In the world of information security, the faster you know about a problem, the faster you can stop it from becoming a disaster. When ISO 27001 moved from the 2013 version to the 2022 update, the way these “problems”, or events, are reported received a much-needed overhaul. Annex A 6.8: Information Security Event Reporting is the new home for how your team tells you when something doesn’t look quite right.
The Consolidation: From 16.1.2 and 16.1.3 to 6.8
If you were working with the ISO 27001:2013 standard, you likely remember two separate requirements: Control 16.1.2 (Reporting information security events) and Control 16.1.3 (Reporting security weaknesses). These were part of the old “Information Security Incident Management” domain.
In the 2022 update, these two have been merged into a single, streamlined control: Annex A 6.8. This consolidation acknowledges that for an employee on the front lines, the distinction between an “event” and a “weakness” is often academic. The goal is simply to get them to report it. According to the experts at Hightable.io, this merger simplifies the reporting process for staff, moving away from technical jargon and toward a single “front door” for all security observations.
Moving to “People Controls”
The biggest structural change is the reclassification of this control into the People Controls theme. In 2013, reporting was seen as a technical incident management step. In 2022, it is recognized as a human behavior.
As noted by Hightable.io, placing this under “People” emphasizes that your strongest detective tool isn’t a firewall; it’s your employees. By reclassifying it this way, the standard encourages organizations to build a “no-blame” culture where staff feel empowered to report suspected malware or an unlocked door without fear of repercussions.
What is New in Annex A 6.8?
While the core objective, reporting events promptly, remains the same, the 2022 version introduces several modern considerations that weren’t as explicit in 2013:
- Suspected Malware: The 2022 version is much more specific about reporting suspected malware infections as a primary event type.
- Unprocessed System Alterations: A new focus has been placed on reporting changes to systems that didn’t go through the formal change control process.
- Simplified Language: The redrafted guidance is more user-friendly, moving away from the complex administrative requirements of the 2013 version and focusing on the mechanism of reporting.
The Role of Attributes
A key feature of the ISO 27001:2022 standard is the introduction of attributes. For Annex A 6.8, this control is now officially tagged as a Detective control. This helps security managers explain to auditors that while training (6.3) is preventive, event reporting is the mechanism used to detect that a risk has materialized.
Hightable.io highlights that these attributes (Confidentiality, Integrity, and Availability) allow you to map your reporting directly to your risk treatment plan. It proves that your reporting system is designed to catch threats to all three pillars of information security.
Practical Implementation: Making it Easy
The 2022 update places a high premium on accessibility. If the reporting process is hard, people won’t use it. To comply with the new standard, your reporting mechanism should be:
- Visible: Everyone should know exactly who to tell.
- Multiple Channels: Whether it’s a dedicated email address, a web form, or a telephone hotline, providing options increases the likelihood of a report.
- Fast: The 2022 version emphasizes reporting “at the first opportunity.” This is especially critical for meeting regulatory timelines like the 72-hour window required by GDPR.

What Will an Auditor Look For?
When transitioning from 2013 to 2022, your auditor will be looking for a paper trail of culture as much as policy. They will typically check for:
- The Event Log: A clear record of what was reported, when, and by whom.
- Feedback Loops: Evidence that when someone reported an event, they were told what happened next. This “closing of the loop” is a major focus in the 2022 guidance.
- “If in Doubt, Report” Message: Proof that your training and communications encourage reporting even if the event turns out to be a false alarm.
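As an added illustration (not code from the original post or from Hightable.io), here is a minimal Python register that models the evidence listed above: what was reported, when, by whom, whether the reporter was told the outcome, and which unresolved reports have run past a regulatory window such as the 72-hour one mentioned earlier. The event categories, field names and sample reports are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Event categories drawn from the 6.8 guidance discussed above; labels are illustrative.
EVENT_TYPES = {"suspected_malware", "unprocessed_change", "weakness", "other"}

@dataclass
class EventReport:
    report_id: str
    reported_by: str                      # by whom
    reported_at: datetime                 # when
    event_type: str                       # what
    description: str
    feedback_at: Optional[datetime] = None  # when the reporter was told the outcome
    outcome: Optional[str] = None           # e.g. "confirmed" or "false alarm"

class EventRegister:
    """Single front door: every observation is logged, event or weakness alike."""
    def __init__(self):
        self.reports = {}

    def report(self, report_id, reported_by, reported_at, event_type, description):
        if event_type not in EVENT_TYPES:
            raise ValueError(f"unknown event type: {event_type}")
        self.reports[report_id] = EventReport(report_id, reported_by, reported_at, event_type, description)
        return self.reports[report_id]

    def close_loop(self, report_id, feedback_at, outcome):
        # Closing the loop: the reporter hears what happened, even for a false alarm.
        r = self.reports[report_id]
        r.feedback_at, r.outcome = feedback_at, outcome

    def open_loops(self):
        return [r.report_id for r in self.reports.values() if r.feedback_at is None]

    def past_deadline(self, now, window=timedelta(hours=72)):
        # Unresolved reports older than the window (72 hours mirrors the GDPR clock).
        return [r.report_id for r in self.reports.values()
                if r.feedback_at is None and now - r.reported_at > window]

def demo():
    # Constructed sample data: three reports, one of which has had feedback.
    reg = EventRegister()
    reg.report("EV-1", "alice", datetime(2026, 1, 5, 9, 0), "suspected_malware", "Odd popup after opening attachment")
    reg.report("EV-2", "bob", datetime(2026, 1, 5, 10, 30), "unprocessed_change", "Service config changed with no ticket")
    reg.report("EV-3", "carol", datetime(2026, 1, 7, 8, 0), "weakness", "Server room door left unlocked")
    reg.close_loop("EV-1", datetime(2026, 1, 5, 11, 0), "false alarm, browser notification")
    now = datetime(2026, 1, 9, 12, 0)
    return reg, reg.open_loops(), reg.past_deadline(now)

if __name__ == "__main__":
    reg, open_ids, late = demo()
    print("open loops:", open_ids, "past 72h:", late)
```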
Why the Change Matters
The update to Annex A 6.8 reflects the reality of the modern threat landscape. In 2013, we were worried about servers. In 2026, we are worried about phishing, social engineering, and rapid ransomware. By merging event and weakness reporting into a single People Control, ISO 27001:2022 ensures that your staff are the eyes and ears of your organization.
As suggested by Hightable.io, the best way to move forward is to update your incident management policy to reflect the new 6.8 terminology and ensure your reporting “triggers” are simple and clear. This doesn’t just pass an audit; it transforms your security posture from reactive to proactive.
