Information Security Event Reporting - ISO 27001 Annex A Control

ISO 27001 Annex A 6.8

If staff cannot easily report what they have seen, the organisation will not hear about it.

ISO 27001 Annex A 6.8 - Information Security Event Reporting

Most information security incidents start as a small observation by someone close to the work - a phishing email that looks suspicious, a lost device, a system behaving oddly, an email sent to the wrong recipient. The control is about making sure those observations reach the right people quickly enough that the response can be effective. Lost time at the start of an incident often turns a minor event into a major one.

The mechanism needs to be obvious and easy to use. A reporting route that requires staff to dig through the intranet to find the right form will not be used. The clearest practice is a simple, well-known route - typically a single email address, a button in the email client for phishing, or a clearly publicised contact - combined with a culture where people know they will not be punished for reporting something that turns out to be a false alarm.

The control sits alongside the wider incident management process under Annex A 5.24 to 5.27. Reporting is the entry point to that process. The faster the reports come in, the faster the assessment can happen, and the more effective the response can be. Encouraging reporting, even of suspected events that may turn out to be benign, is generally better than discouraging it.

The biggest barrier to reporting is fear of getting in trouble. If staff worry that admitting they clicked on a phishing link will lead to disciplinary action, they will not report it - and the organisation only finds out when the consequences land later. The opposite culture, where prompt reporting is recognised as the right thing to do regardless of how the event started, gets significantly better information into the incident response process.

Practical Compliance Guidance

Event reporting is described in the IMS1 Manual in Section 8.2 Information Security Arrangements. The improvement request form provides the standard route for reports that do not need immediate incident handling.

alphaZ document | How to use it
ISO 27001 Toolkit | The full alphaZ ISO 27001 toolkit including the IMS1 Manual, policies, procedures, registers and audit checklists.
F-Q16 Improvement Request | The improvement request form used to capture observations, suggestions and reports of issues. Use it as the standard route for raising security observations alongside the immediate incident reporting channel.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

What should staff report?

Anything that could be relevant to information security - phishing attempts, suspicious emails, lost or stolen devices, unauthorised access attempts, unusual system behaviour, accidental disclosures, near-misses, and observations about controls that are not working as expected. It is better to over-report and let the assessment process filter than to under-report and miss something significant.

Should staff be disciplined for events they report?

The position should be that prompt and honest reporting is welcomed and is the right thing to do, regardless of how the event started. Genuine errors and near-misses should be treated as learning opportunities. The disciplinary process under A.6.4 only comes into play for deliberate or repeated breaches, not for honest mistakes that have been promptly reported.

How should the reporting route be communicated to staff?

Through induction, through awareness training, through visible reminders such as posters or intranet links, and through the People Security Policy. The route should be simple enough to remember without having to look it up - typically a single email address or contact point - and should be reinforced regularly so it stays in front of staff.
