Within the ISO27001 list of Annex A controls, we have already extensively addressed the matter of incident response. This was covered in the following controls;
However, note that Annex A control A5.25 specifically focuses on information security events. Clearly then ISO27001 sees events and incidents as two different things. But what is the difference and why is it so important?
What does the standard require?
The standard states that “The organisation shall provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner.” (A6.8 – Information security event reporting).
Before we look at why this is important, let’s address the difference between and event and an incident. In terms of information security, an event is something which has occurred which could result in a breach of information security, and therefore would be classified as an incident. This is another example of how ISO27001 controls overlap, where this Annex A control overlaps with Annex A control 5.25 - Assessment and decision on information security events.
Note that this control speaks of both observed and suspected events. Also, note that this is about your personnel, so it is inward looking with expectations that you will arm them with mechanisms for escalating an event, so that it doesn’t become an incident or it can be handled more effectively.
Why is this required?
Have you ever spoken to someone after an incident has occurred, and heard them say “Yeah. I thought it was weird about …” Well, if you have, then you know why this control is needed.
When something happens that could threaten your security, you need to know about it as soon as possible and although there are automated systems that can identify these events (on your networks and systems), they ultimately need to inform someone.
Some Cybersecurity professionals will say that in information security, people are the weakest link. In some respects, they are right, because people are fallible, people make mistakes or act in unsuspected ways. We don’t agree with this claim, and this is worthy of further discussion, but that’s for another time. In relation to this ISO27001 control, we would argue that people are actually your strongest form of defence.
People will see that stranger hanging out, outside your office or premises, and should know what to do.
People will receive that phishing email, and know that clicking any of the links might put you and them at risk.
People will see that by using a system is acting abnormally and suspect that someone has made a change that could cause system failure or errors.
This ISO27001 control supports the need for timely, consistent and effective reporting of information security events that can be identified by your personnel, not only because it’s a good idea, but because compliance and regulations often demand it.
The General Data Protection Regulation (GDPR) and Data Protection Act (DPA) both make it very clear on the legal requirements placed upon Data Controllers. Article 33 of the GDPR states;
“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay”
(A33(1).GDPR)
If you’re wondering if a Data Processor is exempt from this requirement, consider that the very next paragraph states;
“The processor shall notify the controller without undue delay after becoming aware of a personal data breach.” (A33(2).GDPR)
What the auditor is looking for
The auditor is looking for a range of technical and organisational measures that you have implemented to ensure events are reported in a timely manner. These mechanisms can include;
Assessment and decision on information security events are in place (A5.25).
Awareness, training and education on what to do if there is a suspected event.
Logs and monitoring techniques and technologies to alert someone of suspected issues.
Established reporting and communication channels, such as IT ticketing systems.
What do you need to do?
If you haven’t done so already, look carefully at ISO27001 Annex A control A5.25 - Assessment and decision on information security events, to ensure you have a mechanism for this assessment and decision-making process.
This ISO27001 control requires that your personnel know what to do in the event of suspected or observed events, so make sure you include this within your induction process. Explain what an event is, and what people should do if they suspect something isn’t quite right.
This education should focus on some of your biggest risks, but also more generally what can happen. For example, people should know who to report any errors or issues to; Is it their line manager? To a security guard? Or direct to an IT helpdesk? Of course it depends on what happens, but make it clear so that they can act in a timely manner.
Q & A
Is this Annex A control only speaking about IT events?
No, you need to remember that Information Security is about People, Process and Technology, and security events can arise in any of these areas.
For example, someone might notice that the air conditioning unit in the server room isn’t working, but this isn’t an incident – yet. It’s an event that could result in systems overheating and then shutting down, causing an outage. Yes, this is affecting IT systems, but it’s an issue with physical premises. Extending this example, someone might notice someone taking photos outside your premises, of your offices.
Dependent upon who you are, this could present a risk to you, or it could be nothing. But would people know who to report it to?
Difficulty rating
We rate this a 1 out of 5 difficulty rating. This ISO27001 control isn’t difficult, but evidence will come from the demonstration of both organisational and technical security measures. If you have already addressed the need for training and awareness, and how to assess incidents then you are well on your way to complying with this control. Just know that it is easier to comply with this control, than it is to get it wrong.
More questions?
Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers to other aspects of the standard. Follow the links in this control to see the relationship in other controls, but if you’re still confused about this control, then please get in touch.
For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001”which is available on Amazon.