Handling information security and business continuity incidents
How we internally handle information security and business continuity incidents in accordance with ISO 27001.
Section one: detection, identification, analysis and initial response
Step one
An incident may be identified in three possible ways:
- If a potential incident has been identified:
  - Ensure that your colleagues are safe
  - Notify the quality and information security team (QIST)
  - The QIST works with the reporter and colleagues to determine the nature of the incident
  - Continue to section one: step two
- If an incident has been identified outside of business hours by the IT helpdesk:
  - The IT helpdesk sends an incident communication notification to senior staff
  - Notify the quality and information security team (QIST)
  - The QIST works with the reporter and colleagues to determine the nature of the incident
  - Continue to section one: step two
- If an individual identifies an incident outside of business hours:
  - Report it to the IT helpdesk
  - The IT helpdesk sends an incident communication notification to senior staff
  - Notify the quality and information security team (QIST)
  - The QIST works with the reporter and colleagues to determine the nature of the incident
  - Continue to section one: step two
Step two
Is a crime in progress or is there immediate danger?
- If true:
  - Call 999 (the incident is considered a crisis; see appendix A for definitions)
  - Continue to section one: step three
- If there is no crime or immediate danger:
  - Continue to section one: step three
Step three
Could the incident have a significant impact?
- If true:
  - QIST notifies the quality information security management board (QISMB)
  - QIST also notifies the deputy senior information risk owner (SIRO)
  - QIST assembles the incident team
  - Start the incident reporting form
  - Continue to section one: step four
- If the incident won’t have a significant impact:
  - Continue to section one: step four
Step four
Is the incident routine, unexceptional or of minimal impact?
- If true:
  - QIST notifies the deputy SIRO
  - Start the incident reporting form
  - Continue to section one: step five
- If the incident is not routine, unexceptional or of minimal impact:
  - QIST notifies the deputy SIRO
  - QIST assembles the incident team
  - Start the incident reporting form
  - Continue to section one: step five
Step five
Is personal data involved?
- If true:
  - Add the data protection officer (DPO) to the incident team
  - Continue to section one: step five a
- If no personal data is involved:
  - Continue to section one: step six
Step five a
Is the incident reportable?
- If true:
  - Inform the CEO and group general counsel
  - Report to the ICO / data processor / data subjects
  - Add a comms member to the incident team
  - Continue to section one: step six
- If the incident is not reportable:
  - Continue to section one: step six
Step six
Is crisis communication required?
- If true:
  - Add a comms member to the incident team
  - Add an HR member to the incident team
  - Maintain continuous internal / external communications
  - Continue to section one: step eight
- If no crisis communication is required:
  - Continue to section one: step seven
Step seven
Is support for colleagues needed?
- If true:
  - Add an HR member to the incident team
  - Maintain continuous internal / external communications
  - Continue to section one: step eight
- If no support for colleagues is needed:
  - Continue to section one: step eight
Step eight
Is specialist technical support needed?
- If true:
  - Obtain additional support via the deputy SIRO
  - Maintain continuous internal / external communications
  - Continue to section two: containment
- If no specialist technical support is needed:
  - Continue to section two: containment
Section two: containment
Step one
Contain the incident.
Step two
Has a crime occurred or been attempted?
- If true:
  - Report to the police / Action Fraud
  - Continue to section two: step four
- If no crime has occurred or been attempted:
  - Continue to section two: step three
Step three
Is a disciplinary investigation likely?
- If true:
  - Continue to section two: step four
- If no disciplinary investigation is likely:
  - Continue to section three: recovery
Step four
Is specialist evidence handling required?
- If true:
  - Obtain additional support via the deputy SIRO
  - Continue to section three: recovery
- If no specialist evidence handling is required:
  - Continue to section three: recovery
Section three: recovery
Step one
Recover.
Step two
Carry out a root cause analysis.
Step three
Continue to section four: review.
Section four: review
Step one
Hold a review meeting, agree improvements and create a monthly summary for the QISMB.
Maintain continuous internal / external communications.
Appendices
Appendix A: definitions
- Deputy SIRO (deputy senior information risk owner)
- DPO (data protection officer)
- QIST (quality information security team) - comprises the head of information security, the quality manager and their direct reports
- QISMB (quality information security management board) - comprises the head of information security, the quality manager, their direct reports, the head of infrastructure, the head of collaboration and workplace services, the IT support manager, the SIRO, the deputy SIRO, the DPO, the group general counsel and the group internal audit manager
Appendix B: what is a crisis?
Jisc considers that an incident is likely to be a crisis if:
- A breach of personal data has occurred
- A major Jisc office is unusable (rather than simply inaccessible)
- Significant support is required for affected colleagues
- A significant crime, or any fraud has been attempted against Jisc
- A product or service is unable to be used by members
- The incident is likely to gain press attention
- Specialist skills normally unavailable to Jisc are required
Appendix C: crisis communications
When deciding whether crisis communications are needed, consider whether the following are required, or are likely to be required:
- Communication with staff
- Communication with members
- Communication with press
It is likely that any incident impacting on staff, members or the public will need some involvement from the comms team.
Last updated 26 January 2021.