Which are the phases of the ISO 27035-1 process for handling security incidents?

Prepare for the ISACA Advanced in AI Security Management (AAISM) Test. Study with in-depth multiple choice questions, each offering insightful hints and detailed explanations. Equip yourself with expert knowledge and get exam-ready!

Multiple Choice

Which are the phases of the ISO 27035-1 process for handling security incidents?

Explanation:
ISO 27035-1 treats incident handling as a full lifecycle that starts before any incident and ends with improvements to prevent similar events.

The phases are Prepare, Identify and report, Assess, Respond, and Lessons learned. Prepare sets up the incident response capability (roles, governance, processes, training, and tools) so the team can act quickly and effectively. Identify and report is about recognizing incidents promptly, logging them with essential details, and escalating to the right people so they're managed in a timely way. Assess involves understanding the incident's scope, impact, and severity, and deciding on the appropriate actions and escalation. Respond covers the actual containment, eradication, recovery, and coordination to restore operations while preserving evidence for lessons learned. Finally, Lessons learned is the post-incident review that captures root causes and outcomes, feeding updates to plans, controls, and training to improve future readiness.

This sequence emphasizes preparation and continual improvement, which the other options don't fully provide: one reflects a containment-focused flow, another is generic project work steps, and another lacks essential incident-management elements.

