ISO 27001:2022 Annex A Control 6.8

Information Security Event Reporting

Book a demo

blurred,image,,people,silhouette,collaborating,in,office,interior.,defocused,space

What Is ISO 27001:2022 Annex A Control 6.8?

ISO 27001:2022 Annex A 6.8 mandates that organisations create a system allowing personnel to report information security events they observe or suspect promptly and through the appropriate channels.

Information Security Events Explained

Information security breaches (also known as information security incidents) are on the rise, with growing frequency and intensity. Unfortunately, many of these occurrences go unnoticed.

Many factors can trigger information security events:

  • Malicious software, such as viruses and worms, is a problem.
  • Hackers gain unauthorised access to computer systems via the internet or a network of computers (“hacking”).
  • Unauthorised access to computers and networks (commonly referred to as “password cracking”) is a violation of security protocols.
  • Hackers who gain access to a system, or not, can illegally alter data.
  • External sources infiltrating a business’s internal system to steal info or impede operations.

No matter how secure your network is, there will always be some risk of an information security event occurring. To minimise this risk, make use of various tools and techniques, such as reporting, to identify potential threats before they can cause any harm.

What is Information Security Event Reporting?

Information security event reporting is a key component of any cyber security strategy. Implementing the best technology to protect data is one thing, but understanding what’s taking place is another.

Information security event reporting is the process of noting incidents, breaches, and other cyber-based events that happen in an organisation to examine them and devise strategies to prevent repeats from occurring. Documentation, analysis and prevention strategies are all essential elements.

Why Is Information Security Event Reporting Important?

Information security event reporting is essential for any organisation; without it, no knowledge will exist as to whether the network has been infiltrated or if other potential risks exist. Without this understanding, measures to avert future incidents cannot be put in place, nor can earlier attacks be identified and remedied.

It is essential to address any incidents quickly and effectively. Response time is essential to safeguarding the business and minimising the effects on customers and other stakeholders.

Annex A 6.8 of ISO 27001:2022 was created to accomplish this.

What Is the Purpose of ISO 27001:2022 Annex A 6.8?

The aim of ISO 27001:2022 Annex A Control 6.8 is to facilitate timely, consistent and effective reporting of information security events detected by personnel.

Ensuring that incidents are swiftly reported and documented accurately is critical to ensure incident response activities and other security management responsibilities are properly supported.

Organisations should have an information security event reporting program in line with ISO 27001:2022 Annex A Control 6.8 to detect and mitigate incidents that could affect information security. The program should enable receiving, evaluating and responding to reported incidents.

ISO 27001:2022 Annex A Control 6.8 outlines the purpose and instructions for constructing an information security event reporting system in line with the ISO 27001 framework.

This control is intended to:

  • Ensure personnel promptly and consistently report information security events in an efficient and effective manner.
  • Proactively detect any unauthorised access or improper use of information systems.
  • Facilitate the preparation of incident response plans.
  • Create a base for sustained observation activities.

Regularly review incidents and trends to detect issues before they become serious (e.g. by tracking the number of incidents or how long each incident takes) should be a key part of Annex A 6.8 implementation.

What Is Involved and How to Meet the Requirements

ISO 27001:2022 Annex A 6.8 requires the following:

  • Everyone should understand their obligation to report info security incidents promptly to stop or reduce their impact.
  • The organisation must maintain a record of the contact for reporting data security incidents and ensure that the process is as simple, accessible, and available as can be.
  • The organisation must keep records of information security incidents, such as incident reports, event logs, change requests, problem reports, and system documentation.

Per Annex A 6.8, events requiring information security reporting include:

  • Ineffective information protection measures.
  • Infringement of security expectations regarding confidentiality, integrity, or availability of data.
  • Human mistakes.
  • Failure to adhere to the information security policy, specific policies or relevant standards.
  • Any infringements of physical security measures.
  • System modifications that have not been submitted to the change management process.
  • In the event of any malfunctions or other unusual system behaviour of software or hardware.
  • In the event of any access violations.
  • If any vulnerabilities occur.
  • If it is suspected that a malware infection is present.

Moreover, it is not the responsibility of the personnel reporting to test the vulnerability or effectiveness of the information security event. It should be left to qualified personnel to handle this as it can result in legal liability for the employee.

Changes and Differences from ISO 27001:2013

Firstly, Annex A 6.8 in ISO 27001:2022 is not a new control, rather, it is a fusion of Annex A 16.1.2 and Annex A 16.1.3 in ISO 27001:2013. These two controls were revised in ISO 27001:2022 to make it more accessible than ISO 27001:2013.

Employees and contractors should be made aware of their responsibility to promptly report information security events and the process for doing so, including the contact person to which reports should be directed.

Employees and contractors should promptly report any information security weaknesses to the point of contact, in order to forestall information security incidents. The reporting system should be as straightforward, accessible, and attainable as possible.

You can observe that recommendations six and eight have been consolidated into one in the revised ISO 27001:2022.

Annex A 6.8 features two additional considerations not present in Annex A 16.1.2 and Annex A 16.1.3. These are:

  • System alterations which have not been processed by the change control procedure.
  • Suspected malware infection.

By the end, both iterations are quite similar. The largest differences are the alteration of the control number, control name, and language more approachable to users. Moreover, ISO 27001:2022 includes an attributes table and control purpose, features overlooked in the 2013 version.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

ISO 27001:2022 Organisational Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Organisational ControlsAnnex A 5.1Annex A 5.1.1
Annex A 5.1.2
Policies for Information Security
Organisational ControlsAnnex A 5.2Annex A 6.1.1Information Security Roles and Responsibilities
Organisational ControlsAnnex A 5.3Annex A 6.1.2Segregation of Duties
Organisational ControlsAnnex A 5.4Annex A 7.2.1Management Responsibilities
Organisational ControlsAnnex A 5.5Annex A 6.1.3Contact With Authorities
Organisational ControlsAnnex A 5.6Annex A 6.1.4Contact With Special Interest Groups
Organisational ControlsAnnex A 5.7NEWThreat Intelligence
Organisational ControlsAnnex A 5.8Annex A 6.1.5
Annex A 14.1.1
Information Security in Project Management
Organisational ControlsAnnex A 5.9Annex A 8.1.1
Annex A 8.1.2
Inventory of Information and Other Associated Assets
Organisational ControlsAnnex A 5.10Annex A 8.1.3
Annex A 8.2.3
Acceptable Use of Information and Other Associated Assets
Organisational ControlsAnnex A 5.11Annex A 8.1.4Return of Assets
Organisational ControlsAnnex A 5.12Annex A 8.2.1Classification of Information
Organisational ControlsAnnex A 5.13Annex A 8.2.2Labelling of Information
Organisational ControlsAnnex A 5.14Annex A 13.2.1
Annex A 13.2.2
Annex A 13.2.3
Information Transfer
Organisational ControlsAnnex A 5.15Annex A 9.1.1
Annex A 9.1.2
Access Control
Organisational ControlsAnnex A 5.16Annex A 9.2.1Identity Management
Organisational ControlsAnnex A 5.17Annex A 9.2.4
Annex A 9.3.1
Annex A 9.4.3
Authentication Information
Organisational ControlsAnnex A 5.18Annex A 9.2.2
Annex A 9.2.5
Annex A 9.2.6
Access Rights
Organisational ControlsAnnex A 5.19Annex A 15.1.1Information Security in Supplier Relationships
Organisational ControlsAnnex A 5.20Annex A 15.1.2Addressing Information Security Within Supplier Agreements
Organisational ControlsAnnex A 5.21Annex A 15.1.3Managing Information Security in the ICT Supply Chain
Organisational ControlsAnnex A 5.22Annex A 15.2.1
Annex A 15.2.2
Monitoring, Review and Change Management of Supplier Services
Organisational ControlsAnnex A 5.23NEWInformation Security for Use of Cloud Services
Organisational ControlsAnnex A 5.24Annex A 16.1.1Information Security Incident Management Planning and Preparation
Organisational ControlsAnnex A 5.25Annex A 16.1.4Assessment and Decision on Information Security Events
Organisational ControlsAnnex A 5.26Annex A 16.1.5Response to Information Security Incidents
Organisational ControlsAnnex A 5.27Annex A 16.1.6Learning From Information Security Incidents
Organisational ControlsAnnex A 5.28Annex A 16.1.7Collection of Evidence
Organisational ControlsAnnex A 5.29Annex A 17.1.1
Annex A 17.1.2
Annex A 17.1.3
Information Security During Disruption
Organisational ControlsAnnex A 5.30NEWICT Readiness for Business Continuity
Organisational ControlsAnnex A 5.31Annex A 18.1.1
Annex A 18.1.5
Legal, Statutory, Regulatory and Contractual Requirements
Organisational ControlsAnnex A 5.32Annex A 18.1.2Intellectual Property Rights
Organisational ControlsAnnex A 5.33Annex A 18.1.3Protection of Records
Organisational ControlsAnnex A 5.34 Annex A 18.1.4Privacy and Protection of PII
Organisational ControlsAnnex A 5.35Annex A 18.2.1Independent Review of Information Security
Organisational ControlsAnnex A 5.36Annex A 18.2.2
Annex A 18.2.3
Compliance With Policies, Rules and Standards for Information Security
Organisational ControlsAnnex A 5.37Annex A 12.1.1Documented Operating Procedures

ISO 27001:2022 People Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
People ControlsAnnex A 6.1Annex A 7.1.1Screening
People ControlsAnnex A 6.2Annex A 7.1.2Terms and Conditions of Employment
People ControlsAnnex A 6.3Annex A 7.2.2Information Security Awareness, Education and Training
People ControlsAnnex A 6.4Annex A 7.2.3Disciplinary Process
People ControlsAnnex A 6.5Annex A 7.3.1Responsibilities After Termination or Change of Employment
People ControlsAnnex A 6.6Annex A 13.2.4Confidentiality or Non-Disclosure Agreements
People ControlsAnnex A 6.7Annex A 6.2.2Remote Working
People ControlsAnnex A 6.8Annex A 16.1.2
Annex A 16.1.3
Information Security Event Reporting

ISO 27001:2022 Physical Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Physical ControlsAnnex A 7.1Annex A 11.1.1Physical Security Perimeters
Physical ControlsAnnex A 7.2Annex A 11.1.2
Annex A 11.1.6
Physical Entry
Physical ControlsAnnex A 7.3Annex A 11.1.3Securing Offices, Rooms and Facilities
Physical ControlsAnnex A 7.4NEWPhysical Security Monitoring
Physical ControlsAnnex A 7.5Annex A 11.1.4Protecting Against Physical and Environmental Threats
Physical ControlsAnnex A 7.6Annex A 11.1.5Working In Secure Areas
Physical ControlsAnnex A 7.7Annex A 11.2.9Clear Desk and Clear Screen
Physical ControlsAnnex A 7.8Annex A 11.2.1Equipment Siting and Protection
Physical ControlsAnnex A 7.9Annex A 11.2.6Security of Assets Off-Premises
Physical ControlsAnnex A 7.10Annex A 8.3.1
Annex A 8.3.2
Annex A 8.3.3
Annex A 11.2.5
Storage Media
Physical ControlsAnnex A 7.11Annex A 11.2.2Supporting Utilities
Physical ControlsAnnex A 7.12Annex A 11.2.3Cabling Security
Physical ControlsAnnex A 7.13Annex A 11.2.4Equipment Maintenance
Physical ControlsAnnex A 7.14Annex A 11.2.7Secure Disposal or Re-Use of Equipment

ISO 27001:2022 Technological Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Technological ControlsAnnex A 8.1Annex A 6.2.1
Annex A 11.2.8
User Endpoint Devices
Technological ControlsAnnex A 8.2Annex A 9.2.3Privileged Access Rights
Technological ControlsAnnex A 8.3Annex A 9.4.1Information Access Restriction
Technological ControlsAnnex A 8.4Annex A 9.4.5Access to Source Code
Technological ControlsAnnex A 8.5Annex A 9.4.2Secure Authentication
Technological ControlsAnnex A 8.6Annex A 12.1.3Capacity Management
Technological ControlsAnnex A 8.7Annex A 12.2.1Protection Against Malware
Technological ControlsAnnex A 8.8Annex A 12.6.1
Annex A 18.2.3
Management of Technical Vulnerabilities
Technological ControlsAnnex A 8.9NEWConfiguration Management
Technological ControlsAnnex A 8.10NEWInformation Deletion
Technological ControlsAnnex A 8.11NEWData Masking
Technological ControlsAnnex A 8.12NEWData Leakage Prevention
Technological ControlsAnnex A 8.13Annex A 12.3.1Information Backup
Technological ControlsAnnex A 8.14Annex A 17.2.1Redundancy of Information Processing Facilities
Technological ControlsAnnex A 8.15Annex A 12.4.1
Annex A 12.4.2
Annex A 12.4.3
Logging
Technological ControlsAnnex A 8.16NEWMonitoring Activities
Technological ControlsAnnex A 8.17Annex A 12.4.4Clock Synchronization
Technological ControlsAnnex A 8.18Annex A 9.4.4Use of Privileged Utility Programs
Technological ControlsAnnex A 8.19Annex A 12.5.1
Annex A 12.6.2
Installation of Software on Operational Systems
Technological ControlsAnnex A 8.20Annex A 13.1.1Networks Security
Technological ControlsAnnex A 8.21Annex A 13.1.2Security of Network Services
Technological ControlsAnnex A 8.22Annex A 13.1.3Segregation of Networks
Technological ControlsAnnex A 8.23NEWWeb filtering
Technological ControlsAnnex A 8.24Annex A 10.1.1
Annex A 10.1.2
Use of Cryptography
Technological ControlsAnnex A 8.25Annex A 14.2.1Secure Development Life Cycle
Technological ControlsAnnex A 8.26Annex A 14.1.2
Annex A 14.1.3
Application Security Requirements
Technological ControlsAnnex A 8.27Annex A 14.2.5Secure System Architecture and Engineering Principles
Technological ControlsAnnex A 8.28NEWSecure Coding
Technological ControlsAnnex A 8.29Annex A 14.2.8
Annex A 14.2.9
Security Testing in Development and Acceptance
Technological ControlsAnnex A 8.30Annex A 14.2.7Outsourced Development
Technological ControlsAnnex A 8.31Annex A 12.1.4
Annex A 14.2.6
Separation of Development, Test and Production Environments
Technological ControlsAnnex A 8.32Annex A 12.1.2
Annex A 14.2.2
Annex A 14.2.3
Annex A 14.2.4
Change Management
Technological ControlsAnnex A 8.33Annex A 14.3.1Test Information
Technological ControlsAnnex A 8.34Annex A 12.7.1Protection of Information Systems During Audit Testing

Who Is in Charge of This Process?

Information security is a collaborative effort and all members of the organisation should be involved. Nevertheless, there are several individuals who act as the first line of defence during security events. These people are responsible for ascertaining the right contact for reporting and managing the response to the event in order to prevent any recurrence.

Who are the first responders? This varies depending on the organisation, but typically includes:

The Chief Information Security Officer (CISO) is accountable for the security of information at their organisation. They work in conjunction with senior management to effectively reduce and manage any risks.

The Information Security Manager routinely oversees daily activities, such as monitoring of systems and dealing with incidents, including the filing of tickets with other teams.

The Chief Human Resources Officer (CHRO) has overall responsibility for human resource issues, covering recruitment, employee retention, benefits management, and employee training programs. They play a key role in making hiring decisions and fostering awareness among personnel about security event reporting.

What Do These Changes Mean for You?

To comply with the ISO 27001:2022 revison, simply ensure your information security processes remain up-to-date. No substantial changes were made.

If you have acquired an ISO 27001 certification, your current approach to information security management should conform to the new standards. Verify that information security incident reporting is incorporated into your company’s strategy.

Beginning anew, you’ll have to refer to the details provided in the revised standard.

Refer to our ISO 27001:2022 guide for more information on how Annex A 6.8 amendments will impact your business.

How ISMS.Online Helps

ISO 27001 is a framework for information security management that assists organisations in establishing a successful ISMS. This standard outlines requirements for constructing an ISMS within an organisation.

At ISMS.online, our cloud-based platform assists in constructing, sustaining and assessing an ISO 27001 standards-based Information Security Management System (ISMS). We offer customisable templates and tools to comply with ISO 27001 regulations.

This platform allows you to construct an ISMS that adheres to the international standard and utilise the checklists supplied to guarantee your information security management is up to standard. Moreover, you can exploit ISMS.online for risk and vulnerability assessment to detect any weak points in your existing infrastructure that require urgent attention.

ISMS.online provides the resources to demonstrate adherence to ISO 27001. Utilising these tools, you can prove compliance with the internationally recognised standard.

Contact us now to reserve a demonstration.

See ISMS.online
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

Trusted by companies everywhere
  • Simple and easy to use
  • Designed for ISO 27001 success
  • Saves you time and money
Book your demo
img

Streamline your workflow with our new Jira integration! Learn more here.