People / Control 6.8

Information Security Event Reporting

Summary

Personnel and contractors should be required to report any observed or suspected information security events through appropriate channels in a timely manner. Prompt reporting is essential for effective incident response and minimizing potential damage.

Applicability

In-Scope: Mandatory for all personnel. It is the primary human-based detection control and is vital for identifying threats that automated systems might miss (e.g., suspicious social engineering).

Out-of-Scope: Never out-of-scope.

Implementation Guidance

Microsoft 365 / Entra ID

  • Report Phishing: Enable the Report Message add-in in Outlook to allow users to flag suspicious emails directly to the security team via Microsoft Defender for Office 365.

  • Reporting Portal: Use Microsoft Forms or a dedicated Microsoft Teams app to provide a simplified, 24/7 interface for reporting physical or digital security concerns.

  • Feedback Loop: Automate notifications using Power Automate to acknowledge the user's report and provide them with status updates, reinforcing the reporting culture.

Evidence Checklist

  • Reporting Procedure: A documented and widely communicated process for reporting different types of security events.

  • Event Logs: A record of all reported events, including the time of the report and the initial assessment by the security team.

  • Awareness Evidence: Samples of posters, emails, or Teams messages that promote a culture of proactive security reporting within the organization.

Practical Audit Advice

Here are some questions the auditor might ask:

  • How are employees trained to recognize the types of events that warrant an immediate report?

  • What is the expected timeframe for an employee to report a suspected security event once it has been identified?

  • Can you provide an example of a security event that was reported by a staff member and show how it was subsequently triaged?

  • How do you ensure that employees feel comfortable reporting mistakes (like clicking a malicious link) without fear of immediate punishment?

Templates for this control

Downloadable ISO 27001:2022 templates relevant to this control. Use them as a starting point for your own documentation.

  • Incident Reporting Procedure (docx): Step-by-step process for identifying, reporting, and escalating information security incidents.
  • Incident Report Form (xlsx): Structured form for documenting all details of an information security incident from detection to resolution.
  • Incident Log Template (xlsx): Running log for tracking all reported security incidents, their status, and resolution outcomes.
