FAQ item index

Search every question across sub-FAQs

Find the exact question, open the source answer card, and copy a direct link to the anchored sub-FAQ response.

Indexed coverage
32of32items
Across 8 modules • Updated May 9, 2026
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Back to sub-FAQs
ISO/IEC 27035 Post Incident Review

How should teams handle Post Incident Review under ISO/IEC 27035?

Start with the operational decision: define what Post Incident Review means in your ISO/IEC 27035 scope, who owns it, and what record proves the decision is current.

For incident work, decide the timer and escalation path before an event occurs: classification, severity, legal-notification review, containment owner, communications owner, recovery owner, and evidence custodian. This keeps the answer useful in audits, customer reviews, incidents, supplier reviews, and management review.

  • Name the accountable owner and reviewer for Post Incident Review.
  • Record the scope, assumptions, decision, approval date, evidence location, exception status, and next review trigger.
  • Escalate when Post Incident Review changes risk acceptance, service commitments, customer promises, regulatory duties, or certification evidence.
Citations
Jump to answerOpen module
ISO/IEC 27035 Post Incident Review

What evidence should prove Post Incident Review is current under ISO/IEC 27035?

The evidence should show the process operating. For this artifact, the strongest record usually includes incident policy, response plan, severity matrix, triage records, escalation logs, notifications, containment and recovery notes, lessons learned, and retained logs.

Avoid evidence that only repeats a requirement. A reviewer should be able to see the actual owner, date, system, supplier, AI system, service, incident, risk, or control sample behind the answer.

  • Use source records from the system of work, not screenshots created only for audit day.
  • Keep exceptions visible as risk acceptance, corrective action, or management-review input.
  • Update linked registers when the answer changes an owner, risk, control, service, supplier, or review date.
Citations
Jump to answerOpen module
ISO/IEC 27035 Post Incident Review

Who should approve Post Incident Review decisions under ISO/IEC 27035?

The person who can fund, operate, and correct the process should own the decision; governance should review consistency and exceptions.

For high-impact changes, approval should include the teams affected by the evidence: security, privacy, resilience, supplier management, AI governance, legal, risk, or business service owners as relevant.

  • Use a named owner, named backup, and named escalation forum.
  • Separate preparation work from risk acceptance and final approval.
  • Keep approval records with the evidence rather than in disconnected email threads.
Citations
Jump to answerOpen module
ISO/IEC 27035 Post Incident Review

When should Post Incident Review be reviewed under ISO/IEC 27035?

Review it at planned intervals and whenever the underlying scope, service, supplier, control, risk, AI system, personal data flow, incident process, or customer commitment changes.

A stale record is worse than a short record. If the facts change, update the evidence and mark what changed so the next reviewer can trust the page.

  • Set a planned review date and a change-trigger rule.
  • Use findings to update controls, procedures, contracts, risk registers, or training.
  • Carry unresolved items into management review or risk acceptance.
Citations
Jump to answerOpen module
ISO/IEC 27035 Retained Logs

How should teams handle Retained Logs under ISO/IEC 27035?

Start with the operational decision: define what Retained Logs means in your ISO/IEC 27035 scope, who owns it, and what record proves the decision is current.

For retained incident logs, decide in advance which event records, timestamps, triage notes, escalation decisions, containment actions, recovery evidence, and lessons-learned records must be preserved, who can access them, and when legal or privacy review is needed.

  • Name the accountable owner and reviewer for Retained Logs.
  • Record the scope, assumptions, decision, approval date, evidence location, exception status, and next review trigger.
  • Escalate when Retained Logs changes risk acceptance, service commitments, customer promises, regulatory duties, or certification evidence.
Citations
ISO/IEC 27035-1:2023 standard page

ISO/IEC 27035-1 frames incident management as preparation, detection, reporting, assessment, and response, which supports keeping retained logs tied to the incident process.

Jump to answerOpen module
ISO/IEC 27035 Retained Logs

What evidence should prove Retained Logs is current under ISO/IEC 27035?

The evidence should show the process operating. For this artifact, the strongest record usually includes incident policy, response plan, severity matrix, triage records, escalation logs, notifications, containment and recovery notes, lessons learned, and Retained Logs.

Avoid evidence that only repeats a requirement. A reviewer should be able to see the actual owner, date, system, supplier, AI system, service, incident, risk, or control sample behind the answer.

  • Use source records from the system of work, not screenshots created only for audit day.
  • Keep exceptions visible as risk acceptance, corrective action, or management-review input.
  • Update linked registers when the answer changes an owner, risk, control, service, supplier, or review date.
Citations
Jump to answerOpen module
ISO/IEC 27035 Retained Logs

Who should approve Retained Logs decisions under ISO/IEC 27035?

The person who can fund, operate, and correct the process should own the decision; governance should review consistency and exceptions.

For high-impact changes, approval should include the teams affected by the evidence: security, privacy, resilience, supplier management, AI governance, legal, risk, or business service owners as relevant.

  • Use a named owner, named backup, and named escalation forum.
  • Separate preparation work from risk acceptance and final approval.
  • Keep approval records with the evidence rather than in disconnected email threads.
Citations
ISO/IEC 27035-1:2023 standard page

ISO/IEC 27035-1 frames incident management as preparation, detection, reporting, assessment, and response, which supports keeping retained logs tied to the incident process.

Jump to answerOpen module
ISO/IEC 27035 Retained Logs

When should Retained Logs be reviewed under ISO/IEC 27035?

Review it at planned intervals and whenever the underlying scope, service, supplier, control, risk, AI system, personal data flow, incident process, or customer commitment changes.

A stale record is worse than a short record. If the facts change, update the evidence and mark what changed so the next reviewer can trust the page.

  • Set a planned review date and a change-trigger rule.
  • Use findings to update controls, procedures, contracts, risk registers, or training.
  • Carry unresolved items into management review or risk acceptance.
Citations
ISO/IEC 27035-1:2023 standard page

ISO/IEC 27035-1 frames incident management as preparation, detection, reporting, assessment, and response, which supports keeping retained logs tied to the incident process.

Jump to answerOpen module
ISO/IEC 27035 Severity Classification

How should teams handle Severity Classification under ISO/IEC 27035?

Start with a simple scoring approach: classify the incident by how much it affects critical services, sensitive data, operational continuity, and the organization's ability to recover quickly.

Use the same factors every time so similar incidents get similar treatment. NIST SP 800-61r3 points incident teams to risk evaluation factors such as asset criticality, functional impact, data impact, stage of observed activity, threat actor characterization, and recoverability when prioritizing incidents and deciding when to escalate or elevate response activities.

A practical rule is that higher severity usually means broader business impact, more urgent response, more difficult recovery, or a greater likelihood that the activity will spread, persist, or cause regulatory, legal, or customer-notification consequences. Lower severity usually means the event is limited in scope, easier to contain, and unlikely to affect critical services or sensitive data.

  • Classify severity using consistent factors such as asset criticality, functional impact, data impact, stage of activity, threat actor characterization, and recoverability.
  • Treat incidents as more severe when they affect critical services, sensitive data, or time-sensitive operations, or when containment and recovery are difficult.
  • Escalate when the severity level changes the urgency, resourcing, communications, legal review, or recovery decision.
  • Document the severity rationale so reviewers can see why the incident was placed in that level rather than a lower or higher one.
Citations
Jump to answerOpen module
ISO/IEC 27035 Severity Classification

What evidence should prove Severity Classification is current under ISO/IEC 27035?

The evidence should show the process operating. For this artifact, the strongest record usually includes incident policy, response plan, severity matrix, triage records, escalation logs, notifications, containment and recovery notes, lessons learned, and retained logs.

Avoid evidence that only repeats a requirement. A reviewer should be able to see the actual owner, date, system, supplier, AI system, service, incident, risk, or control sample behind the answer.

  • Use source records from the system of work, not screenshots created only for audit day.
  • Keep exceptions visible as risk acceptance, corrective action, or management-review input.
  • Update linked registers when the answer changes an owner, risk, control, service, supplier, or review date.
Citations
Jump to answerOpen module
ISO/IEC 27035 Severity Classification

Who should approve Severity Classification decisions under ISO/IEC 27035?

The person who can fund, operate, and correct the process should own the decision; governance should review consistency and exceptions.

For high-impact changes, approval should include the teams affected by the evidence: security, privacy, resilience, supplier management, AI governance, legal, risk, or business service owners as relevant.

  • Use a named owner, named backup, and named escalation forum.
  • Separate preparation work from risk acceptance and final approval.
  • Keep approval records with the evidence rather than in disconnected email threads.
Citations
ISO/IEC 27035-1:2023 standard page

ISO/IEC 27035-1 defines the incident-management process context for assessing incidents, which supports severity classification and escalation decisions.

Jump to answerOpen module
ISO/IEC 27035 Severity Classification

When should Severity Classification be reviewed under ISO/IEC 27035?

Review it at planned intervals and whenever the underlying scope, service, supplier, control, risk, AI system, personal data flow, incident process, or customer commitment changes.

A stale record is worse than a short record. If the facts change, update the evidence and mark what changed so the next reviewer can trust the page.

  • Set a planned review date and a change-trigger rule.
  • Use findings to update controls, procedures, contracts, risk registers, or training.
  • Carry unresolved items into management review or risk acceptance.
Citations
ISO/IEC 27035-1:2023 standard page

ISO/IEC 27035-1 defines the incident-management process context for assessing incidents, which supports severity classification and escalation decisions.

Jump to answerOpen module
Page 2 of 2
Previous12Next