ISO 27001:2022 Annex A 6.8 – Information Security Event Reporting

• See ISO 27002:2022 Control 6.8 for more information.
• See ISO 27001:2013 Annex A 16.1.2 for more information.
• See ISO 27001:2013 Annex A 16.1.3 for more information.

What Is ISO 27001:2022 Annex A Control 6.8?

ISO 27001:2022 Annex A 6.8 mandates that organisations create a system allowing personnel to report information security events they observe or suspect promptly and through the appropriate channels.

Information Security Events Explained

Information security breaches (also known as information security incidents) are on the rise, with growing frequency and intensity. Unfortunately, many of these occurrences go unnoticed.

Many factors can trigger information security events:

• Malicious software, such as viruses and worms, is a problem.
• Hackers gain unauthorised access to computer systems via the internet or a network of computers (“hacking”).
• Unauthorised access to computers and networks (commonly referred to as “password cracking”) is a violation of security protocols.
• Hackers who gain access to a system, or not, can illegally alter data.
• External sources infiltrating a business’s internal system to steal info or impede operations.

No matter how secure your network is, there will always be some risk of an information security event occurring. To minimise this risk, make use of various tools and techniques, such as reporting, to identify potential threats before they can cause any harm.

What is Information Security Event Reporting?

Information security event reporting is a key component of any cyber security strategy. Implementing the best technology to protect data is one thing, but understanding what’s taking place is another.

Information security event reporting is the process of noting incidents, breaches, and other cyber-based events that happen in an organisation to examine them and devise strategies to prevent repeats from occurring. Documentation, analysis and prevention strategies are all essential elements.

Why Is Information Security Event Reporting Important?

Information security event reporting is essential for any organisation; without it, no knowledge will exist as to whether the network has been infiltrated or if other potential risks exist. Without this understanding, measures to avert future incidents cannot be put in place, nor can earlier attacks be identified and remedied.

It is essential to address any incidents quickly and effectively. Response time is essential to safeguarding the business and minimising the effects on customers and other stakeholders.

Annex A 6.8 of ISO 27001:2022 was created to accomplish this.

What Is the Purpose of ISO 27001:2022 Annex A 6.8?

The aim of ISO 27001:2022 Annex A Control 6.8 is to facilitate timely, consistent and effective reporting of information security events detected by personnel.

Ensuring that incidents are swiftly reported and documented accurately is critical to ensure incident response activities and other security management responsibilities are properly supported.

Organisations should have an information security event reporting program in line with ISO 27001:2022 Annex A Control 6.8 to detect and mitigate incidents that could affect information security. The program should enable receiving, evaluating and responding to reported incidents.

ISO 27001:2022 Annex A Control 6.8 outlines the purpose and instructions for constructing an information security event reporting system in line with the ISO 27001 framework.

This control is intended to:

• Ensure personnel promptly and consistently report information security events in an efficient and effective manner.
• Proactively detect any unauthorised access or improper use of information systems.
• Facilitate the preparation of incident response plans.
• Create a base for sustained observation activities.

Regularly review incidents and trends to detect issues before they become serious (e.g. by tracking the number of incidents or how long each incident takes) should be a key part of Annex A 6.8 implementation.

What Is Involved and How to Meet the Requirements

ISO 27001:2022 Annex A 6.8 requires the following:

• Everyone should understand their obligation to report info security incidents promptly to stop or reduce their impact.
• The organisation must maintain a record of the contact for reporting data security incidents and ensure that the process is as simple, accessible, and available as can be.
• The organisation must keep records of information security incidents, such as incident reports, event logs, change requests, problem reports, and system documentation.

Per Annex A 6.8, events requiring information security reporting include:

• Ineffective information protection measures.
• Infringement of security expectations regarding confidentiality, integrity, or availability of data.
• Human mistakes.
• Failure to adhere to the information security policy, specific policies or relevant standards.
• Any infringements of physical security measures.
• System modifications that have not been submitted to the change management process.
• In the event of any malfunctions or other unusual system behaviour of software or hardware.
• In the event of any access violations.
• If any vulnerabilities occur.
• If it is suspected that a malware infection is present.

Moreover, it is not the responsibility of the personnel reporting to test the vulnerability or effectiveness of the information security event. It should be left to qualified personnel to handle this as it can result in legal liability for the employee.

Changes and Differences from ISO 27001:2013

Firstly, Annex A 6.8 in ISO 27001:2022 is not a new control, rather, it is a fusion of Annex A 16.1.2 and Annex A 16.1.3 in ISO 27001:2013. These two controls were revised in ISO 27001:2022 to make it more accessible than ISO 27001:2013.

Employees and contractors should be made aware of their responsibility to promptly report information security events and the process for doing so, including the contact person to which reports should be directed.

Employees and contractors should promptly report any information security weaknesses to the point of contact, in order to forestall information security incidents. The reporting system should be as straightforward, accessible, and attainable as possible.

You can observe that recommendations six and eight have been consolidated into one in the revised ISO 27001:2022.

Annex A 6.8 features two additional considerations not present in Annex A 16.1.2 and Annex A 16.1.3. These are:

• System alterations which have not been processed by the change control procedure.
• Suspected malware infection.

By the end, both iterations are quite similar. The largest differences are the alteration of the control number, control name, and language more approachable to users. Moreover, ISO 27001:2022 includes an attributes table and control purpose, features overlooked in the 2013 version.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

Who Is in Charge of This Process?

Information security is a collaborative effort and all members of the organisation should be involved. Nevertheless, there are several individuals who act as the first line of defence during security events. These people are responsible for ascertaining the right contact for reporting and managing the response to the event in order to prevent any recurrence.

Who are the first responders? This varies depending on the organisation, but typically includes:

The Chief Information Security Officer (CISO) is accountable for the security of information at their organisation. They work in conjunction with senior management to effectively reduce and manage any risks.

The Information Security Manager routinely oversees daily activities, such as monitoring of systems and dealing with incidents, including the filing of tickets with other teams.

The Chief Human Resources Officer (CHRO) has overall responsibility for human resource issues, covering recruitment, employee retention, benefits management, and employee training programs. They play a key role in making hiring decisions and fostering awareness among personnel about security event reporting.

What Do These Changes Mean for You?

To comply with the ISO 27001:2022 revison, simply ensure your information security processes remain up-to-date. No substantial changes were made.

If you have acquired an ISO 27001 certification, your current approach to information security management should conform to the new standards. Verify that information security incident reporting is incorporated into your company’s strategy.

Beginning anew, you’ll have to refer to the details provided in the revised standard.

Refer to our ISO 27001:2022 guide for more information on how Annex A 6.8 amendments will impact your business.

How ISMS.Online Helps

ISO 27001 is a framework for information security management that assists organisations in establishing a successful ISMS. This standard outlines requirements for constructing an ISMS within an organisation.

At ISMS.online, our cloud-based platform assists in constructing, sustaining and assessing an ISO 27001 standards-based Information Security Management System (ISMS). We offer customisable templates and tools to comply with ISO 27001 regulations.

This platform allows you to construct an ISMS that adheres to the international standard and utilise the checklists supplied to guarantee your information security management is up to standard. Moreover, you can exploit ISMS.online for risk and vulnerability assessment to detect any weak points in your existing infrastructure that require urgent attention.

ISMS.online provides the resources to demonstrate adherence to ISO 27001. Utilising these tools, you can prove compliance with the internationally recognised standard.

Contact us now to reserve a demonstration.