ISO 27001 Annex A 6.8 Information Security Event Reporting


ISO 27001 Information Security Event Reporting

In this ultimate guide to ISO 27001 Annex A 6.8 Information Security Event Reporting you will learn

  • What is ISO 27001 Annex A 6.8
  • How to implement ISO 27001 Annex A 6.8

I am Stuart Barker, the ISO 27001 Ninja and author of the Ultimate ISO 27001 Toolkit.

With over 30 years industry experience I will show you what’s new, give you ISO 27001 templates, show you examples, do a walkthrough and show you how to implement it for ISO 27001 certification.

What is ISO 27001 Annex A 6.8 Information Security Event Reporting?

ISO 27001 Annex A 6.8 Information Security Event Reporting is an ISO 27001 control that wants you to implement a way for people to report information security events in a timely manner. You can have more than one way but have at least one.

ISO 27001 Annex A 6.8 Purpose

The purpose of ISO 27001 6.8 Information Security Event Reporting is to support the timely, consistent and effective reporting of actual or potential information security incidents / events.

ISO 27001 Annex A 6.8 Definition

The ISO 27001 standard defines ISO 27001 Annex A 6.8 as:

The organisation should provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner.

ISO 27001:2022 Annex A 6.8 Information Security Event Reporting


ISO 27001 Annex A 6.8 Implementation Guide

You are going to have to

  • implement a process for reporting information security events
  • educate people how to report events
  • assign responsibility for managing information security events
  • educate people who to report events to

Implement your process

The process for reporting incidents and events can take many forms, and you may choose one, some or all of them. Examples include reporting:

  • Via email
  • Via an online form
  • Via a telephone number
  • Via Messenger / Chat

Who does the report go to?

Typically incidents will get reported to the information security manager. In a larger or more mature organisation the first port of call is usually a unified help desk or support function that acts as the coordinator and gatekeeper and then allocates the ticket to the information security manager.

How quickly should you report suspected or actual events?

People should report suspected or actual information security events as soon as possible, at the first opportunity. Significantly, some laws and regulations, such as the GDPR, set very specific timelines for reporting and for what needs to happen, so the guidance is to tell people to report as soon as they can.

What are the kind of things that should be reported?

The guidance should be that if in doubt, report it. Better to err on the side of caution. That said, the kind of information security events that should be reported include but are not limited to:

  • Actual or suspected data breach
  • Information Security Controls that are not working
  • Loss of device
  • Emailing the wrong person
  • Physical security breach
  • Virus infection
  • Malware infection
  • Systems not working as intended
  • Ransomware
  • Phishing email / clicking a link

ISO 27001 Templates

Having an ISO 27001 template for control 6.8 can help fast track your implementation. The ISO 27001 Toolkit is the ultimate resource for your ISO 27001 implementation.

How to comply with ISO 27001 Annex A 6.8

To comply with ISO 27001 Annex A 6.8 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to:

  • Implement your information security event reporting process
  • Have the process approved by management
  • Assign ownership of the process to competent resource
  • Tell people about the process
  • Include different channels for people to be able to report events
  • Plan to review your process at least annually or if significant changes occur
  • Keep records of your reported events

How to pass an audit of ISO 27001 Annex A 6.8

To pass an audit of ISO 27001 Annex A 6.8 you are going to make sure that you have followed the steps above in how to comply.

In essence, you are going to do that by first conducting an internal audit, following the How to Conduct an ISO 27001 Internal Audit Guide.

What will an audit check?

The audit is going to check a number of areas for compliance with Annex A 6.8. Let's go through them.

1. That you have documented your process for event reporting

What this means is that you will have a document that sets out what the process for event reporting is and includes the roles and responsibilities that are involved. It will cover the different ways in which events can be reported, taking into account the culture and set-up of the organisation. It will set out what needs doing and what will be done.

2. That you have allocated your roles and responsibilities

For the roles and responsibilities that you have defined and documented, you are going to allocate people to them to do the work. Has each defined role been allocated to someone, and can you say who if asked? In addition, the audit will check that those people are competent to perform the roles.

3. That events were responded to in a timely manner

The definition of a timely manner will come down to your own circumstances, but you are going to consider any legal or regulatory constraints that may be imposed. For example, consider the requirement to report data breaches under GDPR within 72 hours. The audit will check the reporting of and response to incidents and that any time requirements were met.

Top 3 Mistakes People Make for ISO 27001 Annex A 6.8

In my experience, the top 3 mistakes people make for ISO 27001 Annex A 6.8 are

1. You have no evidence that anything actually happened

There need to be records and minutes of everything. For evidence, you need a paper trail to show it was done. Make sure you have updated communication plans, records of events, and records of how you responded to events and in what timeframe. If it isn't written down, it didn't happen.

2. One or more members of your team haven’t done what they should have done

Before the audit, check that all members of the team have done what they should have. For example, do they know where the process documents are? Have events been recorded, and do you know where that record is? If events led to risks or continual improvement, can you show the link and evidence it? Check!

3. Your document and version control is wrong

The following are good document markup best practices:

  • Keeping your document version control up to date
  • Making sure that version numbers match where used
  • Having a review evidenced in the last 12 months
  • Having documents with no comments left in them

What are the benefits of ISO 27001 6.8 Information Security Event Reporting?

Other than your ISO 27001 certification requiring it, the following are the top 6 benefits of ISO 27001 Annex A 6.8 Information Security Event Reporting: 

  • You cannot get ISO 27001 certification without it.
  • Protecting confidential information
  • Reducing the risk of data breaches by catching events early
  • Mitigating legal liability by acting and responding
  • Building trust with employees and third parties
  • Reduced cost of incidents by catching and managing events early
  • Reputation Protection: In the event of a breach having an event reporting process in place will reduce the potential for fines and reduce the PR impact of an event

Why is Information Security Event Reporting Important?

All in all, information security event reporting is important because it helps organisations to

  • Identify and assess information security risks
  • Take corrective action to mitigate information security risks
  • Improve information security awareness and training
  • Demonstrate compliance with information security regulations

Firstly, it allows you to address the issue at hand in a timely manner and reduce the impact of the information security event. The sooner you catch it, the less damage it will do. The worst case scenario is an event that goes undetected.

In fact, there are certain regulations, such as the GDPR, that require you to report certain events within a set time frame, so to be compliant we need effective reporting. Take, for example, a data breach of personal information, which would potentially have to be reported to the regulator within 72 hours.

Additionally, information security event reporting can help you to identify and assess information security risks as part of your continual improvement process. By collecting and recording the types of events and their impact, and performing root cause analysis, you are able to see if there is an underlying risk that needs addressing. If there is, it can be addressed by effective risk treatment.

ISO 27001 Annex A 6.8 FAQ

Are there free templates for ISO 27001 Annex A 6.8?

There are templates for ISO 27001 included in the High Table ISO 27001 Toolkit

Do I have to satisfy ISO 27001 Annex A 6.8 for ISO 27001 Certification?

Yes. The ability for people to report events in a timely manner is fundamental to an effective information security management system.

Where can I get templates for ISO 27001 Annex A 6.8?

ISO 27001 templates for ISO 27001 Annex A 6.8 are part of the High Table ISO 27001 Toolkit

How hard is ISO 27001 Annex A 6.8?

ISO 27001 Annex A 6.8 is not particularly hard. It can take a lot of time if you are doing it yourself but it is not technically very hard. We would recommend ISO 27001 templates to fast track your implementation.

How long will ISO 27001 Annex A 6.8 take me?

ISO 27001 Annex A 6.8 will take approximately 1 week to complete if you are starting from nothing and doing it yourself. Or you could download the High Table ISO 27001 Remote Working Policy.

How much will ISO 27001 Annex A 6.8 cost me?

The cost of ISO 27001 Annex A 6.8 will depend on how you go about it. If you do it yourself it will be free but will take you about 1 week, so the cost is the lost opportunity cost of tying up resource doing something that can easily be downloaded. If you download an ISO 27001 template then you are looking at around £10 per template.

What are examples of how people can report information security events?

Reporting is based on your company culture and communication strategy but can include:

  • Via email
  • Via an online form
  • Via a telephone number
  • Via Messenger / Chat

ISO 27001 Controls and Attribute values

  • Control type: Detective
  • Information security properties: Availability, Confidentiality, Integrity
  • Cybersecurity concepts: Detect
  • Operational capabilities: Information security event management
  • Security domains: Defence
