Incident Response Frameworks: NIST SP 800-61, SANS PICERL and ISO/IEC 27035

Three frameworks dominate the incident response market: NIST SP 800-61, published by the National Institute of Standards and Technology; the PICERL model from the SANS Institute; and the ISO/IEC 27035 standard. All three describe the same fundamental cycle — prepare, detect, contain, eradicate, recover and learn — but with different emphases, granularity and audiences. Understanding the differences between them is the first step toward building an IR program that works in practice.

NIST SP 800-61: the reference technical guide

NIST Special Publication 800-61 Revision 2 (Computer Security Incident Handling Guide) is the most influential technical publication in the incident response field. Published by NIST in 2012, the document is publicly available and serves as the basis for IR programs in U.S. federal agencies and in private organizations around the world.

NIST SP 800-61 structures the IR cycle into four phases:

  1. Preparation: establishing policies, tools, communication, team training and relationships with external parties before any incident occurs.
  2. Detection and Analysis: identifying indicators of compromise, triaging alerts, classifying severity and technically analyzing the incident — including forensic evidence preservation.
  3. Containment, Eradication and Recovery: the three activities are grouped into a single iterative phase because, in practice, they overlap. Containment halts the attack's advance; eradication removes the malicious artifact or unauthorized access; recovery restores systems to a safe operational state.
  4. Post-Incident Activity: gathering lessons learned, updating controls, generating metrics and communicating with stakeholders.

The distinctive feature of NIST SP 800-61 is its technical depth. The document provides guidance on how to analyze log files, how to handle malware versus DoS versus insider-threat incidents, and how to preserve evidence for legal purposes. It is the operational reference for SOC analysts and CSIRT teams.

SANS PICERL: operational granularity

The SANS Institute's PICERL model breaks the IR cycle into six phases with distinct names, turning each step into a verifiable checkpoint:

  1. Preparation: equivalent to NIST's initial phase — plans, tools, training and communication.
  2. Identification: a phase unique to SANS that explicitly separates the moment when the team confirms an event is in fact a security incident, distinguishing false positives from real incidents before activating containment resources.
  3. Containment: immediate actions to limit impact — isolating endpoints, blocking accounts, segmenting the network.
  4. Eradication: removing the root cause — malware, backdoors, compromised accounts, exploited vulnerabilities.
  5. Recovery: safely restoring affected systems, validating integrity and returning to normal operation.
  6. Lessons Learned: formally reviewing the incident, updating runbooks and communicating improvements.

Separating Containment, Eradication and Recovery makes PICERL more intuitive as an operational checklist. On-call analysts can clearly mark off each phase, which makes it easier to communicate real-time status to managers and clients.

ISO/IEC 27035: governance and international compliance

The ISO/IEC 27035 standard (Information technology — Information security incident management) is published by the International Organization for Standardization and defines requirements and guidelines for managing information security incidents. The standard is divided into three parts: principles (Part 1), guidelines for planning and preparation (Part 2), and guidelines for incident response in information and communication technology (Part 3).

The operational cycle of ISO 27035 comprises five phases:

  1. Plan and Prepare: incident management policy, definition of roles and responsibilities, integration with the ISO 27001 ISMS, classification criteria and reporting channels.
  2. Detection and Reporting: identifying events, collecting initial information and formally reporting to the designated point of contact.
  3. Assessment and Decision: triaging the event to confirm whether it is an incident, assessing potential impact and deciding the course of action — including the possibility of escalating to crisis management.
  4. Responses: executing containment, eradication and recovery actions, including communication with internal and external stakeholders, regulatory authorities and clients where applicable.
  5. Lessons Learned and Improvement: root-cause analysis, updating ISMS controls, reviewing the incident policy and reporting to senior management.

ISO 27035 is referenced directly by controls A.5.24 through A.5.28 of ISO 27001:2022. Organizations seeking or maintaining ISO 27001 certification must demonstrate conformity with these guidelines during external audits.

Phase comparison table

Phase mapping across NIST SP 800-61, SANS PICERL and ISO/IEC 27035
NIST SP 800-61 SANS PICERL ISO/IEC 27035
Preparation Preparation Plan and Prepare
Detection and Analysis Identification Detection and Reporting
Detection and Analysis Identification Assessment and Decision
Containment, Eradication and Recovery Containment Responses
Containment, Eradication and Recovery Eradication Responses
Containment, Eradication and Recovery Recovery Responses
Post-Incident Activity Lessons Learned Lessons Learned and Improvement

Structural similarities

The three frameworks converge on fundamental points. All recognize that preparation precedes any operational activity and that the quality of the response depends directly on the investment made before an incident occurs. All close the cycle with a learning phase that must feed back into preparation — creating a loop of continuous improvement. And all recognize that preserving evidence, communicating with stakeholders and documenting throughout the process are as important as the technical containment actions.

Another point of convergence is the distinction between event and incident. All three frameworks establish that not every security alert constitutes an incident and that careful triage is essential to avoid alert fatigue and the waste of response resources.

Practical differences and when to use each one

NIST SP 800-61 is the best choice when the primary need is technical depth. SOC teams, CSIRTs and digital forensics analysts find in it detailed guidance on malware analysis, evidence preservation, log correlation and communication with authorities. It is the reference framework for organizations in the technology, financial and defense sectors that need robust operational procedures.

SANS PICERL shines as an operational communication tool. Its six phases are memorable, easily turned into checklists and allow analysts of different levels to share the same vocabulary during an active incident. It is ideal as a structure for internal runbooks and as a model for training and tabletop exercises.

ISO/IEC 27035 is indispensable for organizations that operate under international compliance requirements, especially those that maintain ISO 27001 certification or that need to demonstrate incident governance to external auditors, regulators or European corporate clients. Its management-oriented language and its alignment with the ISMS make it the natural choice for CISOs and risk managers.

Integration with the NIST Cybersecurity Framework

The NIST Cybersecurity Framework (CSF) 2.0 organizes cybersecurity capabilities into six functions: Govern, Identify, Protect, Detect, Respond and Recover. The CSF's Respond and Recover functions map directly to the operational core of the three IR frameworks.

In the Respond function, the CSF describes categories such as Incident Management, Incident Analysis and Incident Mitigation — each implemented by the detection, containment and eradication phases of NIST SP 800-61 and SANS PICERL, and by the reporting and decision requirements of ISO 27035. In the Recover function, the Incident Recovery Plan Execution capabilities are operationalized by the recovery and lessons-learned phases of the three frameworks.

Using the CSF as a strategic layer and the three IR frameworks as an operational layer is the approach adopted by mature security programs. The CSF communicates maturity to the board and to regulators; SP 800-61, SANS PICERL and ISO 27035 guide the day-to-day technical work.

How to map between the three frameworks

Cross-mapping between NIST, SANS and ISO 27035 is straightforward when you start from the most granular structure (SANS PICERL, with 6 phases) and identify the equivalents in the other two. The SANS Identification phase corresponds to the second half of NIST's Detection and Analysis phase and to the ISO 27035 pair Detection and Reporting + Assessment and Decision. The three operational SANS phases (Containment, Eradication, Recovery) correspond to the grouped NIST phase and to the ISO 27035 Responses phase.

In practice, the recommendation for IR programs under construction is to use ISO 27035 to structure the policy and roles, NIST SP 800-61 to write the technical runbooks by incident type, and SANS PICERL as an execution checklist that analysts follow during an active incident. This way, each framework fulfills the role it was designed for without unnecessary redundancy.

Frequently asked questions

What is the main difference between NIST SP 800-61 and SANS PICERL?

NIST SP 800-61 groups containment, eradication and recovery into a single iterative phase, recognizing that these activities occur in overlapping cycles. SANS PICERL separates them into three distinct phases and adds “Identification” as an explicit step before containment, making the model more granular for teams that need formal checkpoints between each operational action.

Does ISO/IEC 27035 replace NIST SP 800-61?

No. The two frameworks have complementary scopes. ISO/IEC 27035 is an international standard focused on the governance and management of information security programs, with an emphasis on policy, roles and integration with the ISMS (ISO 27001). NIST SP 800-61 is a technical-operational guide aimed at response teams, with detailed guidance on detection, malware analysis and evidence preservation.

How does the NIST CSF relate to these IR frameworks?

The NIST Cybersecurity Framework (CSF) organizes security capabilities into six functions: Govern, Identify, Protect, Detect, Respond and Recover. The CSF's Respond and Recover functions map directly to the IR cycles of NIST SP 800-61, SANS PICERL and ISO 27035. In practical terms, the CSF defines the “what” at the strategic level; SP 800-61 and SANS define the “how” at the operational level.

Which framework is most suitable for companies that need certification?

Organizations seeking ISO 27001 certification should structure their IR program based on ISO/IEC 27035, since it is referenced directly by Annex A of ISO 27001 (controls A.5.24–A.5.28 in the 2022 version). Companies with no certification obligation, especially in the technology and financial sectors, tend to adopt NIST SP 800-61 for its technical depth and free availability.

Is it possible to use all three frameworks at the same time?

Yes, and it is the approach adopted by mature IR programs. ISO 27035 structures the governance and policy; NIST SP 800-61 provides the technical procedures for analysis and containment; and SANS PICERL serves as the operational checklist for analysts during an active incident. The three frameworks converge on the fundamental phases and complement each other without contradiction.

How many phases does each framework have, and what are the correct names?

NIST SP 800-61 has 4 phases: Preparation; Detection and Analysis; Containment, Eradication and Recovery; Post-Incident Activity. SANS PICERL has 6 phases: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned. ISO/IEC 27035 has 5 phases: Plan and Prepare; Detection and Reporting; Assessment and Decision; Responses; Lessons Learned and Improvement.

References

  • NIST SP 800-61 Rev. 2 — Computer Security Incident Handling Guide. National Institute of Standards and Technology, 2012. Available at: nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
  • NIST Cybersecurity Framework 2.0. National Institute of Standards and Technology, 2024. Available at: nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf
  • SANS Institute — Incident Handler’s Handbook. Patrick Kral, SANS Reading Room, 2011. Available at: sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
  • ISO/IEC 27035-1:2023 — Information technology — Information security incident management — Part 1: Principles and process. International Organization for Standardization.
  • ISO/IEC 27001:2022 — Information security, cybersecurity and privacy protection — Information security management systems — Requirements. Controls A.5.24–A.5.28.

How Decripte applies these frameworks

Decripte structures incident response programs for organizations of 1 to more than 100,000 employees, using the three frameworks in an integrated way. Program governance is built on ISO/IEC 27035 and aligned with the controls of ISO 27001:2022. The technical runbooks follow NIST SP 800-61, covering the highest-incidence vectors in the Brazilian market: ransomware, credential compromise, data leaks and attacks on web applications. SOC analysts operate with checklists based on SANS PICERL, ensuring traceability of every phase during active incidents.

The result is an IR program that works for startups formalizing the process for the first time and for corporations that need to demonstrate compliance to external auditors, sector regulators such as the Central Bank and the ANPD, and clients with security requirements.

To structure or review your organization's incident response program, access the free threat management plan or explore Decripte's incident response plans.