "https://www.sorena.io/artifacts/global/iso-27035"
source_url: "https://www.sorena.io/artifacts/global/iso-27035"
author: "Sorena AI"
description: "Practical ISO/IEC 27035 guidance for incident management across the full series: Part 1 principles and process, Part 2 planning and preparation."
published_at: "2026-03-04"
updated_at: "2026-03-04"
keywords:
  - "ISO 27035"
  - "ISO/IEC 27035"
  - "ISO 27035-1"
  - "ISO 27035-2"
  - "ISO 27035-3"
  - "incident management"
  - "incident response"
  - "information security incident management"
  - "incident coordinator"
  - "IMT"
  - "IRT"
  - "event report"
  - "incident management log"
  - "incident severity matrix"
  - "incident escalation matrix"
  - "ISO 27035 vs NIST 800-61r3"
  - "Incident response playbook"
  - "Severity and escalation"
  - "Audit evidence"
---

# ISO/IEC 27035 (Information Security Incident Management)

Practical ISO/IEC 27035 guidance for incident management across the full series: Part 1 principles and process, Part 2 planning and preparation.

![ISO 27035 artifact preview](https://cdn.sorena.io/cdn-cgi/image/format=auto/cheatsheets/prod/sorena-ai-global-iso-27035-small.jpg?v=cheatsheets%2Fprod)


## ISO/IEC 27035 Incident management implementation hub

Use these guides to build an incident management capability that works in real operations and holds up in audits. Cover the full ISO/IEC 27035 series: Part 1 process and documentation, Part 2 planning and preparation, and Part 3 ICT incident response operations for triage, analysis, containment, eradication, and recovery.

These guides are grounded in the current editions of the series: ISO/IEC 27035-1:2023, ISO/IEC 27035-2:2023, and ISO/IEC 27035-3:2020. They focus on the operating details that teams usually miss: event report quality, incident logs, classification scales, external relationships, exercises, capability registers, and post-incident improvement.


## What this artifact helps you do

- **Build the full capability**: Define policy, plan, team structure, support relationships, exercise cadence, and metrics so incident handling is not improvised.
- **Run consistent response operations**: Use stable event reporting, classification, prioritization, triage, analysis, containment, eradication, and recovery methods.
- **Prove what happened**: Maintain event reports, incident management logs, lessons learned, and improvement records that survive audit and regulator review.

By Sorena AI | Updated 2026 | No signup required

### Quick start


- **Compliance playbook**: Use the 2023 and 2020 series structure to build policy, plan, team roles, exercises, and evidence.
- **Incident response playbook**: Execute reporting, triage, analysis, containment, eradication, recovery, and lessons learned with fewer handoff failures.
- **Severity and escalation matrix**: Align prioritization to classification scales, business impact, and predetermined response time frames.

ISO 27035 works when reporting, decision rights, and records are explicit enough to be used under pressure.

**At a glance:** 5 guides | 2023 series core | Ops ready | Evidence traceable

**Key highlights:** IMT and IRT | Event reports | Lessons learned

## Topic Guides

- [ISO 27035 Compliance (Incident Management Operating Model)](/artifacts/global/iso-27035/compliance.md): A practical ISO/IEC 27035 compliance playbook for incident management.
- [ISO 27035 FAQ (Incident Management, Team Roles, and Evidence)](/artifacts/global/iso-27035/faq.md): Frequently asked questions about ISO/IEC 27035. Understand the 2023 series structure, IMT and IRT roles, event report forms, incident logs, prioritization.
- [ISO 27035 Incident Response Playbook (Roles, Forms, and Operations)](/artifacts/global/iso-27035/incident-response-playbook.md): A practical ISO/IEC 27035 incident response playbook that covers event reporting, triage, analysis, containment, eradication, recovery, communications.
- [ISO 27035 Incident Severity and Escalation Matrix (Classification and Priority Template)](/artifacts/global/iso-27035/incident-severity-and-escalation-matrix.md): A grounded ISO/IEC 27035 severity and escalation matrix template for classification, evaluation, prioritization, predetermined response times.
- [ISO 27035 vs NIST SP 800-61r3 (Incident Response Mapping)](/artifacts/global/iso-27035/iso-27035-vs-nist-800-61r3.md): Compare ISO/IEC 27035 and NIST SP 800-61r3 for incident response.

## Explore ISO 27035 guides


Use these subpages for grounded implementation detail on compliance, FAQ, playbooks, severity logic, and NIST comparison.

## How to run incident management that stays coherent under stress


The series works best when Part 1 provides the process frame, Part 2 defines policy, teams, forms, external relationships, testing, and metrics, and Part 3 drives ICT response operations with disciplined triage, analysis, containment, eradication, and recovery.



