ISO/IEC 27001 Control 5.27: Learning from information security incidents

Knowledge gained from information security incidents should be used to strengthen and improve the information security controls.

MidPoint is optional for implementation of this control.

Implementation of this control without midPoint is feasible. However, midPoint provides considerable advantages for implementation of this control, making the implementation more efficient and reliable.

MidPoint can provide essential information for ex-post investigation and processing of incidents, covering both the actions of attackers and responders.

MidPoint records all operations in audit trail, including actions of the attackers and responders. This information can be used to learn about the incident, as well as evaluate the steps taken to respond to incident. Reporting capabilities and assignment metadata can provide essential information about affected identities, as well as provide insights and estimates about vulnerable identities that could be affected in similar incidents in the future. Synchronization capability can be used to discover discrepancies between the policy and reality, discovering illegal accounts and privileges that were either created by attacker, or that are leftovers from incident response. Such information provides important insights to the modus operandi of an attacker, and it manifests flaws in response plans (e.g. missing clean-up instructions). Simulation capability can be used to preview the effects of changes that an attacker would make, estimating their effects on access control. Simulation can also be used to predict and validate proposed changes to policies, to reflect the post-incident knowledge.