The basics
ISO 27001 control A.6.8 Information security event reporting requires companies to enable people to report security events and incidents as quickly as possible, in order to prevent or limit larger damage.
Documentation
ISO 27001 control A.6.8 Information security event reporting can be documented:
- for smaller and mid-size companies by writing an Incident Management Procedure
- for larger companies by writing a Procedure for Security Event Reporting
These procedures are not mandatory but are recommended.
Implementation
In order to comply with control A.6.8 Information security event reporting you might implement the following:
- Technology — the technology for event reporting could include software, hardware, networks, or communication means. Smaller companies will probably be able to report events through phone calls, messaging applications, or other means of communication, whereas larger companies probably need software that centralizes reports from all available channels and routes each one to the personnel responsible for handling it.
- Organization/processes — you should set up a process that defines the proper channels for reporting security events, to whom such reports need to be sent, and which information should be reported. You can document this process in an Incident Management Procedure or a Procedure for Security Event Reporting.
- People — make employees aware of why reporting security events is needed, and train them on how to identify and report a security event.
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.6.8 Information security event reporting: whether relevant people are notified about security events and incidents in a timely fashion.