Incident Management Policy

Document Number: ISMS-POL-INC-01

Classification: L1 — Policy (Domain)

Version: 0.1.0

Effective Date: February 20, 2026

Author: Lucas Shin — Security Director

Approved By: Richard — CISO

Next Review Date: February 2027

Parent Policy: Information Security Policy (ISMS-POL-ISP-01)

1. Purpose

This policy establishes the framework for detecting, reporting, assessing, responding to, and learning from information security incidents across Cybercraft.

It ensures that security events are handled consistently, evidence is preserved, business impact is minimised, and lessons learned are incorporated into continuous improvement of the ISMS.

2. Scope

2.1 Applicable Incidents

This policy covers all information security incidents affecting:

Cybercraft's M365 tenant and Entra ID environment
BYOD devices accessing corporate data
Third-party SaaS tools used for business operations
Client data processed by or on behalf of Cybercraft
CA100 Appliances deployed at client sites (if within ISMS scope)

2.2 Incident Types

Category	Examples
Identity & Access	Compromised credentials, unauthorised access, MFA bypass, suspicious sign-in
Data Breach	Unauthorised data disclosure, accidental sharing, data exfiltration
Malware & Endpoint	Malware detection, device compromise, non-compliance alert
SaaS & Cloud	Unauthorised SaaS account activity, configuration change, service compromise
Physical	CA100 Appliance theft or tampering (if in ISMS scope)
Policy Violation	Intentional or negligent breach of security policies

2.3 Out of Scope

IT service disruptions without security implications (covered by Business Continuity Policy, Business Continuity Policy, ISMS-POL-BCP-01)
Client-side incidents in client-owned infrastructure (reported to client per engagement agreement)

3. Roles and Responsibilities

Role	Person	Responsibilities
CEO	Farah Herbert	Final authority on business impact decisions, external communication approval (client/regulatory notification)
CISO	Richard Williams	Escalation point for Severity 1 incidents, risk acceptance decisions, post-incident review approval
Security Director (Incident Coordinator)	Lucas Shin	Primary incident handler: detection, triage, containment, investigation, evidence collection, reporting, post-incident review
All Personnel	All staff	Report suspected incidents within 24 hours, preserve evidence, cooperate with investigation

4. Incident Classification

4.1 Severity Levels

Severity	Definition	Examples	Response Time
Severity 1 — Critical	Active breach with confirmed data exposure or system compromise	Compromised admin account, confirmed data exfiltration, ransomware	Immediate (within 1 hour)
Severity 2 — High	Confirmed security event with potential data impact	Compromised user account, malware detection on enrolled device, Conditional Access policy bypass	Within 4 hours
Severity 3 — Medium	Security event requiring investigation, no confirmed impact	Suspicious sign-in alert, failed MFA attempts, non-compliant device detected	Within 24 hours
Severity 4 — Low	Minor policy violation or informational event	Accidental file sharing (quickly remediated), minor policy deviation	Within 48 hours

4.2 Escalation Matrix

Severity	Incident Coordinator	CISO Notification	CEO Notification
Severity 1	Immediate	Immediate	Immediate
Severity 2	Immediate	Within 4 hours	As needed
Severity 3	Within 24 hours	Weekly summary	Not required
Severity 4	Within 48 hours	Monthly summary	Not required

5. Incident Lifecycle

🏗️ Incident Response Flow

graph TD
    D["Phase 1\nDetection & Reporting"] --> T["Phase 2\nTriage & Assessment"]
    T --> C["Phase 3\nContainment & Response"]
    C --> I["Phase 4\nInvestigation &\nEvidence Collection"]
    I --> R["Phase 5\nRecovery & Remediation"]
    R --> L["Phase 6\nPost-Incident Review\n(Lessons Learned)"]
    L -->|"Improvement actions"| D

5.1 Phase 1 — Detection & Reporting

Automated detection sources:

Source	Detection Scope
Microsoft Defender for Business	Endpoint threat alerts (malware, suspicious behaviour)
Entra ID Identity Protection	Risky sign-in and risky user alerts
Conditional Access	Policy failure and block events
Intune	Device non-compliance alerts
Microsoft 365 Unified Audit Log (UAL)	Suspicious user and admin activity

Manual reporting:

All personnel must report suspected security events to the Security Director within 24 hours via Teams message or email
Reports should include: what was observed, when, affected systems/data, and any actions already taken

5.2 Phase 2 — Triage & Assessment

Upon receiving a report or alert, the Security Director shall:

Verify the event — confirm whether it is a genuine security incident or a false positive
Classify the severity (per §4.1)
Assess scope — determine affected users, data, and systems
Escalate per the escalation matrix (§4.2)
Document initial assessment in the Incident Register (§7)

5.3 Phase 3 — Containment & Response

Containment actions are proportionate to severity and may include:

Action	Tool / Method	When Applied
Account disable / password reset	Entra ID	Compromised credentials
Selective Wipe	Intune	Device compromise (BYOD)
Revoke active sessions	Entra ID	Suspicious sign-in
Block sign-in	Conditional Access	Risky device/user
SaaS account suspension	Per-app admin console	Third-party service compromise
Isolate device	Defender for Business	Malware detection

BYOD-specific incident response procedures are detailed in Monitoring & Incident Response Procedure.

5.4 Phase 4 — Investigation & Evidence Collection

The Security Director shall:

Collect evidence from relevant sources:
Preserve evidence — export logs with timestamps and store securely in a designated M365 Private Channel (Confidential classification)
Maintain chain of custody — document who accessed evidence, when, and for what purpose
Timeline reconstruction — build a chronological sequence of events from first indicator to detection

5.5 Phase 5 — Recovery & Remediation

Restore affected services and accounts to normal operation
Verify containment effectiveness — confirm the threat is eliminated
Re-enable blocked accounts/devices after verification
Implement immediate compensating controls if root cause cannot be immediately resolved
Communicate resolution to affected parties

6. Post-Incident Review (Lessons Learned)

📝

Every Severity 1 and Severity 2 incident requires a formal Post-Incident Review. Severity 3–4 incidents are reviewed in aggregate during quarterly management reviews.

6.1 Review Process

Step	Action	Timeline	Owner
1	Schedule Post-Incident Review meeting	Within 5 business days of incident closure	Security Director
2	Prepare incident timeline, root cause analysis, and impact summary	Before meeting	Security Director
3	Conduct review with CISO (and CEO for Severity 1)	As scheduled	Security Director + CISO
4	Document lessons learned, root cause, and improvement actions	Within 2 business days of meeting	Security Director
5	CISO approves Post-Incident Review report	Within 5 business days	CISO
6	Track improvement actions to completion	Ongoing	Security Director

6.2 Review Outputs

Each Post-Incident Review shall produce:

Root cause analysis — why the incident occurred
Effectiveness assessment — how well detection and response performed
Gap identification — controls that failed or were absent
Improvement actions — specific, assigned, time-bound corrective actions
Policy/procedure updates — if the incident reveals gaps in existing policies

6.3 Aggregate Review

All incidents (including Severity 3–4) are reviewed in aggregate during quarterly management reviews
Trend analysis: incident types, frequency, response times, recurring root causes
Results feed into the annual risk assessment and ISMS improvement cycle

7. Incident Register

The Security Director shall maintain an Incident Register recording:

Incident ID and date
Reporter and detection source
Description and classification (severity)
Affected assets, users, and data
Containment and response actions taken
Evidence collected and storage location
Root cause and lessons learned (for Severity 1–2)
Improvement actions and status
Closure date

The Incident Register is stored in a Confidential M365 Private Channel accessible only to the Security Director and CISO.

8. External Notification

8.1 Client Notification

If an incident affects client data:

Notify the client within 72 hours of confirming data impact (or as specified by the client engagement agreement, whichever is sooner)
CEO approves all client-facing incident communications
Notification includes: nature of the incident, data affected, actions taken, and contact information

8.2 Regulatory Notification

If a data breach triggers notification obligations under applicable privacy legislation (e.g., NZ Privacy Act 2020), the CEO and CISO determine the notification approach
Legal advice may be sought for significant breaches

8.3 Law Enforcement

Engagement with law enforcement is approved by the CEO on advice from the CISO
Evidence preservation takes priority over investigation speed

9. Compliance Mapping

ISO 27001 Control	Requirement	Covered By
A.5.24	Information security incident management planning and preparation	§3 (Roles), §4 (Classification), §5.1 (Detection sources), §7 (Register)
A.5.25	Assessment and decision on information security events	§4 (Severity classification), §5.2 (Triage & Assessment)
A.5.26	Response to information security incidents	§5.3 (Containment), §5.5 (Recovery)
A.5.27	Learning from information security incidents	§6 (Post-Incident Review — Lessons Learned)
A.5.28	Collection of evidence	§5.4 (Investigation & Evidence Collection)

10. Document Control

Version	Date	Author	Changes
0.1.0	2026-02-20	Lucas Shin	Initial release — incident classification (4 severity levels), lifecycle (6 phases including lessons learned), escalation matrix, evidence collection, post-incident review, incident register, external notification (client/regulatory/law enforcement)

Review Schedule

Quarterly: Incident trend analysis, aggregate review of Severity 3–4 incidents
Annually: Full policy review, process effectiveness assessment
Ad-hoc: After any Severity 1 incident, or upon significant changes to the threat landscape or organisational structure

[End of Policy Document]