Choose an Analysis Approach

This incident is a good example of why GRC work must connect technical reality to control intent. Below are two ways to study the same breach, depending on the lens you want to use.

Approach 1 — Bottom-Up (Post-Incident Findings → Issues → Missed Controls)

Start from the forensic facts (what happened), identify the underlying issues (why it happened), then map each issue to the missing control mechanisms and governance decisions (what should have existed). This is the practitioner's lens — findings-led, remediation-focused.

Tags: Findings-led, Control Gaps, Remediation Plan
Approach 2 — Top-Down (ISO 27001 Controls → Events Mapping)

Start from ISO/IEC 27001 Annex A domains and map the incident events against each control intent. This approach is strong for audit-readiness, control ownership, and program-level remediation alignment.

Tags: ISO 27001, Control Mapping, Evidence-Ready
Note

Both approaches converge on the same root reality — UI masking does not protect data. Protection must exist before transmission, and excessive retention amplifies breach impact.