ISO 27002:2022, Control 6.8 – Information Security Event Reporting

ISO 27002:2022 Revised Controls

Book a demo

double,exposure,of,business,man,hand,working,on,blank,screen

What Is Control 6.8?

Control 6.8 covers the need for organisations to create a system for personnel to report observed or suspected information security events through appropriate channels, and on time.

Information Security Events Explained

Information security events (also known as information security incidents) are situations in which information security is breached. The frequency and impact of such events are increasing, but the majority of them go unreported.

Information security events can be caused by many things:

  • Malicious software (malware), including viruses and worms.
  • Hackers accessing computer systems via the internet or network of computers (“hacking”).
  • Unauthorised access to computers and networks (“password cracking”).
  • Unauthorised modification of data by hackers, whether they have gained access to a system or not.
  • Infiltration of a company’s internal network by outside sources in order to steal information or disrupt operations.

An important thing to remember is that no matter how secure your network is, there will always be some risk of an information security event occurring. The goal is to minimise these risks as much as possible by using various tools and techniques, including reporting, to identify potential threats before they can cause damage.

What is Information Security Event Reporting?

Information security event reporting is a critical part of any cyber security plan. It’s one thing to have the best technology in place to protect your data, but it’s another thing entirely to know what’s happening with it.

Information security event reporting can be defined as the process of documenting incidents, breaches and other events related to cyber threats that occur within an organisation for the purposes of analysing them for future prevention and detection. In addition to recording these events, it’s also important to analyse them in order to develop strategies for preventing future incidents from happening.

Why Is Information Security Event Reporting Important?

Information security event reporting is important because without it, you won’t have any way of knowing if your network has been hacked or if there are any other potential threats facing your organisation. Without this knowledge, you won’t know how to prevent future attacks from occurring again—or even if there have been previous attacks that need addressing.

Information security events are a critical part of any organisation’s response to an incident. The speed with which you can respond to an incident is often critical for both protecting your business and limiting the impact on customers and other stakeholders.

This is what control 6.8 of ISO 27002:2022 is designed to achieve.

Get a Headstart on ISO 27001
  • All updated with the 2022 control set
  • Make 81% progress from the minute you log in
  • Simple and easy to use
Book your demo
img

Attributes Table

Attributes are used to classify controls. Using these, you can easily match your control choice with regularly used industry phrases and requirements. The attributes in control 6.8 are as follows.

Control Type Information Security Properties Cybersecurity Concepts Operational Capabilities Security Domains
#Detective#Confidentiality
#Integrity
#Availability
#Detect#Information Security Event Management #Defence

What Is the Purpose of Control 6.8?

The purpose of Control 6.8 – Information Security Event Reporting is to support timely, consistent and effective reporting of information security events that can be identified by personnel.

This is to ensure that information security events are reported in a timely manner and that the information is recorded accurately to support incident response activities and other security management responsibilities.

Information security event reporting is the process of documenting and logging information security events that occur in an organisation. Control 6.8 recommends that organisations need to have an information security event reporting program, which will facilitate the process of receiving, assessing and responding to reports of incidents which have a potential impact on information security for the purposes of detecting incidents and mitigating adverse effects.

Control 6.8 covers the purpose and implementation guidance for creating an information security event reporting system according to the framework as defined by ISO 27001.

This control is designed to:

  • Support timely, consistent and effective reporting of information security events that can be identified by personnel.
  • Proactively detect unauthorised access or misuse of information systems.
  • Facilitate incident response planning.
  • Provide a foundation for continuous monitoring activities.

Regular review of incidents and trends in order to identify problems before they become major incidents (for example, by monitoring the number of incidents or the time required for each incident) should also be a core component of control 6.8 implementation.

What Is Involved and How to Meet the Requirements

The following are some of the basic requirements for Control 6.8:

  • All personnel and users should be made aware of their responsibility to report information security events as quickly as possible in order to prevent or minimise the effect of information security incidents.
  • The organisation shall have a documented point of contact for reporting information security incidents to appropriate parties. The reporting mechanism should be as easy, accessible and available as possible.
  • The organisation shall maintain documentation of information security events, including incident reports, event logs, change requests, problem reports and system documentation.

According to control 6.8, situations to be considered for information security event reporting include:

  1. Ineffective information security controls.
  2. Breach of information confidentiality, integrity or availability expectations.
  3. Human errors.
  4. Non-compliance with the information security policy, topic-specific policies or applicable standards.
  5. Breaches of physical security measures.
  6. System changes that have not gone through the change management process.
  7. Malfunctions or other anomalous system behaviour of software or hardware.
  8. Access violations.
  9. Vulnerabilities.
  10. Suspected malware infection.

It is also important to point out here that it is not the place of the personnel reporting to test the vulnerability or effectiveness of the information security event. This can lead to legal liabilities for the employee and so should be left for qualified personnel to handle.

More details on the implementation guidelines can be found in the revised ISO 27002:2022.

Get a Headstart
on ISO 27002

The only compliance
solution you need
Book your demo

Updated for ISO 27001 2022
  • 81% of the work done for you
  • Assured Results Method for certification success
  • Save time, money and hassle
Book your demo
img

Changes and Differences from ISO 27002:2013

In the first place, control 6.8 in ISO 27002:2022 is not a new control, rather, it is a combination of controls 16.1.2 and 16.1.3 in ISO 27002:2013. These two controls were revised in ISO 27002:2022 to make it more user-friendly to that of ISO 27002:2013.

Control 16.1.2 Reporting information security events talks about employees and contractors being made aware of their responsibility to report information security events as quickly as possible. They should also be aware of the procedure for reporting information security events and the point of contact to which the events should be reported.

Control 16.1.3 Reporting information security weaknesses recommends that all employees and contractors should report these matters to the point of contact as quickly as possible in order to prevent information security incidents. The reporting mechanism should be as easy, accessible and available as possible.

As you can see, these two recommendations were merged together into one in control 6.8 in the updated version of ISO 27002.

Two considerations were also added in control 6.8 that are missing in both control 16.1.2 and 16.1.3. These are:

  • System changes that have not gone through the change management process.
  • Suspected malware infection.

At the end of the day, both versions are somewhat similar. The main changes are the change in control number, the change in control name, and user-friendly language. Additionally, an attributes table and control purpose were added in the 2022 version of ISO 27002. These two elements are not in the controls in the 2013 version.

Who Is in Charge of This Process?

Information security is a team sport, and as such requires all members of the organisation to be involved. However, there are a few people who can be considered “first responders” when it comes to information security events. These individuals are tasked with ensuring that the appropriate point of contact is used for reporting, and that the appropriate response is taken when an event occurs and ensuring that it does not happen again.

Who are these first responders? The answer varies from organisation to organisation, but generally includes the following:

Chief Information Security Officer (CISO) – The CISO has overall responsibility for information security at their organisation and works closely with senior management to ensure that risks are appropriately mitigated and managed.

Information Security Manager – The information security manager is often responsible for day-to-day operations such as monitoring systems and responding to incidents (including raising tickets with other teams).

The Chief Human Resources Officer (CHRO) – The CHRO oversees all human resource issues including recruitment, employee retention, benefits management and employee training programs. They are also involved with hiring decisions and so can play a role in creating awareness among personnel with regards to security event reporting.

What Do These Changes Mean for You?

The ISO 27002 standard was not considerably changed, therefore all you need to do is ensure that your information security processes are in compliance with the upgrade.

If you already have an ISO 27001 certification, your current information security management approach will satisfy the new standards. You just need to ensure that your information security incident reporting is a core part of your business strategy.

If you’re starting from scratch, though, you’ll need to use the information in the new standard.

Please check our ISO 27002:2022 guide to learn more about how these changes to control 6.7 will affect your organisation.

How ISMS.Online Helps

ISO 27002 is a framework for information security management that helps organisations implement an effective information security management system (ISMS). This standard provides a set of requirements that can be used to develop an ISMS within your organisation.

At ISMS.online, our cloud-based platform helps you to create, maintain and audit your ISO 27001 standards-based information security management system (ISMS). It provides you with customisable templates and tools that you can use to follow the requirements of ISO 27002.

Using this platform, you can establish your ISMS according to the international standard and use the provided checklists to ensure that your information security processes are in good shape. You can also use ISMS.online for risk assessment and vulnerability assessment in order to identify weak points in your existing infrastructure which need immediate attention.

With all these tools and resources, ISMS.online can ultimately help you demonstrate compliance with ISO 27002.

Get in touch today to book a demo.

Are you ready for
the new ISO 27002

We’ll give you an 81% headstart
from the moment you log in
Book your demo

New Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
5.7NewThreat intelligence
5.23NewInformation security for use of cloud services
5.30NewICT readiness for business continuity
7.4NewPhysical security monitoring
8.9NewConfiguration management
8.10NewInformation deletion
8.11NewData masking
8.12NewData leakage prevention
8.16NewMonitoring activities
8.23NewWeb filtering
8.28NewSecure coding

Organisational Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
5.105.1.1, 05.1.2Policies for information security
5.206.1.1Information security roles and responsibilities
5.306.1.2Segregation of duties
5.407.2.1Management responsibilities
5.506.1.3Contact with authorities
5.606.1.4Contact with special interest groups
5.7NewThreat intelligence
5.806.1.5, 14.1.1Information security in project management
5.908.1.1, 08.1.2Inventory of information and other associated assets
5.1008.1.3, 08.2.3Acceptable use of information and other associated assets
5.1108.1.4Return of assets
5.12 08.2.1Classification of information
5.1308.2.2Labelling of information
5.1413.2.1, 13.2.2, 13.2.3Information transfer
5.1509.1.1, 09.1.2Access control
5.1609.2.1Identity management
5.17 09.2.4, 09.3.1, 09.4.3Authentication information
5.1809.2.2, 09.2.5, 09.2.6Access rights
5.1915.1.1Information security in supplier relationships
5.2015.1.2Addressing information security within supplier agreements
5.2115.1.3Managing information security in the ICT supply chain
5.2215.2.1, 15.2.2Monitoring, review and change management of supplier services
5.23NewInformation security for use of cloud services
5.2416.1.1Information security incident management planning and preparation
5.2516.1.4Assessment and decision on information security events
5.2616.1.5Response to information security incidents
5.2716.1.6Learning from information security incidents
5.2816.1.7Collection of evidence
5.2917.1.1, 17.1.2, 17.1.3Information security during disruption
5.30NewICT readiness for business continuity
5.3118.1.1, 18.1.5Legal, statutory, regulatory and contractual requirements
5.3218.1.2Intellectual property rights
5.3318.1.3Protection of records
5.3418.1.4Privacy and protection of PII
5.3518.2.1Independent review of information security
5.3618.2.2, 18.2.3Compliance with policies, rules and standards for information security
5.3712.1.1Documented operating procedures

People Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
6.107.1.1Screening
6.207.1.2Terms and conditions of employment
6.307.2.2Information security awareness, education and training
6.407.2.3Disciplinary process
6.507.3.1Responsibilities after termination or change of employment
6.613.2.4Confidentiality or non-disclosure agreements
6.706.2.2Remote working
6.816.1.2, 16.1.3Information security event reporting

Physical Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
7.111.1.1Physical security perimeters
7.211.1.2, 11.1.6Physical entry
7.311.1.3Securing offices, rooms and facilities
7.4NewPhysical security monitoring
7.511.1.4Protecting against physical and environmental threats
7.611.1.5Working in secure areas
7.711.2.9Clear desk and clear screen
7.811.2.1Equipment siting and protection
7.911.2.6Security of assets off-premises
7.1008.3.1, 08.3.2, 08.3.3, 11.2.5Storage media
7.1111.2.2Supporting utilities
7.1211.2.3Cabling security
7.1311.2.4Equipment maintenance
7.1411.2.7Secure disposal or re-use of equipment

Technological Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
8.106.2.1, 11.2.8User endpoint devices
8.209.2.3Privileged access rights
8.309.4.1Information access restriction
8.409.4.5Access to source code
8.509.4.2Secure authentication
8.612.1.3Capacity management
8.712.2.1Protection against malware
8.812.6.1, 18.2.3Management of technical vulnerabilities
8.9NewConfiguration management
8.10NewInformation deletion
8.11NewData masking
8.12NewData leakage prevention
8.1312.3.1Information backup
8.1417.2.1Redundancy of information processing facilities
8.1512.4.1, 12.4.2, 12.4.3Logging
8.16NewMonitoring activities
8.1712.4.4Clock synchronization
8.1809.4.4Use of privileged utility programs
8.1912.5.1, 12.6.2Installation of software on operational systems
8.2013.1.1Networks security
8.2113.1.2Security of network services
8.2213.1.3Segregation of networks
8.23NewWeb filtering
8.2410.1.1, 10.1.2Use of cryptography
8.2514.2.1Secure development life cycle
8.2614.1.2, 14.1.3Application security requirements
8.2714.2.5Secure system architecture and engineering principles
8.28NewSecure coding
8.2914.2.8, 14.2.9Security testing in development and acceptance
8.3014.2.7Outsourced development
8.3112.1.4, 14.2.6Separation of development, test and production environments
8.3212.1.2, 14.2.2, 14.2.3, 14.2.4Change management
8.3314.3.1Test information
8.3412.7.1Protection of information systems during audit testing
Trusted by companies everywhere
  • Simple and easy to use
  • Designed for ISO 27001 success
  • Saves you time and money
Book your demo
img

Explore ISMS.online's platform with a self-guided tour - Start Now