Control 6.8 covers the need for organisations to create a system for personnel to report observed or suspected information security events through appropriate channels, and on time.
Information security events (also known as information security incidents) are situations in which information security is breached. The frequency and impact of such events are increasing, but the majority of them go unreported.
Information security events can be caused by many things:
An important thing to remember is that no matter how secure your network is, there will always be some risk of an information security event occurring. The goal is to minimise these risks as much as possible by using various tools and techniques, including reporting, to identify potential threats before they can cause damage.
Information security event reporting is a critical part of any cyber security plan. It’s one thing to have the best technology in place to protect your data, but it’s another thing entirely to know what’s happening with it.
Information security event reporting can be defined as the process of documenting incidents, breaches and other events related to cyber threats that occur within an organisation for the purposes of analysing them for future prevention and detection. In addition to recording these events, it’s also important to analyse them in order to develop strategies for preventing future incidents from happening.
Information security event reporting is important because without it, you have no way of knowing whether your network has been hacked or whether other potential threats are facing your organisation. Without this knowledge, you cannot prevent future attacks, or even know whether there have been previous attacks that still need addressing.
Reporting information security events is a critical part of any organisation’s response to an incident. The speed with which you can respond to an incident is often critical both for protecting your business and for limiting the impact on customers and other stakeholders.
This is what control 6.8 of ISO 27002:2022 is designed to achieve.
Attributes are used to classify controls. Using these, you can easily match your control choice with regularly used industry phrases and requirements. The attributes in control 6.8 are as follows.
Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
---|---|---|---|---|
#Detective | #Confidentiality #Integrity #Availability | #Detect | #Information Security Event Management | #Defence |
The purpose of Control 6.8 – Information Security Event Reporting is to support timely, consistent and effective reporting of information security events that can be identified by personnel.
This is to ensure that information security events are reported in a timely manner and that the information is recorded accurately to support incident response activities and other security management responsibilities.
Information security event reporting is the process of documenting and logging information security events that occur in an organisation. Control 6.8 recommends that organisations have an information security event reporting programme that facilitates receiving, assessing and responding to reports of incidents with a potential impact on information security, so that incidents are detected and their adverse effects mitigated.
Control 6.8 covers the purpose and implementation guidance for creating an information security event reporting system according to the framework as defined by ISO 27001.
This control is designed to:
Regular review of incidents and trends in order to identify problems before they become major incidents (for example, by monitoring the number of incidents or the time required for each incident) should also be a core component of control 6.8 implementation.
The following are some of the basic requirements for Control 6.8:
According to control 6.8, situations to be considered for information security event reporting include:
It is also important to point out here that it is not the role of the personnel reporting an event to test the suspected vulnerability themselves or to verify the effectiveness of the information security event. Doing so can expose the employee to legal liability, so it should be left to qualified personnel to handle.
More details on the implementation guidelines can be found in the revised ISO 27002:2022.
In the first place, control 6.8 in ISO 27002:2022 is not a new control; rather, it is a combination of controls 16.1.2 and 16.1.3 in ISO 27002:2013. These two controls were revised in ISO 27002:2022 to make the control more user-friendly than its ISO 27002:2013 counterparts.
Control 16.1.2 Reporting information security events talks about employees and contractors being made aware of their responsibility to report information security events as quickly as possible. They should also be aware of the procedure for reporting information security events and the point of contact to which the events should be reported.
Control 16.1.3 Reporting information security weaknesses recommends that all employees and contractors should report these matters to the point of contact as quickly as possible in order to prevent information security incidents. The reporting mechanism should be as easy, accessible and available as possible.
As you can see, these two recommendations were merged together into one in control 6.8 in the updated version of ISO 27002.
Two considerations were also added in control 6.8 that are missing in both control 16.1.2 and 16.1.3. These are:
At the end of the day, both versions are somewhat similar. The main changes are the change in control number, the change in control name, and user-friendly language. Additionally, an attributes table and control purpose were added in the 2022 version of ISO 27002. These two elements are not in the controls in the 2013 version.
Information security is a team sport, and as such requires all members of the organisation to be involved. However, there are a few people who can be considered “first responders” when it comes to information security events. These individuals are tasked with ensuring that the appropriate point of contact is used for reporting, that the appropriate response is taken when an event occurs, and that the event does not happen again.
Who are these first responders? The answer varies from organisation to organisation, but generally includes the following:
Chief Information Security Officer (CISO) – The CISO has overall responsibility for information security at their organisation and works closely with senior management to ensure that risks are appropriately mitigated and managed.
Information Security Manager – The information security manager is often responsible for day-to-day operations such as monitoring systems and responding to incidents (including raising tickets with other teams).
The Chief Human Resources Officer (CHRO) – The CHRO oversees all human resource issues including recruitment, employee retention, benefits management and employee training programs. They are also involved with hiring decisions and so can play a role in creating awareness among personnel with regards to security event reporting.
The ISO 27002 standard was not considerably changed, so all you need to do is ensure that your information security processes comply with the updated version.
If you already have an ISO 27001 certification, your current information security management approach will satisfy the new standards. You just need to ensure that your information security incident reporting is a core part of your business strategy.
If you’re starting from scratch, though, you’ll need to use the information in the new standard.
Please check our ISO 27002:2022 guide to learn more about how these changes to control 6.7 will affect your organisation.
ISO 27002 is a framework for information security management that helps organisations implement an effective information security management system (ISMS). This standard provides a set of requirements that can be used to develop an ISMS within your organisation.
At ISMS.online, our cloud-based platform helps you to create, maintain and audit your ISO 27001 standards-based information security management system (ISMS). It provides you with customisable templates and tools that you can use to follow the requirements of ISO 27002.
Using this platform, you can establish your ISMS according to the international standard and use the provided checklists to ensure that your information security processes are in good shape. You can also use ISMS.online for risk assessment and vulnerability assessment in order to identify weak points in your existing infrastructure which need immediate attention.
With all these tools and resources, ISMS.online can ultimately help you demonstrate compliance with ISO 27002.
Get in touch today to book a demo.
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
5.7 | New | Threat intelligence |
5.23 | New | Information security for use of cloud services |
5.30 | New | ICT readiness for business continuity |
7.4 | New | Physical security monitoring |
8.9 | New | Configuration management |
8.10 | New | Information deletion |
8.11 | New | Data masking |
8.12 | New | Data leakage prevention |
8.16 | New | Monitoring activities |
8.23 | New | Web filtering |
8.28 | New | Secure coding |
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
6.1 | 07.1.1 | Screening |
6.2 | 07.1.2 | Terms and conditions of employment |
6.3 | 07.2.2 | Information security awareness, education and training |
6.4 | 07.2.3 | Disciplinary process |
6.5 | 07.3.1 | Responsibilities after termination or change of employment |
6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
6.7 | 06.2.2 | Remote working |
6.8 | 16.1.2, 16.1.3 | Information security event reporting |
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
7.1 | 11.1.1 | Physical security perimeters |
7.2 | 11.1.2, 11.1.6 | Physical entry |
7.3 | 11.1.3 | Securing offices, rooms and facilities |
7.4 | New | Physical security monitoring |
7.5 | 11.1.4 | Protecting against physical and environmental threats |
7.6 | 11.1.5 | Working in secure areas |
7.7 | 11.2.9 | Clear desk and clear screen |
7.8 | 11.2.1 | Equipment siting and protection |
7.9 | 11.2.6 | Security of assets off-premises |
7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
7.11 | 11.2.2 | Supporting utilities |
7.12 | 11.2.3 | Cabling security |
7.13 | 11.2.4 | Equipment maintenance |
7.14 | 11.2.7 | Secure disposal or re-use of equipment |