Requirement
Requirement lens
This control makes event reporting visible and usable. Personnel need a clear channel and must report observed or suspected events quickly.
“The organization shall provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner.”
Plain-language meaning
People need to know what might be a security event, how to report it, who to report it to, and what not to do. Reporting should be fast, simple, and no-blame enough that people do not hide mistakes.
Events are not only IT problems. An open safe, lost paper record, misdirected salary slip, suspicious visitor, strange system behavior, lost phone, or attempted social engineering can all matter.
Why this matters
Unreported events cause damage to grow. They also distort risk assessment because the organization thinks fewer events are happening than reality.
Minor events can reveal weak controls. If staff quietly fix or ignore them, the organization loses the chance to correct root causes before a major incident occurs.
Implementation guidance
Implementer focus
Build reporting into culture, training, forms, contact points, and incident management. Make it easy to report and hard to ignore.
1. Define what should be reported
Personnel should understand examples of reportable events and weaknesses.
Examples:
- lost or stolen device, document, badge, or media;
- misdirected email, file, or paper record;
- suspected phishing or social engineering;
- malware alert or unusual system behavior;
- unauthorized access attempt;
- open safe, unlocked cabinet, or exposed sensitive paper;
- wrong recipient receiving personal or confidential information;
- unavailable critical service;
- suspected policy violation;
- discovered vulnerability or weakness.
The definition should include physical, human, paper-based, verbal, supplier, and technical events.
2. Provide clear reporting channels
Channels may include:
- service desk;
- security mailbox;
- hotline or phone number;
- ticketing system;
- line manager route;
- incident portal;
- supplier/service-provider route where appropriate.
Contact points should be documented, available, and included in awareness training.
3. Use standard forms and minimum information
Reporting forms should be easy to find and easy to complete.
They should capture:
- reporter and contact details where appropriate;
- date and time observed;
- what happened;
- systems, locations, information, or assets involved;
- whether information may be exposed;
- immediate action taken;
- screenshots or evidence references where safe;
- urgency or impact indicators.
The form should also tell users what not to do, such as exploiting a weakness, probing further, deleting evidence, or sharing sensitive details in the wrong channel.
4. Promote no-blame reporting
People hide mistakes when reporting is punished by default. A no-blame reporting culture does not remove accountability for deliberate misuse, but it encourages early reporting of mistakes, weaknesses, and near misses.
This links to A.6.4 Disciplinary Process. Discipline should not discourage legitimate reporting.
5. Connect reporting to incident management
Reported events should be recorded, assessed, and investigated.
This links directly to:
- A.5.24 Information Security Incident Management Planning and Preparation;
- A.5.25 Assessment and Decision on Information Security Events;
- A.5.26 Response to Information Security Incidents;
- A.5.27 Learning from Information Security Incidents.
Reporting is not complete when the form is submitted. The event needs triage, response, root-cause analysis where appropriate, closure, and feedback where suitable.
6. Define external notification triggers
Some events may trigger legal, contractual, customer, regulator, or public notification obligations. The organization should define when escalation is needed and who decides.
Timescales matter. Some obligations start when the organization becomes aware of an incident, so late internal reporting can create external compliance failure.
Audit guidance
Auditor focus
Absence of reports is not proof that event reporting works. It may show people do not recognize or report events.
Auditors should verify that event reporting procedures, channels, forms, awareness, and response linkage exist and operate.
Audit testing should include:
- event reporting procedure;
- reporting channels and contact points;
- event report form or ticket template;
- training and awareness material;
- sampled personnel interviews;
- event/incident register;
- triage and response records;
- root-cause and corrective-action records;
- evidence that reporters receive feedback where appropriate;
- procedures preventing users from exploiting identified weaknesses;
- external notification criteria and escalation paths.
If the organization claims there were no events, the auditor should interview staff and test examples. “No reports” is suspicious unless the environment is tiny and the organization can explain why.
Evidence examples
Evidence quality
Strong evidence shows that personnel know how to report, reports are recorded, and events are assessed and resolved.
| Evidence | What it proves |
|---|---|
| Event reporting procedure | Reporting process is documented |
| Reporting channel list | Contact points are defined |
| Event report form | Minimum reporting information is standardized |
| Training records | Personnel were taught to report events |
| Event register | Reports are recorded |
| Triage records | Events are assessed |
| Incident response records | Confirmed incidents are handled |
| Corrective action records | Root causes are addressed |
| Interview results | Personnel know what and how to report |
| External notification criteria | Escalation obligations are defined |
Strong evidence
- Personnel can explain what an event is and how to report it.
- Reporting channels are easy to find and use.
- Report forms capture information useful for incident management.
- Reports cover physical, paper, human, supplier, and technical events.
- Events are recorded, triaged, investigated, and closed.
- Root causes and corrective actions are tracked.
- Training emphasizes timely reporting and not exploiting weaknesses.
- External notification criteria are linked to legal and contractual obligations.
Weak evidence
- Security events are only reported informally to IT.
- Staff think only cyberattacks count as security events.
- No reports exist and no evidence of awareness testing exists.
- Forms are hard to find or do not capture useful information.
- Reported events are not triaged or closed.
- Users are encouraged to prove weaknesses by exploiting them.
- No external notification criteria or timelines.
Common failures
Implementation watchouts
Event reporting fails when people cannot recognize an event or fear consequences for reporting one.
| Failure | Why it matters |
|---|---|
| Event definition unclear | Staff do not know what to report |
| IT-only thinking | Physical, paper, people, and supplier events are missed |
| No-blame culture absent | People hide mistakes |
| Reporting channel unclear | Reports do not reach responders |
| No triage linkage | Reports are collected but not managed |
| No root-cause follow-up | Repeated weaknesses persist |
| No external notification criteria | Legal/customer deadlines can be missed |
Exam traps
Exam focus
A.6.8 is about reporting observed or suspected events through appropriate channels in a timely manner. It is not the same as full incident response.
| Trap | Correct interpretation |
|---|---|
| Only confirmed incidents need reporting | Observed or suspected events and weaknesses should be reportable |
| Security events are only IT events | Physical, paper, verbal, people, and supplier events can matter |
| No reports means the process works | It may mean staff do not recognize or report events |
| Users should prove a weakness before reporting | Users should not exploit or test weaknesses without authorization |
| Reporting ends when a ticket is opened | Events should be recorded, assessed, investigated, and closed |
| External notification can be decided later | Legal/customer timelines may require predefined escalation criteria |
Related controls and concepts
- A.6 People Controls MOC
- A.6.3 Information Security Awareness Education and Training
- A.6.4 Disciplinary Process
- A.5.24 Information Security Incident Management Planning and Preparation
- A.5.25 Assessment and Decision on Information Security Events
- A.5.26 Response to Information Security Incidents
- A.5.27 Learning from Information Security Incidents
- A.5.31 Legal, Statutory, Regulatory and Contractual Requirements
- A.5.34 Privacy and Protection of PII
- Information Security Event Report Form
- Information Security Event Reporting Channel Register
- A.6.8 Audit Evidence Pack
- A.6.8 Audit Checklist
KB-ready summary
- A.6.8 requires a timely reporting mechanism for observed or suspected information security events.
- Personnel need clear examples, channels, contact points, and reporting forms.
- Reporting should cover physical, paper, human, supplier, and technical events.
- No-blame reporting encourages early disclosure of mistakes and weaknesses.
- Reports should feed triage, incident response, root-cause review, and corrective action.
- Users should not exploit weaknesses to prove them.
- External notification triggers and timelines should be predefined.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- People controls
- Event reporting
- Incident management
- Audit
Note Metadata
Aliases: A.6.8, Information Security Event Reporting, Security Event Reporting
Source: 03 Annex A People Controls/A.6.8 Information Security Event Reporting.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
9
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
- A.6 People Controls MOC
- ISO 27001 A.5.24 - Information Security Incident Management Planning and Preparation
- ISO 27001 A.5.25 - Assessment and Decision on Information Security Events
- ISO 27001 A.5.26 - Response to Information Security Incidents
- ISO 27001 A.5.27 - Learning from Information Security Incidents
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.5.24 - Information Security Incident Management Planning and Preparation
- ISO 27001 A.5.25 - Assessment and Decision on Information Security Events
- ISO 27001 A.5.26 - Response to Information Security Incidents
- ISO 27001 A.5.27 - Learning from Information Security Incidents
- ISO 27001 A.5.31 - Legal, Statutory, Regulatory and Contractual Requirements
- ISO 27001 A.5.34 - Privacy and Protection of PII
- ISO 27001 A.6.3 - Information Security Awareness, Education and Training
- ISO 27001 A.6.4 - Disciplinary Process
- A.6 People Controls MOC
- ISO 27001 A.7.4 - Physical Security Monitoring
- A.6.8 Audit Evidence Pack
- AQ-ISO27001-A.6.8 Information Security Event Reporting
- ISO 27001 A.8.7 - Protection Against Malware
- A.6 People Controls Implementation Guide
- A.6 People Controls Audit Guide
- ISO27001-A.6.8 Information Security Event Reporting
- A.6 People Controls Implementation Audit Risk Mapping
- EXAM-019 - Remote Working and Event Reporting
- ISO 27002 Annex A Control Interpretation Map
- A.6.8 Audit Checklist
- Endpoint Loss or Theft Response Checklist
- Information Security Event Report Form
- Information Security Event Reporting Channel Register
- Malware Awareness Checklist
- Physical Security Monitoring Procedure
- Sensitive Room Signage and Directory Review
- Annex A Controls MOC