
Class: InformationSecurityIncident

An information security incident per A.5.26, requiring response per documented procedures.

URI: iso27001:InformationSecurityIncident

classDiagram
    class InformationSecurityIncident
    click InformationSecurityIncident href "../InformationSecurityIncident/"
    NamedEntity <|-- InformationSecurityIncident
    click NamedEntity href "../NamedEntity/"
    InformationSecurityIncident : affected_assets
    InformationSecurityIncident --> "*" Asset : affected_assets
    click Asset href "../Asset/"
    InformationSecurityIncident : affected_cia
    InformationSecurityIncident : closure_datetime
    InformationSecurityIncident : containment_actions
    InformationSecurityIncident : created_date
    InformationSecurityIncident : description
    InformationSecurityIncident : detection_method
    InformationSecurityIncident : eradication_actions
    InformationSecurityIncident : evidence_collected
    InformationSecurityIncident : id
    InformationSecurityIncident : incident_category
    InformationSecurityIncident : incident_datetime
    InformationSecurityIncident : incident_description
    InformationSecurityIncident : lessons_learned
    InformationSecurityIncident : modified_date
    InformationSecurityIncident : name
    InformationSecurityIncident : notification_required
    InformationSecurityIncident : notifications_made
    InformationSecurityIncident : post_incident_review
    InformationSecurityIncident : recovery_actions
    InformationSecurityIncident : response_actions
    InformationSecurityIncident : root_cause
    InformationSecurityIncident : severity
    InformationSecurityIncident : version

Inheritance

Slots

| Name | Cardinality and Range | Description | Inheritance |
| --- | --- | --- | --- |
| incident_datetime | 0..1 Datetime | Date and time the incident occurred or was detected | direct |
| incident_category | 0..1 String | Category of incident | direct |
| severity | 0..1 String | Severity rating | direct |
| affected_assets | * Asset | Assets affected by this risk or incident | direct |
| affected_cia | * String | CIA properties affected | direct |
| incident_description | 0..1 String | Description of the incident | direct |
| detection_method | 0..1 String | How the incident was detected | direct |
| response_actions | * String | Actions taken in response | direct |
| containment_actions | * String | Actions to contain the incident | direct |
| eradication_actions | * String | Actions to eradicate the cause | direct |
| recovery_actions | * String | Actions to recover normal operations | direct |
| root_cause | 0..1 String | Root cause of the nonconformity | direct |
| lessons_learned | 0..1 String | Lessons learned from the incident | direct |
| evidence_collected | * String | Evidence collected | direct |
| notification_required | 0..1 Boolean | Whether notification to authorities/parties was required | direct |
| notifications_made | * String | Notifications that were made | direct |
| closure_datetime | 0..1 Datetime | Date and time of incident closure | direct |
| post_incident_review | 0..1 String | Post-incident review findings | direct |
| id | 1 Uriorcurie | Unique identifier for this entity instance | NamedEntity |
| name | 1 String | Human-readable name or title | NamedEntity |
| description | 0..1 String | Detailed description of the entity | NamedEntity |
| created_date | 0..1 Date | Date when the entity was created | NamedEntity |
| modified_date | 0..1 Date | Date when the entity was last modified | NamedEntity |
| version | 0..1 String | Version identifier for the entity | NamedEntity |

Usages

| used by | used in | type | used |
| --- | --- | --- | --- |
| InformationSecurityEvent | linked_incident | range | InformationSecurityIncident |

In Subsets

Comments

  • Captures response lifecycle, evidence references, and lessons learned
  • Reference: ISO/IEC 27001:2022 Annex A control 5.26; ISO/IEC 27002:2022 Clause 5.26. ISO/IEC standards text is copyright ISO - not reproduced here.

Identifier and Mapping Information

Annotations

| property | value |
| --- | --- |
| annex_a_control | 5.26 |

Schema Source

  • from schema: https://w3id.org/lmodel/iso27001

Mappings

| Mapping Type | Mapped Value |
| --- | --- |
| self | iso27001:InformationSecurityIncident |
| native | iso27001:InformationSecurityIncident |

LinkML Source

Direct

name: InformationSecurityIncident
annotations:
  annex_a_control:
    tag: annex_a_control
    value: '5.26'
description: An information security incident per A.5.26, requiring response per documented
  procedures.
comments:
- Captures response lifecycle, evidence references, and lessons learned
- 'Reference: ISO/IEC 27001:2022 Annex A control 5.26; ISO/IEC 27002:2022 Clause 5.26.
  ISO/IEC standards text is copyright ISO - not reproduced here.'
in_subset:
- annex_a_controls
from_schema: https://w3id.org/lmodel/iso27001
is_a: NamedEntity
slots:
- incident_datetime
- incident_category
- severity
- affected_assets
- affected_cia
- incident_description
- detection_method
- response_actions
- containment_actions
- eradication_actions
- recovery_actions
- root_cause
- lessons_learned
- evidence_collected
- notification_required
- notifications_made
- closure_datetime
- post_incident_review

Induced

name: InformationSecurityIncident
annotations:
  annex_a_control:
    tag: annex_a_control
    value: '5.26'
description: An information security incident per A.5.26, requiring response per documented
  procedures.
comments:
- Captures response lifecycle, evidence references, and lessons learned
- 'Reference: ISO/IEC 27001:2022 Annex A control 5.26; ISO/IEC 27002:2022 Clause 5.26.
  ISO/IEC standards text is copyright ISO - not reproduced here.'
in_subset:
- annex_a_controls
from_schema: https://w3id.org/lmodel/iso27001
is_a: NamedEntity
attributes:
  incident_datetime:
    name: incident_datetime
    description: Date and time the incident occurred or was detected.
    from_schema: https://w3id.org/lmodel/iso27001
    rank: 1000
    alias: incident_datetime
    owner: InformationSecurityIncident
    domain_of:
    - InformationSecurityIncident
    range: datetime
  incident_category:
    name: incident_category
    description: Category of incident.
    from_schema: https://w3id.org/lmodel/iso27001
    rank: 1000
    alias: incident_category
    owner: InformationSecurityIncident
    domain_of:
    - InformationSecurityIncident
    range: string
  severity:
    name: severity
    description: Severity rating.
    from_schema: https://w3id.org/lmodel/iso27001
    rank: 1000
    alias: severity
    owner: InformationSecurityIncident
    domain_of:
    - InformationSecurityIncident
    range: string
  affected_assets:
    name: affected_assets
    description: Assets affected by this risk or incident.
    from_schema: https://w3id.org/lmodel/iso27001
    rank: 1000
    alias: affected_assets
    owner: InformationSecurityIncident
    domain_of:
    - Risk
    - InformationSecurityEvent
    - InformationSecurityIncident
    range: Asset
    multivalued: true
  affected_cia:
    name: affected_cia
    description: CIA properties affected.
    from_schema: https://w3id.org/lmodel/iso27001
    rank: 1000
    alias: affected_cia
    owner: InformationSecurityIncident
    domain_of:
    - InformationSecurityIncident
    range: string
    multivalued: true
  incident_description:
    name: incident_description
    description: Description of the incident.
    from_schema: https://w3id.org/lmodel/iso27001
    rank: 1000
    alias: incident_description
    owner: InformationSecurityIncident
    domain_of:
    - InformationSecurityIncident
    range: string
  detection_method:
    name: detection_method
    description: How the incident was detected.
    from_schema: https://w3id.org/lmodel/iso27001
    rank: 1000
    alias: detection_method
    owner: InformationSecurityIncident
    domain_of:
    - InformationSecurityIncident
    range: string
  response_actions:
    name: response_actions
    description: Actions taken in response.
    from_schema: https://w3id.org/lmodel/iso27001
    rank: 1000
    alias: response_actions
    owner: InformationSecurityIncident
    domain_of:
    - InformationSecurityIncident
    range: string
    multivalued: true
  containment_actions:
    name: containment_actions
    description: Actions to contain the incident.
    from_schema: https://w3id.org/lmodel/iso27001
    rank: 1000
    alias: containment_actions
    owner: InformationSecurityIncident
    domain_of:
    - InformationSecurityIncident
    range: string
    multivalued: true
  eradication_actions:
    name: eradication_actions
    description: Actions to eradicate the cause.
    from_schema: https://w3id.org/lmodel/iso27001
    rank: 1000
    alias: eradication_actions
    owner: InformationSecurityIncident
    domain_of:
    - InformationSecurityIncident
    range: string
    multivalued: true
  recovery_actions:
    name: recovery_actions
    description: Actions to recover normal operations.
    from_schema: https://w3id.org/lmodel/iso27001
    rank: 1000
    alias: recovery_actions
    owner: InformationSecurityIncident
    domain_of:
    - InformationSecurityIncident
    range: string
    multivalued: true
  root_cause:
    name: root_cause
    annotations:
      iso27001_clause:
        tag: iso27001_clause
        value: 10.2 b) 2)
    description: Root cause of the nonconformity.
    from_schema: https://w3id.org/lmodel/iso27001
    rank: 1000
    alias: root_cause
    owner: InformationSecurityIncident
    domain_of:
    - Nonconformity
    - InformationSecurityIncident
    range: string
  lessons_learned:
    name: lessons_learned
    annotations:
      annex_a_control:
        tag: annex_a_control
        value: '5.27'
    description: Lessons learned from the incident.
    from_schema: https://w3id.org/lmodel/iso27001
    rank: 1000
    alias: lessons_learned
    owner: InformationSecurityIncident
    domain_of:
    - InformationSecurityIncident
    range: string
  evidence_collected:
    name: evidence_collected
    annotations:
      annex_a_control:
        tag: annex_a_control
        value: '5.28'
    description: Evidence collected.
    from_schema: https://w3id.org/lmodel/iso27001
    rank: 1000
    alias: evidence_collected
    owner: InformationSecurityIncident
    domain_of:
    - InformationSecurityIncident
    range: string
    multivalued: true
  notification_required:
    name: notification_required
    description: Whether notification to authorities/parties was required.
    from_schema: https://w3id.org/lmodel/iso27001
    rank: 1000
    alias: notification_required
    owner: InformationSecurityIncident
    domain_of:
    - InformationSecurityIncident
    range: boolean
  notifications_made:
    name: notifications_made
    description: Notifications that were made.
    from_schema: https://w3id.org/lmodel/iso27001
    rank: 1000
    alias: notifications_made
    owner: InformationSecurityIncident
    domain_of:
    - InformationSecurityIncident
    range: string
    multivalued: true
  closure_datetime:
    name: closure_datetime
    description: Date and time of incident closure.
    from_schema: https://w3id.org/lmodel/iso27001
    rank: 1000
    alias: closure_datetime
    owner: InformationSecurityIncident
    domain_of:
    - InformationSecurityIncident
    range: datetime
  post_incident_review:
    name: post_incident_review
    description: Post-incident review findings.
    from_schema: https://w3id.org/lmodel/iso27001
    rank: 1000
    alias: post_incident_review
    owner: InformationSecurityIncident
    domain_of:
    - InformationSecurityIncident
    range: string
  id:
    name: id
    description: Unique identifier for this entity instance.
    comments:
    - Should use consistent URI/CURIE format across the dataset
    examples:
    - value: iso27001:risk-001
    - value: iso27001:control-5.1
    from_schema: https://w3id.org/lmodel/iso27001
    rank: 1000
    identifier: true
    alias: id
    owner: InformationSecurityIncident
    domain_of:
    - NamedEntity
    range: uriorcurie
    required: true
  name:
    name: name
    description: Human-readable name or title.
    from_schema: https://w3id.org/lmodel/iso27001
    rank: 1000
    alias: name
    owner: InformationSecurityIncident
    domain_of:
    - NamedEntity
    range: string
    required: true
  description:
    name: description
    description: Detailed description of the entity.
    comments:
    - Should provide sufficient detail for understanding without external reference
    from_schema: https://w3id.org/lmodel/iso27001
    rank: 1000
    alias: description
    owner: InformationSecurityIncident
    domain_of:
    - NamedEntity
    range: string
  created_date:
    name: created_date
    description: Date when the entity was created.
    from_schema: https://w3id.org/lmodel/iso27001
    rank: 1000
    alias: created_date
    owner: InformationSecurityIncident
    domain_of:
    - NamedEntity
    range: date
  modified_date:
    name: modified_date
    description: Date when the entity was last modified.
    from_schema: https://w3id.org/lmodel/iso27001
    rank: 1000
    alias: modified_date
    owner: InformationSecurityIncident
    domain_of:
    - NamedEntity
    range: date
  version:
    name: version
    description: Version identifier for the entity.
    comments:
    - Supports document control requirements per 7.5.3 e)
    examples:
    - value: '1.0'
    - value: 2.3.1
    from_schema: https://w3id.org/lmodel/iso27001
    rank: 1000
    alias: version
    owner: InformationSecurityIncident
    domain_of:
    - NamedEntity
    range: string