ISO 27001 Annex A 6.8 Information Security Event Reporting

ISO 27001 Information Security Event Reporting

In this ultimate guide to ISO 27001 Annex A 6.8 Information Security Event Reporting you will learn

  • What is ISO 27001 Annex A 6.8
  • How to implement ISO 27001 Annex A 6.8

I am Stuart Barker, the ISO 27001 Ninja and author of the Ultimate ISO 27001 Toolkit.

With over 30 years' industry experience I will show you what’s new, give you ISO 27001 templates, show you examples, do a walkthrough and show you how to implement it for ISO 27001 certification.

What is ISO 27001 Annex A 6.8?

ISO 27001 Annex A 6.8 Information Security Event Reporting is an ISO 27001 Annex A control that requires you to implement a way for people to report information security events in a timely manner. You can have more than one way, but you must have at least one.

Purpose

The purpose of ISO 27001 6.8 Information Security Event Reporting is to support the timely, consistent and effective reporting of actual or potential information security incidents / events.

Definition

The ISO 27001 standard defines ISO 27001 Annex A 6.8 as:

The organisation should provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner.

ISO 27001:2022 Annex A 6.8 Information Security Event Reporting

Implementation Guide

You are going to have to

  • implement a process for reporting information security events
  • educate people how to report events
  • assign responsibility for managing information security events
  • educate people who to report events to

Implement your process

The process for reporting incidents and events can take many forms and you may choose one, some or all of them. Examples include reporting

  • Via email
  • Via an online form
  • Via a telephone number
  • Via Messenger / Chat

Who does the report go to?

Typically incidents will get reported to the information security manager. In a larger or more mature organisation, the first port of call is usually a unified help desk or support function that acts as the coordinator and gatekeeper and then allocates the ticket to the information security manager.

How quickly should you report suspected or actual events?

People should report suspected or actual information security events as soon as possible, at the first opportunity. Some laws and regulations, such as the GDPR, have very specific timelines for reporting and for what needs to happen, so the guidance is to tell people to report as soon as they can.

What are the kind of things that should be reported?

The guidance should be that if in doubt, report it. It is better to err on the side of caution. That said, the kinds of information security events that should be reported include but are not limited to:

  • Actual or suspected data breach
  • Information Security Controls that are not working
  • Loss of device
  • Emailing the wrong person
  • Physical security breach
  • Virus infection
  • Malware infection
  • Systems not working as intended
  • Ransomware
  • Phishing email / clicking a link

ISO 27001 Templates

Having an ISO 27001 template for control 6.8 can help fast track your implementation. The ISO 27001 Toolkit is the ultimate resource for your ISO 27001 implementation.

How to comply

To comply with ISO 27001 Annex A 6.8 you are going to implement the ‘how’ for the ‘what’ that the control expects. In short, you are going to:

  • Implement your information security event reporting process
  • Have the process approved by management
  • Assign ownership of the process to a competent resource
  • Tell people about the process
  • Include different channels for people to be able to report events
  • Plan to review your process at least annually or if significant changes occur
  • Keep records of your reported events

How to pass an audit

To pass an audit of ISO 27001 Annex A 6.8 you are going to make sure that you have followed the steps above in how to comply.

What the auditor will check

The audit is going to check a number of areas for compliance with Annex A 6.8. Let's go through them.

1. That you have documented your process for event reporting

What this means is that you will have a document that sets out what the process for event reporting is and includes the roles and responsibilities that are involved. It will cover the different ways in which events can be reported, taking into account the culture and set-up of the organisation. It will set out what needs doing and what will be done.

2. That you have allocated your roles and responsibilities

For the roles and responsibilities that you have defined and documented, you are going to allocate people to them to do the work. Has each defined role been allocated to someone, and can you say who if asked? In addition, the audit will check that those people are competent to perform the roles.

3. That events were responded to in a timely manner

The definition of a timely manner will come down to your own circumstances, but you are going to consider any legal or regulatory constraints that may be imposed. For example, consider the requirement for reporting data breaches under GDPR within 72 hours. The audit will check the reporting of and response to incidents and that any time requirements were met.

Top 3 Mistakes People Make

In my experience, the top 3 mistakes people make for ISO 27001 Annex A 6.8 are

1. You have no evidence that anything actually happened

There need to be records and minutes of everything. For evidence, you need a paper trail to show it was done. Make sure you have updated communication plans, records of events, and records of how you responded to events and in what timeframe. If it isn’t written down, it didn’t happen.

2. One or more members of your team haven’t done what they should have done

Before the audit, check that all members of the team have done what they should have. For example, do they know where the process documents are? Have events been recorded, and do you know where that record is? If events led to risks or continual improvement, can you show the link and evidence it? Check!

3. Your document and version control is wrong

The following are document mark-up best practices:

  • Keeping your document version control up to date
  • Making sure that version numbers match where used
  • Having a review evidenced in the last 12 months
  • Having documents that have no comments in them

What are the benefits of ISO 27001 6.8 Information Security Event Reporting?

Other than your ISO 27001 certification requiring it, the following are the top 6 benefits of ISO 27001 Annex A 6.8 Information Security Event Reporting: 

  • You cannot get ISO 27001 certification without it.
  • Protecting confidential information
  • Reducing the risk of data breaches by catching events early
  • Mitigating legal liability by acting and responding
  • Building trust with employees and third parties
  • Reduced cost of incidents by catching and managing events early
  • Reputation protection: in the event of a breach, having an event reporting process in place will reduce the potential for fines and reduce the PR impact of an event

Why is Information Security Event Reporting Important?

All in all, information security event reporting is important because it helps organisations to

  • Identify and assess information security risks
  • Take corrective action to mitigate information security risks
  • Improve information security awareness and training
  • Demonstrate compliance with information security regulations

Firstly, it allows you to address the issue at hand in a timely manner and reduce the impact of the information security event. The sooner you catch it, the less damage it will do. The worst-case scenario is that an event goes undetected.

Secondly, certain regulations, such as the GDPR, require you to report certain events within a certain time frame, so to be compliant you need effective reporting. Take, for example, a data breach of personal information, which would potentially have to be reported to the regulator within 72 hours.

Additionally, information security event reporting can help you to identify and assess information security risks as part of your continual improvement process. By collecting and recording the types of events and their impact, and performing root cause analysis, you are able to see if there is an underlying risk that needs addressing. If there is, it can be addressed by effective risk treatment.

FAQ

What are examples of how people can report information security events?

Reporting is based on your company culture and communication strategy but can include:

  • Via email
  • Via an online form
  • Via a telephone number
  • Via Messenger / Chat

Do I have to satisfy ISO 27001 Annex A 6.8 for ISO 27001 Certification?

Yes. The ability for people to report events in a timely manner is fundamental to an effective information security management system.

Where can I get templates for ISO 27001 Annex A 6.8?

ISO 27001 templates for ISO 27001 Annex A 6.8 are part of the ISO 27001 Toolkit.

How hard is ISO 27001 Annex A 6.8?

ISO 27001 Annex A 6.8 is not particularly hard. It can take a lot of time if you are doing it yourself but it is not technically very hard. We would recommend ISO 27001 templates to fast track your implementation.

How long will ISO 27001 Annex A 6.8 take me?

ISO 27001 Annex A 6.8 will take approximately 1 week to complete if you are starting from nothing and doing it yourself. Or you could download the High Table ISO 27001 Remote Working Policy.

How much will ISO 27001 Annex A 6.8 cost me?

The cost of ISO 27001 Annex A 6.8 will depend on how you go about it. If you do it yourself it will be free but will take you about 1 week, so the cost is the lost opportunity cost as you tie up resource doing something that can easily be downloaded. If you download an ISO 27001 Template then you are looking at around £10 per template.

Are there free templates for ISO 27001 Annex A 6.8?

There are templates for ISO 27001 included in the ISO 27001 Toolkit.

ISO 27001 Controls and Attribute values

  • Control type: Detective
  • Information security properties: Availability, Confidentiality, Integrity
  • Cybersecurity concepts: Detect
  • Operational capabilities: Information security event management
  • Security domains: Defence