- See ISO 27002:2022 Control 6.8 for more information.
- See ISO 27001:2013 Annex A 16.1.2 for more information.
- See ISO 27001:2013 Annex A 16.1.3 for more information.
What Is ISO 27001:2022 Annex A Control 6.8?
ISO 27001:2022 Annex A 6.8 mandates that organisations create a system allowing personnel to report information security events they observe or suspect promptly and through the appropriate channels.
Information Security Events Explained
Information security breaches (also known as information security incidents) are on the rise, with growing frequency and intensity. Unfortunately, many of these occurrences go unnoticed.
Many factors can trigger information security events:
- Malicious software, such as viruses and worms, is a problem.
- Hackers gain unauthorised access to computer systems via the internet or a network of computers (“hacking”).
- Unauthorised access to computers and networks (commonly referred to as “password cracking”) is a violation of security protocols.
- Hackers who gain access to a system, or not, can illegally alter data.
- External sources infiltrating a business’s internal system to steal info or impede operations.
No matter how secure your network is, there will always be some risk of an information security event occurring. To minimise this risk, make use of various tools and techniques, such as reporting, to identify potential threats before they can cause any harm.
ISO 27001 made easy
An 81% Headstart from day one
We’ve done the hard work for you, giving you an 81% Headstart from the moment you log on. All you have to do is fill in the blanks.
What is Information Security Event Reporting?
Information security event reporting is a key component of any cyber security strategy. Implementing the best technology to protect data is one thing, but understanding what’s taking place is another.
Information security event reporting is the process of noting incidents, breaches, and other cyber-based events that happen in an organisation to examine them and devise strategies to prevent repeats from occurring. Documentation, analysis and prevention strategies are all essential elements.
Why Is Information Security Event Reporting Important?
Information security event reporting is essential for any organisation; without it, no knowledge will exist as to whether the network has been infiltrated or if other potential risks exist. Without this understanding, measures to avert future incidents cannot be put in place, nor can earlier attacks be identified and remedied.
It is essential to address any incidents quickly and effectively. Response time is essential to safeguarding the business and minimising the effects on customers and other stakeholders.
Annex A 6.8 of ISO 27001:2022 was created to accomplish this.
What Is the Purpose of ISO 27001:2022 Annex A 6.8?
The aim of ISO 27001:2022 Annex A Control 6.8 is to facilitate timely, consistent and effective reporting of information security events detected by personnel.
Ensuring that incidents are swiftly reported and documented accurately is critical to ensure incident response activities and other security management responsibilities are properly supported.
Organisations should have an information security event reporting program in line with ISO 27001:2022 Annex A Control 6.8 to detect and mitigate incidents that could affect information security. The program should enable receiving, evaluating and responding to reported incidents.
ISO 27001:2022 Annex A Control 6.8 outlines the purpose and instructions for constructing an information security event reporting system in line with the ISO 27001 framework.
This control is intended to:
- Ensure personnel promptly and consistently report information security events in an efficient and effective manner.
- Proactively detect any unauthorised access or improper use of information systems.
- Facilitate the preparation of incident response plans.
- Create a base for sustained observation activities.
Regularly review incidents and trends to detect issues before they become serious (e.g. by tracking the number of incidents or how long each incident takes) should be a key part of Annex A 6.8 implementation.
Free yourself from a mountain of spreadsheets
Embed, expand and scale your compliance, without the mess. IO gives you the resilience and confidence to grow securely.
What Is Involved and How to Meet the Requirements
ISO 27001:2022 Annex A 6.8 requires the following:
- Everyone should understand their obligation to report info security incidents promptly to stop or reduce their impact.
- The organisation must maintain a record of the contact for reporting data security incidents and ensure that the process is as simple, accessible, and available as can be.
- The organisation must keep records of information security incidents, such as incident reports, event logs, change requests, problem reports, and system documentation.
Per Annex A 6.8, events requiring information security reporting include:
- Ineffective information protection measures.
- Infringement of security expectations regarding confidentiality, integrity, or availability of data.
- Human mistakes.
- Failure to adhere to the information security policy, specific policies or relevant standards.
- Any infringements of physical security measures.
- System modifications that have not been submitted to the change management process.
- In the event of any malfunctions or other unusual system behaviour of software or hardware.
- In the event of any access violations.
- If any vulnerabilities occur.
- If it is suspected that a malware infection is present.
Moreover, it is not the responsibility of the personnel reporting to test the vulnerability or effectiveness of the information security event. It should be left to qualified personnel to handle this as it can result in legal liability for the employee.
Changes and Differences from ISO 27001:2013
Firstly, Annex A 6.8 in ISO 27001:2022 is not a new control, rather, it is a fusion of Annex A 16.1.2 and Annex A 16.1.3 in ISO 27001:2013. These two controls were revised in ISO 27001:2022 to make it more accessible than ISO 27001:2013.
Employees and contractors should be made aware of their responsibility to promptly report information security events and the process for doing so, including the contact person to which reports should be directed.
Employees and contractors should promptly report any information security weaknesses to the point of contact, in order to forestall information security incidents. The reporting system should be as straightforward, accessible, and attainable as possible.
You can observe that recommendations six and eight have been consolidated into one in the revised ISO 27001:2022.
Annex A 6.8 features two additional considerations not present in Annex A 16.1.2 and Annex A 16.1.3. These are:
- System alterations which have not been processed by the change control procedure.
- Suspected malware infection.
By the end, both iterations are quite similar. The largest differences are the alteration of the control number, control name, and language more approachable to users. Moreover, ISO 27001:2022 includes an attributes table and control purpose, features overlooked in the 2013 version.
Table of All ISO 27001:2022 Annex A Controls
In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Organisational Controls | Annex A 5.1 |
Annex A 5.1.1 Annex A 5.1.2 |
Policies for Information Security |
| Organisational Controls | Annex A 5.2 | Annex A 6.1.1 | Information Security Roles and Responsibilities |
| Organisational Controls | Annex A 5.3 | Annex A 6.1.2 | Segregation of Duties |
| Organisational Controls | Annex A 5.4 | Annex A 7.2.1 | Management Responsibilities |
| Organisational Controls | Annex A 5.5 | Annex A 6.1.3 | Contact With Authorities |
| Organisational Controls | Annex A 5.6 | Annex A 6.1.4 | Contact With Special Interest Groups |
| Organisational Controls | Annex A 5.7 | NEW | Threat Intelligence |
| Organisational Controls | Annex A 5.8 |
Annex A 6.1.5 Annex A 14.1.1 |
Information Security in Project Management |
| Organisational Controls | Annex A 5.9 |
Annex A 8.1.1 Annex A 8.1.2 |
Inventory of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.10 |
Annex A 8.1.3 Annex A 8.2.3 |
Acceptable Use of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.11 | Annex A 8.1.4 | Return of Assets |
| Organisational Controls | Annex A 5.12 | Annex A 8.2.1 | Classification of Information |
| Organisational Controls | Annex A 5.13 | Annex A 8.2.2 | Labelling of Information |
| Organisational Controls | Annex A 5.14 |
Annex A 13.2.1 Annex A 13.2.2 Annex A 13.2.3 |
Information Transfer |
| Organisational Controls | Annex A 5.15 |
Annex A 9.1.1 Annex A 9.1.2 |
Access Control |
| Organisational Controls | Annex A 5.16 | Annex A 9.2.1 | Identity Management |
| Organisational Controls | Annex A 5.17 |
Annex A 9.2.4 Annex A 9.3.1 Annex A 9.4.3 |
Authentication Information |
| Organisational Controls | Annex A 5.18 |
Annex A 9.2.2 Annex A 9.2.5 Annex A 9.2.6 |
Access Rights |
| Organisational Controls | Annex A 5.19 | Annex A 15.1.1 | Information Security in Supplier Relationships |
| Organisational Controls | Annex A 5.20 | Annex A 15.1.2 | Addressing Information Security Within Supplier Agreements |
| Organisational Controls | Annex A 5.21 | Annex A 15.1.3 | Managing Information Security in the ICT Supply Chain |
| Organisational Controls | Annex A 5.22 |
Annex A 15.2.1 Annex A 15.2.2 |
Monitoring, Review and Change Management of Supplier Services |
| Organisational Controls | Annex A 5.23 | NEW | Information Security for Use of Cloud Services |
| Organisational Controls | Annex A 5.24 | Annex A 16.1.1 | Information Security Incident Management Planning and Preparation |
| Organisational Controls | Annex A 5.25 | Annex A 16.1.4 | Assessment and Decision on Information Security Events |
| Organisational Controls | Annex A 5.26 | Annex A 16.1.5 | Response to Information Security Incidents |
| Organisational Controls | Annex A 5.27 | Annex A 16.1.6 | Learning From Information Security Incidents |
| Organisational Controls | Annex A 5.28 | Annex A 16.1.7 | Collection of Evidence |
| Organisational Controls | Annex A 5.29 |
Annex A 17.1.1 Annex A 17.1.2 Annex A 17.1.3 |
Information Security During Disruption |
| Organisational Controls | Annex A 5.30 | NEW | ICT Readiness for Business Continuity |
| Organisational Controls | Annex A 5.31 |
Annex A 18.1.1 Annex A 18.1.5 |
Legal, Statutory, Regulatory and Contractual Requirements |
| Organisational Controls | Annex A 5.32 | Annex A 18.1.2 | Intellectual Property Rights |
| Organisational Controls | Annex A 5.33 | Annex A 18.1.3 | Protection of Records |
| Organisational Controls | Annex A 5.34 | Annex A 18.1.4 | Privacy and Protection of PII |
| Organisational Controls | Annex A 5.35 | Annex A 18.2.1 | Independent Review of Information Security |
| Organisational Controls | Annex A 5.36 |
Annex A 18.2.2 Annex A 18.2.3 |
Compliance With Policies, Rules and Standards for Information Security |
| Organisational Controls | Annex A 5.37 | Annex A 12.1.1 | Documented Operating Procedures |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| People Controls | Annex A 6.1 | Annex A 7.1.1 | Screening |
| People Controls | Annex A 6.2 | Annex A 7.1.2 | Terms and Conditions of Employment |
| People Controls | Annex A 6.3 | Annex A 7.2.2 | Information Security Awareness, Education and Training |
| People Controls | Annex A 6.4 | Annex A 7.2.3 | Disciplinary Process |
| People Controls | Annex A 6.5 | Annex A 7.3.1 | Responsibilities After Termination or Change of Employment |
| People Controls | Annex A 6.6 | Annex A 13.2.4 | Confidentiality or Non-Disclosure Agreements |
| People Controls | Annex A 6.7 | Annex A 6.2.2 | Remote Working |
| People Controls | Annex A 6.8 |
Annex A 16.1.2 Annex A 16.1.3 |
Information Security Event Reporting |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Physical Controls | Annex A 7.1 | Annex A 11.1.1 | Physical Security Perimeters |
| Physical Controls | Annex A 7.2 |
Annex A 11.1.2 Annex A 11.1.6 |
Physical Entry |
| Physical Controls | Annex A 7.3 | Annex A 11.1.3 | Securing Offices, Rooms and Facilities |
| Physical Controls | Annex A 7.4 | NEW | Physical Security Monitoring |
| Physical Controls | Annex A 7.5 | Annex A 11.1.4 | Protecting Against Physical and Environmental Threats |
| Physical Controls | Annex A 7.6 | Annex A 11.1.5 | Working In Secure Areas |
| Physical Controls | Annex A 7.7 | Annex A 11.2.9 | Clear Desk and Clear Screen |
| Physical Controls | Annex A 7.8 | Annex A 11.2.1 | Equipment Siting and Protection |
| Physical Controls | Annex A 7.9 | Annex A 11.2.6 | Security of Assets Off-Premises |
| Physical Controls | Annex A 7.10 |
Annex A 8.3.1 Annex A 8.3.2 Annex A 8.3.3 Annex A 11.2.5 |
Storage Media |
| Physical Controls | Annex A 7.11 | Annex A 11.2.2 | Supporting Utilities |
| Physical Controls | Annex A 7.12 | Annex A 11.2.3 | Cabling Security |
| Physical Controls | Annex A 7.13 | Annex A 11.2.4 | Equipment Maintenance |
| Physical Controls | Annex A 7.14 | Annex A 11.2.7 | Secure Disposal or Re-Use of Equipment |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Technological Controls | Annex A 8.1 |
Annex A 6.2.1 Annex A 11.2.8 |
User Endpoint Devices |
| Technological Controls | Annex A 8.2 | Annex A 9.2.3 | Privileged Access Rights |
| Technological Controls | Annex A 8.3 | Annex A 9.4.1 | Information Access Restriction |
| Technological Controls | Annex A 8.4 | Annex A 9.4.5 | Access to Source Code |
| Technological Controls | Annex A 8.5 | Annex A 9.4.2 | Secure Authentication |
| Technological Controls | Annex A 8.6 | Annex A 12.1.3 | Capacity Management |
| Technological Controls | Annex A 8.7 | Annex A 12.2.1 | Protection Against Malware |
| Technological Controls | Annex A 8.8 |
Annex A 12.6.1 Annex A 18.2.3 |
Management of Technical Vulnerabilities |
| Technological Controls | Annex A 8.9 | NEW | Configuration Management |
| Technological Controls | Annex A 8.10 | NEW | Information Deletion |
| Technological Controls | Annex A 8.11 | NEW | Data Masking |
| Technological Controls | Annex A 8.12 | NEW | Data Leakage Prevention |
| Technological Controls | Annex A 8.13 | Annex A 12.3.1 | Information Backup |
| Technological Controls | Annex A 8.14 | Annex A 17.2.1 | Redundancy of Information Processing Facilities |
| Technological Controls | Annex A 8.15 |
Annex A 12.4.1 Annex A 12.4.2 Annex A 12.4.3 |
Logging |
| Technological Controls | Annex A 8.16 | NEW | Monitoring Activities |
| Technological Controls | Annex A 8.17 | Annex A 12.4.4 | Clock Synchronization |
| Technological Controls | Annex A 8.18 | Annex A 9.4.4 | Use of Privileged Utility ProgramsAccess Rights |
| Technological Controls | Annex A 8.19 |
Annex A 12.5.1 Annex A 12.6.2 |
Installation of Software on Operational Systems |
| Technological Controls | Annex A 8.20 | Annex A 13.1.1 | Networks Security |
| Technological Controls | Annex A 8.21 | Annex A 13.1.2 | Security of Network Services |
| Technological Controls | Annex A 8.22 | Annex A 13.1.3 | Segregation of Networks |
| Technological Controls | Annex A 8.23 | NEW | Web filtering |
| Technological Controls | Annex A 8.24 |
Annex A 10.1.1 Annex A 10.1.2 |
Use of Cryptography |
| Technological Controls | Annex A 8.25 | Annex A 14.2.1 | Secure Development Life Cycle |
| Technological Controls | Annex A 8.26 |
Annex A 14.1.2 Annex A 14.1.3 |
Application Security Requirements |
| Technological Controls | Annex A 8.27 | Annex A 14.2.5 | Secure System Architecture and Engineering PrinciplesLearning From Information Security Incidents |
| Technological Controls | Annex A 8.28 | NEW | Secure Coding |
| Technological Controls | Annex A 8.29 |
Annex A 14.2.8 Annex A 14.2.9 |
Security Testing in Development and Acceptance |
| Technological Controls | Annex A 8.30 | Annex A 14.2.7 | Outsourced Development |
| Technological Controls | Annex A 8.31 |
Annex A 12.1.4 Annex A 14.2.6 |
Separation of Development, Test and Production Environments |
| Technological Controls | Annex A 8.32 |
Annex A 12.1.2 Annex A 14.2.2 Annex A 14.2.3 Annex A 14.2.4 |
Change Management |
| Technological Controls | Annex A 8.33 | Annex A 14.3.1 | Test Information |
| Technological Controls | Annex A 8.34 | Annex A 12.7.1 | Protection of Information Systems During Audit Testing |
Who Is in Charge of This Process?
Information security is a collaborative effort and all members of the organisation should be involved. Nevertheless, there are several individuals who act as the first line of defence during security events. These people are responsible for ascertaining the right contact for reporting and managing the response to the event in order to prevent any recurrence.
Who are the first responders? This varies depending on the organisation, but typically includes:
The Chief Information Security Officer (CISO) is accountable for the security of information at their organisation. They work in conjunction with senior management to effectively reduce and manage any risks.
The Information Security Manager routinely oversees daily activities, such as monitoring of systems and dealing with incidents, including the filing of tickets with other teams.
The Chief Human Resources Officer (CHRO) has overall responsibility for human resource issues, covering recruitment, employee retention, benefits management, and employee training programs. They play a key role in making hiring decisions and fostering awareness among personnel about security event reporting.
[case_study_slider ids=”88859,101932,92016″ autoplay=”true” autoplay_speed=”5000″]
What Do These Changes Mean for You?
To comply with the ISO 27001:2022 revison, simply ensure your information security processes remain up-to-date. No substantial changes were made.
If you have acquired an ISO 27001 certification, your current approach to information security management should conform to the new standards. Verify that information security incident reporting is incorporated into your company’s strategy.
Beginning anew, you’ll have to refer to the details provided in the revised standard.
Refer to our ISO 27001:2022 guide for more information on how Annex A 6.8 amendments will impact your business.
How ISMS.Online Helps
ISO 27001 is a framework for information security management that assists organisations in establishing a successful ISMS. This standard outlines requirements for constructing an ISMS within an organisation.
At ISMS.online, our cloud-based platform assists in constructing, sustaining and assessing an ISO 27001 standards-based Information Security Management System (ISMS). We offer customisable templates and tools to comply with ISO 27001 regulations.
This platform allows you to construct an ISMS that adheres to the international standard and utilise the checklists supplied to guarantee your information security management is up to standard. Moreover, you can exploit ISMS.online for risk and vulnerability assessment to detect any weak points in your existing infrastructure that require urgent attention.
ISMS.online provides the resources to demonstrate adherence to ISO 27001. Utilising these tools, you can prove compliance with the internationally recognised standard.
Contact us now to reserve a demonstration.
