ISO/IEC 27035 — Incident Management
ISO/IEC 27035 — Incident Management — 75% covered.
4 requirements · 3 enforced · 0 designed · 0 advisory · 0 deferred.
Source: ISO/IEC 27035 specifies a structured approach to information-security incident management — planning, detection and reporting, assessment and decision, responses, and lessons learned — including the careful handling and preservation of incident evidence. KYE Protocol™ governs whether an AI-assisted incident decision under ISO/IEC 27035 may PROCEED to a consequential action — under a named accountable officer's authority, with incident-evidence chain-of-custody recorded, the assessment pinned to verifiable signal sources, and a contestability record for the lessons-learned reconstruction. KYE does not detect the incident, run the response tooling, or perform forensics.
License: ISO/IEC 27035 is an ISO/IEC international standard; KYE registry paraphrases each clause's intent and cites the standard identifier for mapping purposes only. The standard text itself is copyright ISO/IEC and is not reproduced.
By category
| Category | Reqs | Enforced | Designed | Advisory | Deferred | Coverage |
|---|---|---|---|---|---|---|
| Incident-evidence chain-of-custody (evidence handling) | 1 | 1 | 0 | 0 | 0 | 100% |
| Named-authority on the assessment-and-decision response | 1 | 1 | 0 | 0 | 0 | 100% |
| Contestability & lessons-learned reconstruction | 1 | 1 | 0 | 0 | 0 | 100% |
| Detection, response tooling & forensic analysis | 1 | 0 | 0 | 0 | 0 | 0% |
Every requirement → the KYE™ artefact that enforces it
| ID | Title | Status | KYE™ enforcement |
|---|---|---|---|
| iso-27035.evidence-chain-of-custody | Incident evidence proceeds only with a recorded chain-of-custody (evidence handling) | enforced | audit_events: kye.evidence.decision_map.v1, kye.evidence.pack.v1; engines: internal; rule_packs: kye:rule-pack:cyber-resilience-incident; dictionaries: internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| iso-27035.assessment-decision-authority | The assessment-and-decision response proceeds only under a recorded named-authority decision, with the assessment source-pinned | enforced | audit_events: kye.purpose.request.v1, kye.purpose.admissibility.v1, kye.evidence.tool_call.v1; engines: internal, internal; rule_packs: kye:rule-pack:cyber-resilience-incident; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| iso-27035.lessons-learned-reconstruction | Contestability & lessons-learned reconstruction of the incident decision | enforced | audit_events: kye.evidence.pack.v1, kye.replay.context_seal.v1, kye.replay.proof.v1; engines: internal, internal; rule_packs: kye:rule-pack:cyber-resilience-incident; constitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/21-DELEGATED-AUDITABILITY.md |
| iso-27035.detection-response-forensics | Detection, response tooling, and forensic analysis | out-of-scope | (no enforcement cited) |