ISO 27001:2022 A.6.8 Information security event reporting

This article provides additional information on how you can meet the requirement of ISO 27001:2022 control A.6.8, Information security event reporting.

ISO 27001:2022 Control Description

The organization shall provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner.

Purpose

To support the timely, consistent, and effective reporting of information security events that can be identified by staff.

Guidance on implementation

All staff and users should be made aware of their responsibility to report information security events as promptly as possible in order to prevent or minimise the impact of information security incidents.

They should also be informed about the procedure for reporting information security events, including the appropriate contact channels for reporting such events. The reporting mechanism should be as easy, accessible, and available as possible. Information security events include incidents, breaches, and vulnerabilities.

Situations to be considered for information security event reporting include:

a) Ineffective information security controls;

b) Breaches of information confidentiality, integrity, or availability expectations;

c) Human errors;

d) Non-compliance with the information security policy, topic-specific policies, or applicable standards;

e) Breaches of physical security measures;

f) System changes that have not undergone the change management process;

g) Malfunctions or other anomalous system behaviour of software or hardware;

h) Access violations;

i) Vulnerabilities;

j) Suspected malware infection.

Staff and users should be advised not to attempt to prove suspected information security vulnerabilities. Testing vulnerabilities can be interpreted as potential misuse of the system and may also cause damage to the information system or service, corrupting or obscuring digital evidence. Ultimately, this can result in legal liability for the individual performing the testing.