
Incident Response Frameworks: NIST vs. ISO/IEC 27035

Written by James Archibald | Apr 28, 2026 3:17:12 PM

As South Africa’s digital infrastructure shifts from on-premises hardware firewalls to cloud security, new security and reporting requirements from the Information Regulator have created an urgent need for updated governance frameworks. As organisations face an expanding attack surface, they need both robust controls to prevent breaches and effective, rehearsed procedures to respond to the incidents that still occur. Standardised incident response frameworks such as NIST Special Publication (SP) 800-61 and ISO/IEC 27035 provide internationally recognised good practice for handling security incidents, including data breaches.

The Central University of Technology (CUT) addresses the South African skills gap through its fully online Postgraduate Diploma in Information Technology, designed to equip professionals with the capabilities required to navigate complex containment and recovery cycles.

The NIST Incident Response Framework: SP 800-61

NIST SP 800-61 is a NIST Special Publication and the most widely adopted incident response guide, favoured for its actionable technical depth. It is not itself part of the NIST Cybersecurity Framework, although its 2025 revision (Rev. 3) is written as a CSF 2.0 Community Profile that maps incident response onto the CSF functions. The lifecycle most IR teams still work from comes from Rev. 2, which conceptualises incident handling as a continuous four-phase loop:

  • Preparation: Establishing the incident response capability: the team, tooling, communication channels and the preventive controls that keep incident volume manageable.
  • Detection and Analysis: Identifying precursors and indicators across monitoring sources, validating and prioritising the incident, and documenting evidence as it is gathered.
  • Containment, Eradication and Recovery: Choosing a containment strategy, removing the attacker's footholds and artefacts, and restoring systems to normal operation.
  • Post-Incident Activity: Holding a lessons-learned review, retaining evidence, and feeding improvements back into Preparation so the loop continues.

The ISO/IEC 27035 Standard

Where NIST is technical, ISO/IEC 27035 is governance-oriented: it supports the incident management requirements of an ISO/IEC 27001 information security management system and is organised as five phases:

  • Plan and Prepare: The first phase involves formulating information security policies with top management commitment and establishing a dedicated incident response team.
  • Detect and Report: Security teams monitor internal telemetry and external threat feeds to identify anomalous activity, ensuring potential threats are formally reported through established coordination procedures.
  • Assess and Decide: Reported events are evaluated to determine if they constitute an official incident, informing the decision on the specific response strategy and the activation of the required teams.
  • Response: Active measures are taken to investigate, contain, and eradicate the threat, while coordinating and communicating with stakeholders to minimise impact on organisational assets.
  • Lessons Learned: Following resolution, the incident is reviewed to document improvements for future security controls and to evaluate team performance for continuous organisational growth.

A distinguishing feature is the formal assessment step that decides whether an "event" constitutes an "incident". Because that decision is made explicitly and early, legal and regulatory notification questions are raised at the point of assessment rather than discovered after containment.

Comparison table for NIST SP 800-61 and ISO/IEC 27035

Feature   | NIST SP 800-61                 | ISO/IEC 27035
Lifecycle | 4 phases (cyclical)            | 5 phases (sequential/iterative)
Audience  | Technical IR teams / SOC       | Management and auditors
Focus     | Technical actions / playbooks  | Governance and decision-making

South African Regulatory Compliance

In South Africa, the choice of framework is increasingly dictated by the Protection of Personal Information Act (POPIA). Section 22 mandates that where there are "reasonable grounds" to believe personal information has been accessed or acquired by an unauthorised person, the responsible party must notify the Information Regulator and, unless their identity cannot be established, the affected data subjects.

Unlike the GDPR, which exempts breaches unlikely to result in a risk to individuals, POPIA sets no "high-risk" threshold: every compromise that meets the section 22 test must be reported, irrespective of the perceived risk. As of April 2025, organisations must use the Information Regulator's mandatory eServices portal for reporting. Bridging the technical trigger (a confirmed unauthorised access) and the legal obligation (a notification) therefore has to be built into the assessment step itself, not left to the post-incident review.
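The ISO/IEC 27035 "Assess and Decide" step and the POPIA section 22 trigger described above can be encoded as a single triage gate, so that the legal question is asked at the same moment as the technical one. The Python below is an added example written for this page, not code from either standard, the Information Regulator or CUT; the record schema, field names, severity scale, incident floor and sample events are constructed assumptions. It shows the point of the text: a low-severity event (EV-0002) still requires notification once unauthorised access to personal information is confirmed, while a higher-severity event with no unauthorised access (EV-0003) becomes an incident without any notification duty.

```python
"""ISO/IEC 27035 'Assess and Decide' gate with a POPIA section 22 notification flag.
Illustrative example for this page: the record schema, field names, severity scale
and sample events are constructed here and come from neither standard nor the Act."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List


class Verdict(Enum):
    EVENT_ONLY = "event"    # logged and monitored; no incident declared
    INCIDENT = "incident"   # enters ISO 'Response' / NIST phase 3


@dataclass
class SecurityEvent:
    event_id: str
    source: str                  # reporting sensor or team, e.g. "edr", "dlp", "idp"
    description: str
    confirmed: bool              # analyst verified the activity is real, not a false positive
    unauthorised_access: bool    # an unauthorised person accessed or acquired data/systems
    personal_information: bool   # the affected data is personal information
    severity: int                # 1 (low) .. 5 (critical); example scale, analyst-assigned
    subjects_identifiable: bool = True  # can affected data subjects be identified?


@dataclass
class TriageDecision:
    event_id: str
    verdict: Verdict
    notify_regulator: bool       # POPIA s.22(1)(a): Information Regulator
    notify_data_subjects: bool   # POPIA s.22(1)(b): data subjects, if identifiable
    next_phase: str
    rationale: List[str] = field(default_factory=list)


# Assumed floor for 'could harm assets or compromise operations' when no unauthorised
# access is confirmed. An example value, not one taken from ISO/IEC 27035.
INCIDENT_SEVERITY_FLOOR = 3


def triage(ev: SecurityEvent) -> TriageDecision:
    """Decide event vs incident, and whether POPIA s.22 notification is triggered.
    The notification branch deliberately ignores severity: POPIA has no risk threshold."""
    why: List[str] = []
    if not ev.confirmed:
        why.append("activity not confirmed; remains an event under observation")
        return TriageDecision(ev.event_id, Verdict.EVENT_ONLY, False, False,
                              "Detect and Report (continue monitoring)", why)

    is_incident = ev.unauthorised_access or ev.severity >= INCIDENT_SEVERITY_FLOOR
    if ev.unauthorised_access:
        why.append("confirmed unauthorised access to organisational assets")
    elif is_incident:
        why.append(f"severity {ev.severity} >= {INCIDENT_SEVERITY_FLOOR}; operations at risk")
    else:
        why.append("confirmed, but no unauthorised access and low severity")

    # s.22 trigger: reasonable grounds that personal information was accessed or
    # acquired by an unauthorised person. No severity check on purpose.
    notify = ev.unauthorised_access and ev.personal_information
    if notify:
        why.append("personal information reached an unauthorised person: s.22 notification")

    next_phase = ("Response (ISO) / Containment, Eradication and Recovery (NIST phase 3)"
                  if is_incident else "Detect and Report (logged; no response activated)")
    return TriageDecision(ev.event_id, Verdict.INCIDENT if is_incident else Verdict.EVENT_ONLY,
                          notify, notify and ev.subjects_identifiable, next_phase, why)


def run_triage(events: List[SecurityEvent]) -> List[TriageDecision]:
    return [triage(e) for e in events]


def notification_queue(decisions: List[TriageDecision]) -> List[str]:
    """Event IDs that must be reported to the Information Regulator."""
    return [d.event_id for d in decisions if d.notify_regulator]


# Constructed sample events for this example.
SAMPLE_EVENTS = [
    SecurityEvent("EV-0001", "edr", "Encoded PowerShell on a workstation (unverified)",
                  confirmed=False, unauthorised_access=False, personal_information=False, severity=3),
    SecurityEvent("EV-0002", "dlp", "Contractor account downloaded HR payroll export",
                  confirmed=True, unauthorised_access=True, personal_information=True, severity=2),
    SecurityEvent("EV-0003", "idp", "Password spray against service accounts, all blocked",
                  confirmed=True, unauthorised_access=False, personal_information=False, severity=3),
    SecurityEvent("EV-0004", "cspm", "Storage bucket logging disabled; no access recorded",
                  confirmed=True, unauthorised_access=False, personal_information=True, severity=1),
]

if __name__ == "__main__":
    for d in run_triage(SAMPLE_EVENTS):
        print(f"{d.event_id} {d.verdict.value:9} notify_regulator={d.notify_regulator} "
              f"-> {d.next_phase} | {'; '.join(d.rationale)}")
    print("Regulator queue:", notification_queue(run_triage(SAMPLE_EVENTS)))
```

Run it directly to print each decision and the regulator queue. In a real SOAR or case-management system the same fields would be populated by the analyst at the assess-and-decide step, and a true `notify_regulator` flag would open the notification workflow and start its "as soon as reasonably possible" clock, which is what keeps the legal obligation tied to the technical trigger rather than to someone remembering it later.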

Incident Response Best Practices

Mature organisations achieve resilience by synthesising frameworks into incident response best practices. Key technical measures include:

  • Playbooks: Detailed, pre-approved "battle plans" for specific incident types such as ransomware or phishing, so responders execute agreed steps instead of improvising decisions during a crisis.
  • SOAR Platforms: Automating the repetitive steps of a playbook, for example isolating a compromised host or container the moment a detection fires, to cut reaction time from hours to seconds.
  • Continuous Monitoring: Moving from alert-driven response towards proactive threat hunting, including monitoring-as-a-service, to find threats that evade automated detection.

Professional Development at CUT

The Postgraduate Diploma in Information Technology at CUT provides the theoretical and practical depth needed for incident response leadership. The curriculum includes:

  • Advanced Information Security: Risk mitigation and policy design.
  • Ethical Hacking: Understanding attacker techniques in order to identify and remediate vulnerabilities before they are exploited.
  • IT Governance and Compliance: Strategic management for navigating regulatory compliance.

By mastering incident response, graduates of the postgraduate diploma are empowered to protect South Africa's future cybersecurity systems.

FAQs: Incident Response Frameworks

1. What is the difference between an "event" and an "incident" in ISO/IEC 27035?

A security event is an identified occurrence that indicates a possible breach of information security or a failure of controls. An incident is one or more related events that have been assessed as likely to harm the organisation's assets or compromise its operations; the "Assess and Decide" phase is where that determination is made and recorded.

2. Why does NIST group containment, eradication and recovery together?

NIST groups these together into Phase 3 because these activities often occur simultaneously or iteratively during a crisis. For example, a team may eradicate threats in one segment while still containing threats in another.

3. Is it mandatory to report a "low-risk" breach under POPIA?

Yes. POPIA has no risk threshold for reporting. Any unauthorised access to or acquisition of personal information must be reported to the Information Regulator, and to the affected data subjects unless their identity cannot be established, as soon as reasonably possible after the compromise is discovered.

4. How does threat intelligence improve incident response?

It provides context about known attackers and techniques. Integrating threat intelligence allows teams to prioritise alerts and predict an adversary's next moves during a breach.

5. How often should an incident response plan be tested?

Best practices suggest at least an annual tabletop exercise. Reviews should also follow major IT changes or actual incidents to incorporate "lessons learned".