Security & Compliance

< Back to Article List

IS-05 Incident Management Procedure

Last updated: 24 October 2024 at 11:44:36 UTC by Russell Briggs

Incident Management Procedure

 

 

 

Document Ref No

IS-0

Version No

V1

Last review date

16/10/2021

Approved by

Dom Tyler

Next review

16/10/2022

 

 

 


 

Contents

Purpose, scope and users                                                                                                2

Incident management                                                                                                        3

Receipt and classification of incidents, events, weaknesses and non-conformities   3

Treating Security Incidents                                                                                       3

Collection of evidence                                                                                              4

Learning from incidents                                                                                             4

Personal data breach notification                                                                                 4

Notifying data controllers                                                                                       4

Notifying data subjects                                                                                             4

Notifying supervisory authority                                                                                5

Document management                                                                                                     5

Version history                                                                                                                5

 

 

 

 


1.    Purpose, scope and users

The purpose of this document is to ensure the effective handling and quick response to security events, weaknesses and non-conformities.

This document is applied to the entire Information Security Management System (ISMS) scope including Data Protection policies, i.e. to all employees and assets used within the ISMS scope, as well as to suppliers and other persons outside the organisation who come into contact with systems and information within the ISMS scope.

Users of this document are all employees of Recycly , as well as all above mentioned persons.

 

2.    Incident management

An information security incident is a "single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security or business continuity" (ISO/IEC 27000).

2.1.         Receipt and classification of incidents, events, weaknesses and non-conformities

Each employee, supplier or other third party who is in contact with information and/or systems of Recycly must report any system events, weaknesses and non-conformities which could lead to a possible incident in the following way:

       Incidents, weaknesses and events must be reported to Mark Hutchinson and logged as a security incident in the Incident Log. A description of the incident as well as any corrective/preventive actions should be recorded.

 

2.2.         Treating Security Incidents

If a security incident was reported, the person most appropriate to deal with the issue should be identified and detailed in the incident log as the incident owner. The incident owner should take the following steps.

1. Take measures to contain the incident

2. Analyse the cause of the incident

3. Take corrective actions to eliminate the cause of the incident

4. Inform persons who were involved in the incident about the incident treatment process

5. Record the resolution steps and outcome in the incident log

 

2.3.         Collection of evidence

During investigations, care must be taken to preserve evidence that may help to establish the origin of technical incidents and/or be used as evidence in legal and other proceedings.

 

2.4.         Learning from incidents

Recycly must review a sample of minor incidents at least annually and must analyse recorded incidents in advance of Management Review meetings and identify causes and trends and, if necessary, suggest corrective actions.

 

3.    Personal data breach notification

In the event of a personal data breach, Recycly may be required to notify the Data Controller, Data Subjects and the Supervisory Authority.

3.1.         Notifying data controllers

When a personal data breach or suspected data breach affects personal data that is being processed on behalf of a third party, Recycly must report any personal data breach to the respective data controller/controllers without undue delay.

The Incident Owner will send notification to the controller that will include the following:

       A description of the nature of the breach

       Categories of personal data affected

       Approximate number of data subjects affected

       Name and contact details of the Incident Owner

       Potential consequences of the personal data breach

       Measures taken to address the personal data breach

       Any additional information relating to the data breach

3.2.         Notifying data subjects

The Board of Directors/Senior Management Team must assess if the personal data breach is likely to result in high risk to the rights and freedoms of the data subjects. If yes, the Incident Owner must notify without undue delay the affected data subjects.

The Notification to the data subjects must be written in clear and plain language and must contain the same information listed in Section 3.1.

If, due to the number of affected data subjects, it is disproportionately difficult to notify each affected data subject, the Incident Owner must take the necessary measures to ensure that the affected data subjects are notified by using appropriate, publicly available channels (i.e.

3.3.         Notifying supervisory authority

When the personal data breach or suspected data breach affects personal data that is being processed by Recycly as a data controller, the Incident Owner must: -

       Establish whether the personal data breach should be reported to the relevant Supervisory Authority.

       Carry out a Data Protection Impact Assessment on the processing activity affected by the data breach.

If the personal data breach is not likely to result in a risk to the rights and freedoms of the affected data subjects, no notification is required. However, the data breach should be recorded in the Incident Log.

If the personal data breach is likely to result in a risk to the rights and freedoms of the data subjects affected by the personal data breach, the Supervisory Authority must be notified without undue delay and no later than 72 hours of Recycly becoming aware of the breach. Any possible reasons for delay beyond 72 hours must be communicated to the Supervisory Authority.

The notification to the Supervisory Authority must contain the same information listed in Section 3.1.

 

4.    Document management

This policy shall be available to all Recycly Employees and any Third Parties where required. The policy must be reviewed and, if necessary, updated at least once a year. Notice of significant revisions shall be provided to Recycly Employees via email.

 

 

5.    Version history

Summary of Change

Date of Change

Author

Version No

First Draft

16/10/2021

Dom Tyler

1