Organisational | Preventive | Detective | Detect | Respond | High Priority

A.5.24 Information Security Incident Management Planning and Preparation

M365 Admin Path: Microsoft Sentinel > Automation > Playbooks

Evidence Source: Microsoft Sentinel

What is A.5.24 Information Security Incident Management Planning and Preparation?

ISO 27001 control A.5.24 Information Security Incident Management Planning and Preparation establishes a formal, documented incident response plan with a defined Cyber Security Incident Response Team (CSIRT) and clear roles, responsibilities, and communication channels. The organisation uses Microsoft Sentinel as its SIEM/SOAR platform to manage the incident lifecycle, covering the preparation, detection, response, and learning phases, with tabletop exercises held at least annually.

How to implement A.5.24 in Microsoft 365

Implement A.5.24 by documenting a formal IR plan

Implement A.5.24 by documenting a formal IR plan in the SharePoint ISMS Documentation Library defining CSIRT roles, responsibilities, and phases for Preparation, Detection, Containment, and Learning. Create a CSIRT Charter document with defined members, contact information, and role descriptions.

Implement Microsoft Sentinel as the central SIEM/SOAR platform

Implement Microsoft Sentinel as the central SIEM/SOAR platform for automated alert generation. Configure helpdesk system integration with Sentinel to auto-create incidents from alerts.

Establish a manual reporting channel in the helpdesk

Establish a manual reporting channel in the helpdesk for user-reported security events per A.6.8. Schedule and conduct annual tabletop IR exercises and document after-action reports.

What an auditor checks for A.5.24

  • Auditors will verify that a CISO-approved IR plan document exists in its current version and defines incident phases and CSIRT structure.
  • They will check the CSIRT Charter documenting member names, roles, contact details, and escalation procedures.
  • Auditors will verify evidence that Sentinel-to-Helpdesk automation is configured and operational.
  • They will review documentation of annual tabletop exercise completion, with a dated after-action report showing scenario, findings, and lessons learned.
  • Auditors will check proof of personnel training on incident reporting procedures.

M365 capabilities that implement this control

Incident Response Planning Endpoint

IR plan documentation, playbook inventory, RACI matrices, communication templates, and tabletop exercises