Information Security Event Reporting ISO 27001
I am going to show you what ISO 27001 Information Security Event Reporting is, what’s new, give you ISO 27001 templates, show you examples, do a walkthrough and show you how to implement it.
What is Information Security Event Reporting?
Information Security Event Reporting is the process of recording and communicating observed or suspected occurrences that could affect the security of information or systems, from a failed unauthorised access attempt to a confirmed data breach. In ISO 27001 terms an event is something observed; it becomes an incident once it has been assessed as having, or being likely to have, an impact on the organisation.
What is ISO 27001 Information Security Event Reporting?
ISO 27001 Annex A 6.8 Information Security Event Reporting is an ISO 27001 Annex A control that wants you to implement a way for people to report information security events in a timely manner. You can have more than one way but have at least one.
ISO 27001 Information Security Event Reporting Purpose
The purpose of ISO 27001 6.8 Information Security Event Reporting is to support the timely, consistent and effective reporting of actual or potential information security incidents / events.
ISO 27001 Information Security Event Reporting Definition
The ISO 27001 standard defines ISO 27001 Annex A 6.8 information security event reporting as:
The organisation should provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner.
ISO 27001:2022 Annex A 6.8 Information Security Event Reporting Implementation Guide
You are going to have to
- implement a process for reporting information security events
- assign responsibility for managing reported information security events
- educate people on how to report events
- educate people on who to report events to
How security events should be reported
The process for reporting incidents and events can take many forms and you may choose one, some or all of them. Examples include reporting
- Via email
- Via an online form
- Via a telephone number
- Via Messenger / Chat
Who does the report go to?
Typically events are reported to the information security manager. In a larger or more mature organisation the first port of call is usually a unified help desk or support function that acts as coordinator and gatekeeper, logs a ticket and then allocates it to the information security manager.
Who is responsible for investigating security events?
The responsibility for investigating security events will depend on the organisation’s specific structure and processes. However, it is typically assigned to a designated security team or individual.
How quickly should you report suspected or actual events?
People should report suspected or actual information security events as soon as possible, at the first opportunity. Some laws and regulations set very specific timelines for reporting and for what must then happen, the GDPR being the common example, and those clocks typically start when the organisation becomes aware of the event, so any internal delay eats into them. The guidance to staff is therefore simple: report as soon as you can.
What types of events should be reported?
The guidance should be: if in doubt, report it. Better to err on the side of caution. That said, the kinds of information security events that should be reported include but are not limited to:
- Actual or suspected data breach
- Information security controls that are not working
- Loss of a device
- Emailing the wrong person
- Physical security breach
- Virus or other malware infection
- Systems not working as intended
- Ransomware
- Phishing email, including having clicked a link in one
ISO 27001 Templates
Having ISO 27001 templates can help fast track your ISO 27001 implementation. The ISO 27001 Toolkit is the ultimate resource for your ISO 27001 certification.
How to pass the audit
To comply with ISO 27001 Annex A 6.8 Information Security Event Reporting you are going to implement the 'how' for the 'what' the control expects. In short, you are going to:
- Implement your information security event reporting process
- Have the process approved by management
- Assign ownership of the process to a competent resource
- Tell people about the process
- Include different channels for people to be able to report events
- Plan to review your process at least annually or if significant changes occur
- Keep records of your reported events
To pass an audit of ISO 27001 Annex A 6.8 Information Security Event Reporting you are going to make sure that you have followed the steps above in how to comply.
What the auditor will check
The audit is going to check a number of areas for compliance with ISO 27001 Information Security Event Reporting. Let's go through them.
1. That you have documented your process for event reporting
What this means is that you will have a document that sets out the process for event reporting and the roles and responsibilities involved. It will cover the different ways in which events can be reported, taking into account the culture and set-up of the organisation, and it will set out what needs doing and what will be done.
2. That you have allocated your roles and responsibilities
For the roles and responsibilities that you have defined and documented you are going to allocate people to do the work. Has each defined role been allocated to someone, and can you say who if asked? The auditor will also check that those people are competent to perform the roles.
3. That events were responded to in a timely manner
The definition of a timely manner will come down to your own circumstances, but you are going to consider any legal or regulatory constraints that apply. For example, under the GDPR a personal data breach may have to be notified to the supervisory authority within 72 hours of becoming aware of it. The audit will check the reporting of and response to events and that any time requirements were met.
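As an added example (not from this page or from the ISO standard), the following Python sketch of an event register shows one way to evidence this audit check: it records when each event was observed and when it was reported, starts the 72-hour GDPR Article 33 clock from the point of awareness for events involving personal data, and flags entries that are open, overdue, or were notified to the regulator late. The field names, register entries and timestamps are constructed for illustration; the 72-hour figure and its start point (awareness) are taken from GDPR Article 33.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc

# Regulatory clocks tracked by the register. GDPR Article 33: notify the
# supervisory authority without undue delay and, where feasible, within
# 72 hours of the controller becoming aware of a personal data breach.
# Other regimes (sector rules, contractual SLAs) would be added here.
REGULATORY_CLOCKS = {"gdpr_personal_data_breach": timedelta(hours=72)}


@dataclass
class EventReport:
    """One register entry. Field names are this example's own, not ISO's."""
    ref: str
    category: str                      # e.g. "phishing", "lost_device"
    channel: str                       # "email", "form", "phone", "chat"
    observed_at: datetime              # reporter first noticed the event
    reported_at: datetime              # event reached the reporting channel
    involves_personal_data: bool = False
    aware_at: Optional[datetime] = None            # organisation became aware it is a personal data breach
    notified_regulator_at: Optional[datetime] = None


def reporting_latency(ev: EventReport) -> timedelta:
    """How long the reporter sat on the event before reporting it."""
    return ev.reported_at - ev.observed_at


def regulatory_deadline(ev: EventReport) -> Optional[datetime]:
    """72h clock for personal data breaches, started at awareness (or at
    report time if awareness was not recorded separately); None otherwise."""
    if not ev.involves_personal_data:
        return None
    start = ev.aware_at or ev.reported_at
    return start + REGULATORY_CLOCKS["gdpr_personal_data_breach"]


def deadline_status(ev: EventReport, now: datetime) -> str:
    """One of: n/a, notified_in_time, notified_late, open, overdue."""
    deadline = regulatory_deadline(ev)
    if deadline is None:
        return "n/a"
    if ev.notified_regulator_at is not None:
        return "notified_in_time" if ev.notified_regulator_at <= deadline else "notified_late"
    return "open" if now <= deadline else "overdue"


def audit_summary(register, now: datetime) -> dict:
    """The view an auditor asks for: what is late or overdue, plus the worst
    reporter-side delay seen, as evidence that 'timely' was actually met."""
    statuses = {ev.ref: deadline_status(ev, now) for ev in register}
    return {
        "statuses": statuses,
        "overdue": sorted(r for r, s in statuses.items() if s == "overdue"),
        "notified_late": sorted(r for r, s in statuses.items() if s == "notified_late"),
        "max_reporting_latency_hours": max(
            (reporting_latency(ev).total_seconds() / 3600 for ev in register), default=0.0
        ),
    }


def ts(s: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM' as a UTC timestamp."""
    return datetime.fromisoformat(s).replace(tzinfo=UTC)


# Constructed sample register (not real events).
SAMPLE_REGISTER = [
    EventReport("EV-001", "phishing", "email",
                ts("2024-03-04 09:00"), ts("2024-03-04 09:20")),
    EventReport("EV-002", "lost_device", "phone",
                ts("2024-03-05 18:00"), ts("2024-03-06 08:30"),
                involves_personal_data=True, aware_at=ts("2024-03-06 08:30"),
                notified_regulator_at=ts("2024-03-08 12:00")),
    EventReport("EV-003", "data_breach", "form",
                ts("2024-03-10 10:00"), ts("2024-03-10 10:05"),
                involves_personal_data=True),
]
AUDIT_NOW = ts("2024-03-14 09:00")

if __name__ == "__main__":
    summary = audit_summary(SAMPLE_REGISTER, AUDIT_NOW)
    for ref, status in summary["statuses"].items():
        print(ref, status)
    print("overdue:", summary["overdue"], "late:", summary["notified_late"])
```

Two design points matter for the audit. The clock is keyed off awareness rather than off the moment the ticket was raised, because an overnight gap between a lost device and the next morning's phone call (EV-002 above) is exactly the delay the auditor will ask about; and the register keeps observed and reported times separately so that the reporter-side latency can be shown as a number rather than asserted.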
Top 3 Mistakes People Make
In my experience, the top 3 mistakes people make for ISO 27001 Annex A 6.8 Information Security Event Reporting are
1. You have no evidence that anything actually happened
There need to be records and minutes of everything. For evidence, you need a paper trail to show it was done. Make sure you have updated communication plans, records of events, and records of how you responded to events and in what timeframe. If it isn't written down, it didn't happen.
2. One or more members of your team haven’t done what they should have done
Before the audit, check that all members of the team have done what they should have. For example, do they know where the process documents are? Have events been recorded, and do you know where that record is? If events led to risks or continual improvement, can you show the link and evidence it? Check!
3. Your document and version control is wrong
The following are good document markup practice:
- Keeping your document version control up to date
- Making sure that version numbers match wherever they are used
- Having a review evidenced in the last 12 months
- Having documents with no unresolved comments left in them
ISO 27001 Information Security Event Reporting FAQ
Reporting is based on your company culture and communication strategy but can include:
- Via email
- Via an online form
- Via a telephone number
- Via Messenger / Chat
The key requirements are:
- Establishing a process for identifying, reporting, investigating and addressing information security events.
- Defining the roles and responsibilities of the individuals involved in the reporting process.
- Ensuring that security events are reported in a timely manner.
- Conducting thorough investigations of security events to determine their root cause.
- Taking appropriate corrective and preventive actions to stop similar events from occurring in the future.
All in all, information security event reporting is important because it helps organisations to:
- Identify and assess information security risks
- Take corrective action to mitigate information security risks
- Improve information security awareness and training
- Demonstrate compliance with information security regulations
Firstly, it allows you to address the issue at hand in a timely manner and reduce the impact of the information security event. The sooner you catch it, the less damage it will do. The worst case is an event that goes undetected.
In fact, certain regulations, such as the GDPR, require you to report certain events within a set time frame, so to be compliant you need effective reporting. Take for example a breach of personal data, which may have to be reported to the supervisory authority within 72 hours of becoming aware of it.
Additionally, information security event reporting helps you to identify and assess information security risks as part of your continual improvement process. By collecting and recording the types of events and their impact and performing root cause analysis, you can see whether there is an underlying risk that needs addressing. If there is, it can be addressed through effective risk treatment.
The benefits are:
- You cannot get ISO 27001 certification without it
- Protection of confidential information
- Reducing the risk of data breaches by catching events early
- Mitigating legal liability by acting and responding
- Building trust with employees and third parties
- Reduced cost of incidents by catching and managing events early
- Reputation protection
Corrective actions should be taken to address the root cause of the event and prevent it from happening again. This may involve patching vulnerabilities, strengthening security controls, or implementing new procedures.
Yes. The ability for people to report events in a timely manner is fundamental to an effective information security management system.
ISO 27001 Annex A 6.8 is not particularly hard. It can take a lot of time if you are doing it yourself but it is not technically very hard. We would recommend ISO 27001 templates to fast track your implementation.
ISO 27001 Annex A 6.8 will take approximately 1 week to complete if you are starting from nothing and doing it yourself.
ISO 27001 Controls and Attribute values

| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| Detective | Availability, Confidentiality, Integrity | Detect | Information security event management | Defence |