---
title: "ISO/IEC 27035 Incident Management FAQ"
canonical_url: "https://www.sorena.io/artifacts/global/iso-27035/faq"
source_url: "https://www.sorena.io/artifacts/global/iso-27035/faq/items/page/2"
author: "Sorena AI"
description: "ISO/IEC 27035 FAQ for ISO/IEC 27035 Information Security Incident Management: practical decisions, evidence, owners, review cadence, and source-linked implementation guidance."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "ISO/IEC 27035 FAQ"
  - "ISO/IEC 27035"
  - "ISO/IEC 27035 Information Security Incident Management"
  - "ISO/IEC 27035 FAQ checklist"
  - "ISO/IEC 27035 FAQ evidence"
  - "ISO/IEC 27035 FAQ implementation"
  - "FAQ"
  - "global compliance"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform


# ISO/IEC 27035 Incident Management FAQ

ISO/IEC 27035 FAQ for ISO/IEC 27035 Information Security Incident Management: practical decisions, evidence, owners, review cadence, and source-linked implementation guidance.

*FAQ* *Global* *ISO/IEC 27035*

## ISO/IEC 27035 FAQ

This ISO/IEC 27035 FAQ should help teams make a decision, assign owners, and collect evidence under ISO/IEC 27035 Information Security Incident Management.

It is grounded in external ISO, NIST, EU, or framework sources where relevant. It is practical implementation guidance that supports implementation planning and should be validated against jurisdiction-specific legal, contractual, and policy requirements before implementation.

This ISO/IEC 27035 FAQ explains how incident management should be handled in practice: what counts as an event or incident, who owns the response, what evidence should be kept, and when the record should be reviewed.

## Browse sub-FAQ modules

### [ISO/IEC 27035 CSIRT Roles FAQ](/artifacts/global/iso-27035/faq/csirt-roles.md)

How should teams handle CSIRT Roles under ISO/IEC 27035? Practical answer with owners, evidence, review triggers, and external source references.

- 4 items

### [ISO/IEC 27035 Escalation FAQ](/artifacts/global/iso-27035/faq/escalation.md)

How should teams handle Escalation under ISO/IEC 27035? Practical answer with owners, evidence, review triggers, and external source references.

- 4 items

### [ISO/IEC 27035 Event vs Incident FAQ](/artifacts/global/iso-27035/faq/event-vs-incident.md)

How should teams distinguish a security event from an information security incident under ISO/IEC 27035? Practical answer with owners, evidence, review triggers, and external source references.

- 4 items

### [ISO/IEC 27035 Lessons Learned FAQ](/artifacts/global/iso-27035/faq/lessons-learned.md)

How should teams handle Lessons Learned under ISO/IEC 27035? Practical answer with owners, evidence, review triggers, and external source references.

- 4 items

### [ISO/IEC 27035 Notification Evidence FAQ](/artifacts/global/iso-27035/faq/notification-evidence.md)

How should teams handle Notification Evidence under ISO/IEC 27035? Practical answer with owners, evidence, review triggers, and external source references.

- 4 items

### [ISO/IEC 27035 Post Incident Review FAQ](/artifacts/global/iso-27035/faq/post-incident-review.md)

How should teams handle Post Incident Review under ISO/IEC 27035? Practical answer with owners, evidence, review triggers, and external source references.

- 4 items

### [ISO/IEC 27035 Retained Logs FAQ](/artifacts/global/iso-27035/faq/retained-logs.md)

How should teams handle Retained Logs under ISO/IEC 27035? Practical answer with owners, evidence, review triggers, and external source references.

- 4 items

### [ISO/IEC 27035 Severity Classification FAQ](/artifacts/global/iso-27035/faq/severity-classification.md)

How should teams handle Severity Classification under ISO/IEC 27035? Practical answer with owners, evidence, review triggers, and external source references.

- 4 items

Browse all indexed questions: [/artifacts/global/iso-27035/faq/items](/artifacts/global/iso-27035/faq/items.md)

## All FAQ items

*Page 2 of 2. Showing 12 of 32 items.*

### [How should teams handle Post Incident Review under ISO/IEC 27035?](/artifacts/global/iso-27035/faq/post-incident-review.md#how-should-teams-handle-post-incident-review-under-isoiec-27035)

*Module: [ISO/IEC 27035 Post Incident Review](/artifacts/global/iso-27035/faq/post-incident-review.md)*

Start with the operational decision: define what Post Incident Review means in your ISO/IEC 27035 scope, who owns it, and what record proves the decision is current.

- Name the accountable owner and reviewer for Post Incident Review.
- Record the scope, assumptions, decision, approval date, evidence location, exception status, and next review trigger.
- Escalate when Post Incident Review changes risk acceptance, service commitments, customer promises, regulatory duties, or certification evidence.

Sources for this answer:

- [ISO/IEC 27035-1:2023 standard page](https://www.iso.org/standard/78973.html?ref=sorena.io) - Primary ISO listing for incident management principles and process.
- [ISO/IEC 27035-2:2023 standard page](https://www.iso.org/standard/78974.html?ref=sorena.io) - Primary ISO listing for planning, preparing, and lessons-learned guidance.

### [What evidence should prove Post Incident Review is current under ISO/IEC 27035?](/artifacts/global/iso-27035/faq/post-incident-review.md#what-evidence-should-prove-post-incident-review-is-current-under-isoiec-27035)

*Module: [ISO/IEC 27035 Post Incident Review](/artifacts/global/iso-27035/faq/post-incident-review.md)*

The evidence should show the process operating. For this artifact, the strongest record usually includes incident policy, response plan, severity matrix, triage records, escalation logs, notifications, containment and recovery notes, lessons learned, and retained logs.

- Use source records from the system of work, not screenshots created only for audit day.
- Keep exceptions visible as risk acceptance, corrective action, or management-review input.
- Update linked registers when the answer changes an owner, risk, control, service, supplier, or review date.

Sources for this answer:

- [ISO/IEC 27035-2:2023 standard page](https://www.iso.org/standard/78974.html?ref=sorena.io) - Primary ISO listing for planning, preparing, and lessons-learned guidance.
- [ISO/IEC 27035-3:2020 standard page](https://www.iso.org/standard/74033.html?ref=sorena.io) - Primary ISO listing for ICT incident response operations guidance.

### [Who should approve Post Incident Review decisions under ISO/IEC 27035?](/artifacts/global/iso-27035/faq/post-incident-review.md#who-should-approve-post-incident-review-decisions-under-isoiec-27035)

*Module: [ISO/IEC 27035 Post Incident Review](/artifacts/global/iso-27035/faq/post-incident-review.md)*

The person who can fund, operate, and correct the process should own the decision; governance should review consistency and exceptions.

- Use a named owner, named backup, and named escalation forum.
- Separate preparation work from risk acceptance and final approval.
- Keep approval records with the evidence rather than in disconnected email threads.

Sources for this answer:

- [ISO/IEC 27035-1:2023 standard page](https://www.iso.org/standard/78973.html?ref=sorena.io) - Primary ISO listing for incident management principles and process.
- [ISO/IEC 27035-2:2023 standard page](https://www.iso.org/standard/78974.html?ref=sorena.io) - Primary ISO listing for planning, preparing, and lessons-learned guidance.

### [When should Post Incident Review be reviewed under ISO/IEC 27035?](/artifacts/global/iso-27035/faq/post-incident-review.md#when-should-post-incident-review-be-reviewed-under-isoiec-27035)

*Module: [ISO/IEC 27035 Post Incident Review](/artifacts/global/iso-27035/faq/post-incident-review.md)*

Review it at planned intervals and whenever the underlying scope, service, supplier, control, risk, AI system, personal data flow, incident process, or customer commitment changes.

- Set a planned review date and a change-trigger rule.
- Use findings to update controls, procedures, contracts, risk registers, or training.
- Carry unresolved items into management review or risk acceptance.

Sources for this answer:

- [ISO/IEC 27035-1:2023 standard page](https://www.iso.org/standard/78973.html?ref=sorena.io) - Primary ISO listing for incident management principles and process.
- [ISO/IEC 27035-2:2023 standard page](https://www.iso.org/standard/78974.html?ref=sorena.io) - Primary ISO listing for planning, preparing, and lessons-learned guidance.

### [How should teams handle Retained Logs under ISO/IEC 27035?](/artifacts/global/iso-27035/faq/retained-logs.md#how-should-teams-handle-retained-logs-under-isoiec-27035)

*Module: [ISO/IEC 27035 Retained Logs](/artifacts/global/iso-27035/faq/retained-logs.md)*

Start with the operational decision: define what Retained Logs means in your ISO/IEC 27035 scope, who owns it, and what record proves the decision is current.

- Name the accountable owner and reviewer for Retained Logs.
- Record the scope, assumptions, decision, approval date, evidence location, exception status, and next review trigger.
- Escalate when Retained Logs changes risk acceptance, service commitments, customer promises, regulatory duties, or certification evidence.

Sources for this answer:

- [ISO/IEC 27035-1:2023 standard page](https://www.iso.org/standard/78973.html?ref=sorena.io) - ISO/IEC 27035-1 frames incident management as preparation, detection, reporting, assessment, and response, which supports keeping retained logs tied to the incident process.
- [ISO/IEC 27035-2:2023 standard page](https://www.iso.org/standard/78974.html?ref=sorena.io) - ISO/IEC 27035-2 supports planning, preparation, and lessons-learned records that retained logs should preserve for incident response review.

### [What evidence should prove Retained Logs is current under ISO/IEC 27035?](/artifacts/global/iso-27035/faq/retained-logs.md#what-evidence-should-prove-retained-logs-is-current-under-isoiec-27035)

*Module: [ISO/IEC 27035 Retained Logs](/artifacts/global/iso-27035/faq/retained-logs.md)*

The evidence should show the process operating. For this artifact, the strongest record usually includes incident policy, response plan, severity matrix, triage records, escalation logs, notifications, containment and recovery notes, lessons learned, and retained logs.

- Use source records from the system of work, not screenshots created only for audit day.
- Keep exceptions visible as risk acceptance, corrective action, or management-review input.
- Update linked registers when the answer changes an owner, risk, control, service, supplier, or review date.

Sources for this answer:

- [ISO/IEC 27035-2:2023 standard page](https://www.iso.org/standard/78974.html?ref=sorena.io) - ISO/IEC 27035-2 supports planning, preparation, and lessons-learned records that retained logs should preserve for incident response review.
- [ISO/IEC 27035-3:2020 standard page](https://www.iso.org/standard/74033.html?ref=sorena.io) - ISO/IEC 27035-3 supports ICT incident-response operations where operational logs, triage records, and response evidence are used.

### [Who should approve Retained Logs decisions under ISO/IEC 27035?](/artifacts/global/iso-27035/faq/retained-logs.md#who-should-approve-retained-logs-decisions-under-isoiec-27035)

*Module: [ISO/IEC 27035 Retained Logs](/artifacts/global/iso-27035/faq/retained-logs.md)*

The person who can fund, operate, and correct the process should own the decision; governance should review consistency and exceptions.

- Use a named owner, named backup, and named escalation forum.
- Separate preparation work from risk acceptance and final approval.
- Keep approval records with the evidence rather than in disconnected email threads.

Sources for this answer:

- [ISO/IEC 27035-1:2023 standard page](https://www.iso.org/standard/78973.html?ref=sorena.io) - ISO/IEC 27035-1 frames incident management as preparation, detection, reporting, assessment, and response, which supports keeping retained logs tied to the incident process.
- [ISO/IEC 27035-2:2023 standard page](https://www.iso.org/standard/78974.html?ref=sorena.io) - ISO/IEC 27035-2 supports planning, preparation, and lessons-learned records that retained logs should preserve for incident response review.

### [When should Retained Logs be reviewed under ISO/IEC 27035?](/artifacts/global/iso-27035/faq/retained-logs.md#when-should-retained-logs-be-reviewed-under-isoiec-27035)

*Module: [ISO/IEC 27035 Retained Logs](/artifacts/global/iso-27035/faq/retained-logs.md)*

Review it at planned intervals and whenever the underlying scope, service, supplier, control, risk, AI system, personal data flow, incident process, or customer commitment changes.

- Set a planned review date and a change-trigger rule.
- Use findings to update controls, procedures, contracts, risk registers, or training.
- Carry unresolved items into management review or risk acceptance.

Sources for this answer:

- [ISO/IEC 27035-1:2023 standard page](https://www.iso.org/standard/78973.html?ref=sorena.io) - ISO/IEC 27035-1 frames incident management as preparation, detection, reporting, assessment, and response, which supports keeping retained logs tied to the incident process.
- [ISO/IEC 27035-2:2023 standard page](https://www.iso.org/standard/78974.html?ref=sorena.io) - ISO/IEC 27035-2 supports planning, preparation, and lessons-learned records that retained logs should preserve for incident response review.

### [How should teams handle Severity Classification under ISO/IEC 27035?](/artifacts/global/iso-27035/faq/severity-classification.md#how-should-teams-handle-severity-classification-under-isoiec-27035)

*Module: [ISO/IEC 27035 Severity Classification](/artifacts/global/iso-27035/faq/severity-classification.md)*

Start with a simple scoring approach: classify the incident by how much it affects critical services, sensitive data, operational continuity, and the organization's ability to recover quickly.

- Classify severity using consistent factors such as asset criticality, functional impact, data impact, stage of activity, threat actor characterization, and recoverability.
- Treat incidents as more severe when they affect critical services, sensitive data, or time-sensitive operations, or when containment and recovery are difficult.
- Escalate when the severity level changes the urgency, resourcing, communications, legal review, or recovery decision.
- Document the severity rationale so reviewers can see why the incident was placed in that level rather than a lower or higher one.

Sources for this answer:

- [NIST SP 800-61r3](https://csrc.nist.gov/pubs/sp/800/61/r3/final?ref=sorena.io) - The incident report should be checked to estimate severity and urgency.

### [What evidence should prove Severity Classification is current under ISO/IEC 27035?](/artifacts/global/iso-27035/faq/severity-classification.md#what-evidence-should-prove-severity-classification-is-current-under-isoiec-27035)

*Module: [ISO/IEC 27035 Severity Classification](/artifacts/global/iso-27035/faq/severity-classification.md)*

The evidence should show the process operating. For this artifact, the strongest record usually includes incident policy, response plan, severity matrix, triage records, escalation logs, notifications, containment and recovery notes, lessons learned, and retained logs.

- Use source records from the system of work, not screenshots created only for audit day.
- Keep exceptions visible as risk acceptance, corrective action, or management-review input.
- Update linked registers when the answer changes an owner, risk, control, service, supplier, or review date.

Sources for this answer:

- [ISO/IEC 27035-2:2023 standard page](https://www.iso.org/standard/78974.html?ref=sorena.io) - ISO/IEC 27035-2 supports planning and lessons-learned practices that keep severity criteria and escalation paths reviewable.
- [ISO/IEC 27035-3:2020 standard page](https://www.iso.org/standard/74033.html?ref=sorena.io) - ISO/IEC 27035-3 supports ICT incident-response operations where severity classification guides triage and response coordination.

### [Who should approve Severity Classification decisions under ISO/IEC 27035?](/artifacts/global/iso-27035/faq/severity-classification.md#who-should-approve-severity-classification-decisions-under-isoiec-27035)

*Module: [ISO/IEC 27035 Severity Classification](/artifacts/global/iso-27035/faq/severity-classification.md)*

The person who can fund, operate, and correct the process should own the decision; governance should review consistency and exceptions.

- Use a named owner, named backup, and named escalation forum.
- Separate preparation work from risk acceptance and final approval.
- Keep approval records with the evidence rather than in disconnected email threads.

Sources for this answer:

- [ISO/IEC 27035-1:2023 standard page](https://www.iso.org/standard/78973.html?ref=sorena.io) - ISO/IEC 27035-1 defines the incident-management process context for assessing incidents, which supports severity classification and escalation decisions.
- [ISO/IEC 27035-2:2023 standard page](https://www.iso.org/standard/78974.html?ref=sorena.io) - ISO/IEC 27035-2 supports planning and lessons-learned practices that keep severity criteria and escalation paths reviewable.

### [When should Severity Classification be reviewed under ISO/IEC 27035?](/artifacts/global/iso-27035/faq/severity-classification.md#when-should-severity-classification-be-reviewed-under-isoiec-27035)

*Module: [ISO/IEC 27035 Severity Classification](/artifacts/global/iso-27035/faq/severity-classification.md)*

Review it at planned intervals and whenever the underlying scope, service, supplier, control, risk, AI system, personal data flow, incident process, or customer commitment changes.

- Set a planned review date and a change-trigger rule.
- Use findings to update controls, procedures, contracts, risk registers, or training.
- Carry unresolved items into management review or risk acceptance.

Sources for this answer:

- [ISO/IEC 27035-1:2023 standard page](https://www.iso.org/standard/78973.html?ref=sorena.io) - ISO/IEC 27035-1 defines the incident-management process context for assessing incidents, which supports severity classification and escalation decisions.
- [ISO/IEC 27035-2:2023 standard page](https://www.iso.org/standard/78974.html?ref=sorena.io) - ISO/IEC 27035-2 supports planning and lessons-learned practices that keep severity criteria and escalation paths reviewable.

## Operationalize ISO/IEC 27035 FAQ

This page moves ISO/IEC 27035 guidance into an auditable operating loop with owners, evidence requests, decision records, and scheduled review dates.

- [Open Assessment Autopilot for ISO/IEC 27035](/solutions/assessment.md): Convert ISO/IEC 27035 FAQ into accountable tasks, evidence requests, and review checkpoints.
- [Talk through implementation](/contact.md): Review your current scope, evidence gaps, and next implementation steps.


---

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/global/iso-27035/faq/items/page/2
