ISO/IEC 27035 FAQ CSIRT Roles

Start with the operational decision: define what CSIRT Roles means in your ISO/IEC 27035 scope, who owns it, and what record proves the decision is current.

In practice, CSIRT work is usually split across a lead who coordinates the response, incident handlers who verify and analyze the event, legal reviewers who check compliance and contract issues, public affairs or media relations who handle external messaging, asset owners who set recovery priorities, and third parties who may assist under contract. The incident lead should also make sure response records are safeguarded, while the communications owner keeps status updates and notifications aligned with policy and law.

The evidence should show the process operating. For this artifact, the strongest record usually includes incident policy, response plan, severity matrix, triage records, escalation logs, notifications, containment and recovery notes, lessons learned, and retained logs.

Avoid evidence that only repeats a requirement. A reviewer should be able to see the actual owner, date, system, supplier, AI system, service, incident, risk, or control sample behind the answer.

The person who can fund, operate, and correct the process should own the decision; governance should review consistency and exceptions.

For high-impact changes, approval should include the teams affected by the evidence: security, privacy, resilience, supplier management, AI governance, legal, risk, or business service owners as relevant.

Review it at planned intervals and whenever the underlying scope, service, supplier, control, risk, AI system, personal data flow, incident process, or customer commitment changes.

A stale record is worse than a short record. If the facts change, update the evidence and mark what changed so the next reviewer can trust the page.