Welcome to your guide on implementing one of the most practical controls in the ISO 27001 standard. As a certification body, we see many organisations overcomplicate this process. We are here to help you keep it simple and effective. Annex A 6.8 is titled Reporting information security events. In plain English, this is the “see something, say something” rule of information security.
We will walk you through what this control means, how to set it up, and exactly what an auditor from a body like iso27001.com will look for during your audit.
Understanding the Basics of Annex A 6.8
The core requirement of Annex A 6.8 is straightforward. You must provide a way for your employees and contractors to report observed or suspected information security events. You must also ensure they report these events as quickly as possible.
It is important to note the difference between an event and an incident. An event is something odd or unusual that might be a problem. An incident is an event that has been confirmed as a breach or a failure. This control focuses on the reporting of events. You want your staff to report the odd things they see before those things become full disasters.
Why This Control Matters
You cannot fix a security problem if you do not know it exists. Your staff are your eyes and ears. They are the ones who will see a strange email in their inbox or notice a door that does not lock properly. If they do not tell you, the risk remains. Implementing this control reduces the time between a potential breach occurring and your team reacting to it.
Step-by-Step Implementation Guide
Implementing this control does not require expensive software. It requires clear communication and a defined process. Here is how you should approach it.
Define What Needs to be Reported
Your team cannot report security events if they do not know what one looks like. You must give them examples. Common examples include receiving a phishing email, losing a company laptop, seeing an unknown person in the office, or noticing that a computer is running unusually slowly. You should list these examples in your topic-specific policy.
Establish Reporting Channels
You must make it easy for people to report issues. If the process is hard, people will ignore the problem. You should set up a dedicated email address, such as security@yourcompany.com, or use a service desk ticket system. Ensure the channel is available to everyone. We often recommend having a backup method, like a phone number, for urgent issues.
Create the Procedure
You need a documented process. This document should state who reports the event, who receives the report, and what happens next. The person receiving the report is usually the Information Security Manager or a service desk agent. We have excellent templates for these procedures available at iso27001.com that can save you time.
Train Your Staff
Once the process is defined, you must tell your staff about it. You should include this in your induction training for new joiners. You should also send regular reminders. If an auditor asks a random employee how to report a lost USB drive, that employee must know the answer immediately.
What We Expect During an Audit
As your certification body, we are looking for evidence that this system works in real life. We do not just want to see a policy document sitting on a shelf. Here is what we expect to see when we visit you.
Evidence of Communication
We will ask to see how you informed your staff about the reporting process. This could be emails, training logs, or pages on your intranet. We want to verify that everyone knows their responsibility to report events.
A Log of Reported Events
We expect to see a log or register of events that have been reported. If you tell us that you have had zero security events in the last year, we will be suspicious. It is statistically unlikely. We would rather see twenty reported events that turned out to be false alarms than see an empty log. An empty log suggests your culture discourages reporting.
Staff Awareness
We will interview your staff. We will ask them simple questions. “What would you do if you received a suspicious email?” “Who do you call if you lose your phone?” Their answers tell us if the control is effective. If they hesitate or do not know, it will be raised as a non-conformity.

Common Mistakes to Avoid
We see the same errors repeated in many audits. You can avoid them by being aware of them now.
- Blaming the messenger: If you punish people for reporting mistakes, they will stop reporting them. You must encourage a “no blame” culture for reporting.
- Complicated forms: Do not make staff fill out a ten-page form to report a strange email. They will not do it. Keep it simple.
- Ignoring reports: If staff report issues and never hear back, they assume you do not care. You should always acknowledge receipt of a report.
Final Thoughts
Implementing Annex A 6.8 is about building a culture of vigilance. It connects your technical security measures with the human element of your organisation. By making it easy and safe for staff to speak up, you significantly improve your security posture.
If you need further guidance on templates or the certification process, visit us at iso27001.com. We are here to guide you through your journey to certification.
