# SID-OPS-01 — Incident Response and Management
| Property | Value |
|---|---|
| Owner | operator |
| Category | process |
| CSF Function | respond |
| Group | Operational Controls |
## Description
Incident response plan with escalation procedures, communication plan, and defined roles. Classification of security events. Response SLAs. Post-incident review and lessons learned. Must include eIDAS Art 5a(20) notification requirements. Siros Foundation provides L2/L3 technical support; operator handles first response.
Evidence preservation and records protection requirements (ISO 27001 A.5.28, A.5.33):

1. Incident classification: define severity tiers (P1–P4) with criteria covering credential misuse, key compromise, data breach, service unavailability, and regulatory notification triggers.
2. Evidence preservation: upon incident detection, immediately capture and immutably preserve structured logs (forwarded from SID-AUDIT-01 output), system snapshots, network flows, and any relevant application state. Evidence MUST be stored in a write-once or append-only store inaccessible to the incident responders themselves (chain-of-custody separation).
3. Records protection: incident records MUST be protected from modification or deletion for a minimum of 5 years (A.5.33). Access to incident records is restricted to auditors and legal.
4. Notification: eIDAS Art 5a(20) requires notification to the supervisory body within 24 hours of becoming aware of a serious incident. The operator MUST document the notification procedure and maintain a contact list for the supervisory body.
5. Post-incident review: documented within 5 business days; root-cause analysis and lessons learned shared with Siros Foundation for platform-side improvements.
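As an added illustration of item 2 (not part of this control text or of any Siros Foundation tooling): a hash-chained, append-only evidence manifest in which each entry binds an artifact's SHA-256 to the hash of the previous entry, so a later edit to any earlier entry is detectable on verification. The file name, the INC-0001 identifier, the responder names and the sample log line are constructed for the example; the append-only property must additionally be enforced by the storage backend, with responders holding append rights only.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev-hash carried by the first manifest entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def preserve_evidence(manifest: str, incident: str, name: str,
                      artifact: bytes, collected_by: str) -> dict:
    """Append a chain-of-custody entry: artifact hash plus hash of the previous
    manifest line, so editing or removing an earlier entry breaks the chain."""
    prev = GENESIS
    if os.path.exists(manifest):
        with open(manifest, "rb") as fh:
            lines = fh.read().splitlines()
        prev = sha256_hex(lines[-1]) if lines else GENESIS
    entry = {"incident": incident, "artifact": name, "size": len(artifact),
             "sha256": sha256_hex(artifact), "collected_by": collected_by,
             "collected_at": datetime.now(timezone.utc).isoformat(),
             "prev_entry_sha256": prev}
    # Append-only descriptor: this process can add lines but cannot seek back and
    # overwrite earlier ones; the store itself should enforce WORM on top of this.
    fd = os.open(manifest, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "ab") as fh:
        fh.write(json.dumps(entry, sort_keys=True).encode() + b"\n")
    return entry

def verify_manifest(manifest: str) -> tuple:
    """Return (chain_intact, entries verified before the first break). Truncating
    the tail is invisible to the chain itself: anchor the latest line's hash out of band."""
    expected_prev, count = GENESIS, 0
    with open(manifest, "rb") as fh:
        for raw in fh.read().splitlines():
            if json.loads(raw)["prev_entry_sha256"] != expected_prev:
                return False, count
            expected_prev, count = sha256_hex(raw), count + 1
    return True, count

def demo(directory: str = None) -> tuple:  # preserve two constructed artifacts, verify, then tamper
    path = os.path.join(directory or tempfile.mkdtemp(), "evidence-manifest.jsonl")
    preserve_evidence(path, "INC-0001", "auth.log",  # constructed sample log line
                      b"2024-01-01T00:00:00Z auth.fail user=alice ip=192.0.2.10\n", "responder-1")
    preserve_evidence(path, "INC-0001", "vm-snapshot.qcow2", b"\x00" * 1024, "responder-1")
    before = verify_manifest(path)
    with open(path, "r+b") as fh:  # tamper with entry 1 in place (same length, so no shift)
        data = fh.read().replace(b"responder-1", b"responder-9", 1)
        fh.seek(0); fh.write(data)
    return before + verify_manifest(path)  # (True, 2, False, 1)
```

Tail truncation is the one edit the chain cannot see on its own, which is why the latest entry hash should be recorded outside the responders' reach (for example in the incident ticket held by the auditors).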
Review criteria: documented IRP, evidence preservation procedure, most recent incident drill/tabletop record, notification contact list.
## Source References

### Framework Requirements

- EUDI Security Requirements: GEN-7.9.2-01, CS-I.2-Incident
- ISO 27001 Annex A: A.5.24, A.5.25, A.5.26, A.5.27
- GDPR Checklist: Have a process in place to notify the authorities