Incident Management Policy
Detect, report, respond and learn from incidents (Annex A 5.24-5.27).
About this Incident Management Policy
The Incident Management Policy is a ready-to-use ISO 27001:2022 template designed to help organizations document and operate the controls expected by certification auditors. It directly supports Annex A 5.24-5.27 of the ISO 27001 Annex A control set.
Use it as the baseline for your ISMS documentation, tailor it to your scope and risk appetite, then maintain it through your normal document-control process.
What's inside
- Pre-written purpose, scope and policy statements
- Roles and responsibilities aligned with ISO 27001:2022
- Control requirements mapped to Annex A 5.24-5.27
- Review, approval and version-control sections
- Editable Word (.docx) version in the Document Pack
Who is this for
- Companies pursuing ISO 27001:2022 certification
- ISMS managers and information security leads
- Consultants delivering ISO 27001 implementations
- Auditors preparing evidence packs for Stage 1 / Stage 2
- SaaS and tech teams formalizing security policies
ISO 27001:2022 relevance
- Annex A 5.24 - Information security incident management planning
- Annex A 5.25 - Assessment and decision
- Annex A 5.26 - Response to incidents
- Annex A 5.27 - Learning from incidents
- Annex A 5.28 - Collection of evidence
How to customise
- Define incident categories and severity levels.
- Insert contact details for the response team and escalation chain.
- Set notification timelines (regulatory, customer, internal).
- Reference your post-incident review and lessons-learned process.
Evidence auditors may expect
- Approved incident response policy and runbooks
- Incident log with classification, owner, and status
- Post-incident review records and corrective actions
- Evidence of training or tabletop exercises
Auditor may ask
These are realistic questions an external auditor may use to test the control. Your answer must be supported by the evidence listed above.
Frequently asked questions
What ISO 27001:2022 controls does an incident response policy cover?
Annex A 5.24 (Planning and preparation), 5.25 (Assessment and decision), 5.26 (Response to incidents), 5.27 (Learning from incidents) and 5.28 (Collection of evidence).
What should an ISO 27001 incident response policy include?
Definitions and severity levels, roles (incident manager, response team), detection and reporting channels, triage and escalation, communication, containment, recovery and post-incident review.
Do we need to test the incident response process?
Yes. Tabletop or simulated incident exercises are expected at least annually, with results, lessons learned and corrective actions documented as evidence.
What evidence does an auditor look for?
Approved policy, incident register, sample incident tickets with timeline, post-incident review records, and evidence that lessons learned have fed back into the risk register or controls.
Related ISO 27001 documents
Logging & Monitoring Policy
Event logging, monitoring and alerting (Annex A 8.15/8.16).
Business Continuity Policy
Continuity, recovery and resilience requirements (Annex A 5.29/5.30).
Statement of Applicability (SoA)
Lists all Annex A controls with applicability and justification. Mandatory under clause 6.1.3 d).
Risk Register Template (Excel)
Multi-sheet ISO 27001 risk register with scoring matrix. First sheet preview only - extra sheets unlock with the pack.
Acceptable Use Policy
Rules for acceptable use of information and assets (Annex A 5.10).
Access Control Policy
Logical and physical access management (Annex A 5.15).
Get the editable Incident Management Policy
Buy this template on its own for $34, or unlock the full Document Pack for $99 (one-time).
