References and citations
- Official ISO page for Part 1 (ISO/IEC 27035-1:2023).
- Official ISO page for Part 2 (ISO/IEC 27035-2:2023).
- Official ISO page for Part 3 (ISO/IEC 27035-3:2020).
- Official NIST page for SP 800-61 Rev. 3, confirming the final publication date and the supersession of Rev. 2.
Quick answers to the ISO/IEC 27035 questions that matter in real incident programs.
Focus on series structure, team roles, documentation, prioritization, testing, and improvement.
ISO/IEC 27035 is a series, not a single playbook. That is why teams often misread it. The practical questions are usually about structure, ownership, records, and how to keep the capability current. These answers focus on those issues rather than generic incident response advice.
The series as cited here consists of ISO/IEC 27035-1:2023 (second edition, principles and process), ISO/IEC 27035-2:2023 (second edition, planning and preparation), and ISO/IEC 27035-3:2020 (first edition, ICT incident response operations).
Use Part 1 as the overall process frame, Part 2 as the capability build guide, and Part 3 as the operational response guide.
The 2023 second editions of Part 1 and Part 2 strengthen the management model: both now explicitly define the incident management team and the incident coordinator, and Part 2 expands the planning and learning structure.
If your current process only names a SOC and an on-call responder, you are likely missing the management and coordination layer the revised series expects.
The incident management team (IMT) handles coordination, governance, and the broader incident management process. The incident response team (IRT) performs operational response actions. The incident coordinator drives investigations and decisions across teams. The point of contact (PoC) handles intake and routing.
In smaller organizations one person can fill more than one role, but the responsibilities still need to be separated conceptually.
At minimum, keep an event report and an incident management log. Part 2 also provides example forms and record items, and Part 1 makes documentation a core capability component.
The log should capture decisions, actions, timestamps, ownership, severity rationale, and outcomes.
Part 2 expects a classification scale and includes example approaches to categorization, evaluation, and prioritization. The evaluation logic should fit your information classification policy and should support documented severity levels and escalation rules.
Predetermined time frames only work if the prioritization model is explicit.
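To make the records-and-prioritization point concrete, here is an added example in Python, not taken from ISO/IEC 27035 or from this page: a prioritization matrix that derives severity and an escalation deadline only from inputs that exist in the classification policy, and an incident management log that rejects entries missing an owner, a timezone-aware timestamp, a severity rationale, or (at closure) an outcome. The classification names, severity matrix, time frames, entry kinds and sample incident are assumptions for illustration, not values from Part 2.

```python
"""Added example, not from ISO/IEC 27035 or this page: an explicit
prioritization model and a minimal incident management log.

Assumptions for illustration only: the classification names, the
severity matrix, the escalation windows and the entry kinds below are
placeholders, not values taken from ISO/IEC 27035-2.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed information classification policy levels and impact levels.
CLASSIFICATIONS = ("restricted", "confidential", "internal", "public")
IMPACTS = ("high", "medium", "low")

# Assumed severity matrix: (classification, impact) -> severity, 1 = highest.
SEVERITY_MATRIX = {
    ("restricted", "high"): 1, ("restricted", "medium"): 1, ("restricted", "low"): 2,
    ("confidential", "high"): 1, ("confidential", "medium"): 2, ("confidential", "low"): 3,
    ("internal", "high"): 2, ("internal", "medium"): 3, ("internal", "low"): 4,
    ("public", "high"): 3, ("public", "medium"): 4, ("public", "low"): 4,
}

# Assumed predetermined time frame within which a severity must be escalated.
ESCALATION_WINDOW = {1: timedelta(minutes=15), 2: timedelta(hours=1),
                     3: timedelta(hours=8), 4: timedelta(days=2)}

# Assumed record kinds; "closure" is the only kind that must carry an outcome.
ENTRY_KINDS = ("decision", "action", "escalation", "closure")


def prioritize(classification: str, impact: str) -> tuple[int, str]:
    """Return (severity, rationale). Inputs outside the policy raise, so an
    unclassified event can never be handed a time frame by default."""
    if classification not in CLASSIFICATIONS:
        raise ValueError(f"unknown classification: {classification!r}")
    if impact not in IMPACTS:
        raise ValueError(f"unknown impact: {impact!r}")
    severity = SEVERITY_MATRIX[(classification, impact)]
    rationale = f"classification={classification}, impact={impact} -> severity {severity}"
    return severity, rationale


@dataclass(frozen=True)
class LogEntry:
    timestamp: datetime          # must be timezone-aware
    owner: str                   # who made the decision or took the action
    kind: str                    # one of ENTRY_KINDS
    description: str
    severity: int
    severity_rationale: str      # why this severity, in words
    outcome: str = ""            # required when kind == "closure"


class IncidentLog:
    """Append-only, time-ordered log that refuses incomplete records."""

    def __init__(self, incident_id: str) -> None:
        self.incident_id = incident_id
        self._entries: list[LogEntry] = []

    def append(self, entry: LogEntry) -> None:
        if entry.kind not in ENTRY_KINDS:
            raise ValueError(f"unknown entry kind: {entry.kind!r}")
        for name in ("owner", "description", "severity_rationale"):
            if not getattr(entry, name).strip():
                raise ValueError(f"log entry is missing {name}")
        if entry.kind == "closure" and not entry.outcome.strip():
            raise ValueError("closure entry is missing an outcome")
        if entry.timestamp.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        if entry.severity not in ESCALATION_WINDOW:
            raise ValueError(f"severity {entry.severity} is not on the scale")
        if self._entries and entry.timestamp < self._entries[-1].timestamp:
            raise ValueError("entries must be appended in time order")
        self._entries.append(entry)

    def entries(self) -> list[LogEntry]:
        return list(self._entries)

    def escalation_deadline(self) -> datetime | None:
        """Deadline derived from the first record's severity and its window."""
        if not self._entries:
            return None
        first = self._entries[0]
        return first.timestamp + ESCALATION_WINDOW[first.severity]

    def escalation_breached(self, now: datetime) -> bool:
        """True once the deadline has passed without an escalation record
        timestamped at or before it. A late escalation does not clear it."""
        deadline = self.escalation_deadline()
        if deadline is None or now <= deadline:
            return False
        return not any(e.kind == "escalation" and e.timestamp <= deadline
                       for e in self._entries)


def build_example_log() -> IncidentLog:
    """Constructed sample: a reported phishing event touching confidential data."""
    t0 = datetime(2025, 5, 1, 9, 0, tzinfo=timezone.utc)
    severity, why = prioritize("confidential", "medium")   # severity 2, 1 h window
    log = IncidentLog("INC-EXAMPLE-0001")
    log.append(LogEntry(t0, "poc", "action",
                        "Event report received from service desk", severity, why))
    log.append(LogEntry(t0 + timedelta(minutes=20), "coordinator", "decision",
                        "Declared an incident; IRT engaged", severity, why))
    log.append(LogEntry(t0 + timedelta(minutes=45), "coordinator", "escalation",
                        "Escalated to IMT for business impact decision", severity, why))
    return log
```

The design choice worth copying is the coupling: the deadline is never typed in by hand, it is computed from the severity the matrix assigned, and the matrix refuses to assign anything to an input the classification policy does not recognise. That is what makes a predetermined time frame defensible in an audit, and it is also why a log entry without a severity rationale is rejected rather than stored blank.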
Part 2 covers awareness, training, testing, exercises, and incident response capability monitoring with metrics and governance. It also expects periodic evaluation of the IMT and follow through on lessons learned.
A mature program treats exercises and metrics as inputs to plan maintenance, not as separate compliance paperwork.
They are compatible. ISO/IEC 27035 gives you the management process, team structure, and documentation model. NIST SP 800-61 Rev. 3 gives you a current incident response profile aligned to CSF 2.0, published as a final document on April 3, 2025 and superseding Rev. 2.
Many organizations use ISO as the stable management backbone and NIST to enrich operational depth and CSF mapping.