
The Ultimate Guide to ISO 27001 Annex A 6.8: Information Security Event Reporting

Last updated Sep 12, 2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

ISO 27001 Information Security Event Reporting is the requirement for organisations to provide a way for people to report observed or suspected information security events in a timely manner. It is also known as ISO27001:2022 Annex A 6.8 Information Security Event Reporting.

Key Takeaways

  • The easiest mechanism for reporting information security incidents is via email or an online form
  • Incidents should be reported as soon as they are observed or suspected
  • People need to be educated on how to report incidents

Benefits of implementing Information Security Event Reporting

The benefits of implementing ISO 27001 Information Security Event Reporting include:

  • Reducing the risk of data breaches by catching events early
  • Reduced cost of incidents by catching and managing events early
  • Mitigating legal liability by acting and responding
  • You cannot get ISO 27001 certification without it
  • Protection of confidential information
  • Building trust with employees and third parties
  • Reputation Protection

Watch the Video

In the video ISO 27001 Information Security Event Reporting Explained – ISO27001:2022 Annex A 6.8, I show you how to implement it and how to pass the audit.

How to implement ISO 27001 Information Security Event Reporting

You are going to have to:

  • implement a process for reporting information security events
  • educate people on how to report events
  • assign responsibility for managing information security events
  • educate people on who to report events to

Reporting Mechanisms

How should security events be reported?

The process for reporting incidents and events can take many forms, and you may choose one, some or all of them. Examples of appropriate channels include reporting via:

  • email
  • an online form
  • a telephone number
  • messenger / chat

Reporting Timeframe

How quickly should you report suspected or actual events?

People should report suspected or actual information security events as soon as possible, at the first opportunity. Significantly, some laws and regulations, such as the GDPR, set very specific timelines for reporting and for what needs to happen, so the guidance is to tell people to report as soon as they can. This includes out of hours and at weekends.

Event Reporting

Who are security events reported to?

Internal Reporting

Typically, incidents will get reported to the information security manager. In a larger or more mature organisation, the first port of call is usually a unified help desk or support function that acts as the coordinator and gatekeeper and then allocates the ticket to the information security manager.

The roles involved in reporting include:

  • IT Service Desk: the central point for incident reporting and management
  • Chief Information Security Officer (CISO): oversees incidents and incident response
  • Information Security Manager: manages security incidents and is usually the first point of contact
  • Legal: manages any legal implications of security incidents

External Reporting

External reporting is done under the guidance and direction of the legal department or representative and often includes:

  • Law enforcement
  • Regulators
  • Customers
  • Suppliers

Event Definition

What types of events should be reported?

The guidance should be that if in doubt, report it. It is better to err on the side of caution. That said, the kinds of information security events that should be reported include, but are not limited to:

  • Actual or suspected data breach
  • Information Security Controls that are not working
  • Loss of device
  • Emailing the wrong person
  • Physical security breach
  • Virus infection
  • Malware infection
  • Systems not working as intended
  • Ransomware
  • Phishing email / clicking a link

Event Investigation

Who is responsible for investigating security events?

The responsibility for investigating security events will depend on the organisation’s specific structure and processes. However, it is typically assigned to a designated security team or individual.

How to pass the audit

To comply with ISO 27001 Annex A 6.8 and pass the audit, you are going to implement the ‘how’ to the ‘what’ that the control is expecting. You are going to:

  • Implement your information security event reporting process
  • Have the process approved by management
  • Assign ownership of the process to a competent resource
  • Tell people about the process
  • Include different channels for people to be able to report events
  • Plan to review your process at least annually or if significant changes occur
  • Keep records of your reported events

What the auditor will check

The audit is going to check a number of areas for compliance with ISO 27001 Annex A 6.8. Let's go through them.

1. That you have documented your process for event reporting

What this means is that you will have a document that sets out what the process for event reporting is and includes the roles and responsibilities that are involved. It will cover the different ways in which events can be reported, taking into account the culture and set-up of the organisation. It will set out what needs doing and what will be done.

2. That you have allocated your roles and responsibilities

For the roles and responsibilities that you have defined and documented, you are going to allocate people to them to do the work. Has each defined role been allocated to someone, and can you say who if asked? In addition, the audit will check that those people are competent to perform the roles.

3. That events were responded to in a timely manner

The definition of a timely manner will come down to your own circumstances, but you are going to consider any legal or regulatory constraints that may be imposed. For example, consider the requirement under GDPR to report data breaches within 72 hours. The audit will check the reporting of and response to incidents, and that any time requirements were met.

Top 3 Mistakes People Make

In my experience, the top 3 mistakes people make for ISO 27001 Annex A 6.8 are:

1. You have no evidence that anything actually happened

There need to be records and minutes of everything. For evidence, you need a paper trail to show it was done. Make sure you have updated communication plans, records of events, and records of how you responded to events and in what timeframe. If it isn’t written down, it didn’t happen.

2. One or more members of your team haven’t done what they should have done

Before the audit, check that all members of the team have done what they should have. For example, do they know where the process documents are? Have events been recorded, and do you know where that record is? If events led to risks or continual improvement, can you show the link and evidence it? Check!

3. Your document and version control is wrong

The following are document mark-up best practices:

  • Keeping your document version control up to date
  • Making sure that version numbers match where used
  • Having a review evidenced in the last 12 months
  • Having documents with no comments left in them

FAQ

What are examples of how people can report information security events?

Reporting is based on your company culture and communication strategy but can include:

  • Via email
  • Via an online form
  • Via a telephone number
  • Via messenger / chat

What are the key requirements of Information Security Event Reporting?

The key requirements are:

  • Establishing a process for identifying, reporting, investigating, and addressing information security events.
  • Defining the roles and responsibilities of individuals involved in the reporting process.
  • Ensuring that security events are reported in a timely manner.
  • Conducting thorough investigations of security events to determine their root cause.
  • Taking appropriate corrective and preventive actions to prevent similar events from occurring in the future.

Why is Information Security Event Reporting Important?

Firstly, it allows you to address the issue at hand in a timely manner and reduce the impact of the information security event. The sooner that you catch it, the less damage that it will do. The worst case scenario is that an event goes undetected.

In addition, certain regulations, such as the GDPR, require certain events to be reported within a set time frame, so to be compliant you need effective reporting. Take, for example, a data breach of personal information, which would potentially have to be reported to the regulator within 72 hours.

Additionally, information security event reporting can help you to identify and assess information security risks as part of your continual improvement process. By collecting and recording the types of events and their impact, and performing root cause analysis, you are able to see if there is an underlying risk that needs addressing. If there is, it can be addressed by effective risk treatment.

What corrective actions should be taken in response to a security event?

Corrective actions should be taken to address the root cause of the event and prevent it from happening again. This may involve patching vulnerabilities, strengthening security controls, or implementing new procedures.

Do I have to implement ISO 27001 information security event reporting for ISO 27001 Certification?

Yes. The ability for people to report events in a timely manner is fundamental to an effective information security management system.

How hard is ISO 27001 Annex A 6.8 information security event reporting?

ISO 27001 Annex A 6.8 is not particularly hard. It can take a lot of time if you are doing it yourself but it is not technically very hard. We would recommend ISO 27001 templates to fast track your implementation.

How long will ISO 27001 Annex A 6.8 information security event reporting take me to implement?

ISO 27001 Annex A 6.8 will take approximately 1 week to complete if you are starting from nothing and doing it yourself.


Further Reading

The complete guide to ISO/IEC 27002:2022

ISO 27001 Logging and Monitoring Policy Beginner’s Guide

Information Commissioners Office Incident reporting

National Crime Agency (UK)

ISO 27001 Annex A 6.8 Attribute Table

Control type: Detective
Information security properties: Availability, Confidentiality, Integrity
Cybersecurity concepts: Detect
Operational capabilities: Information security event management
Security domains: Defence

About the author

Stuart Barker is an information security practitioner of over 30 years. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business that he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded and brought to market the first of its kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is active and a hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2, and his niche is start-up and early stage business.