A.6.8 — Do employees know how to report IS events, and is reporting actively encouraged?
Demonstrate that employees understand how to report information security events through defined channels and that the organization actively promotes and facilitates such reporting.
Description
What this control does
This control ensures that employees are trained and equipped with clear procedures to report information security events, incidents, weaknesses, and potential threats through established channels. Organizations must provide accessible reporting mechanisms (e.g., email aliases, ticketing systems, hotlines), communicate them regularly through training and awareness campaigns, and create a no-blame culture that actively encourages timely reporting. Effective incident reporting reduces detection-to-response time and prevents minor events from escalating into major breaches.
Control objective
What auditing this proves
Demonstrate that employees understand how to report information security events through defined channels and that the organization actively promotes and facilitates such reporting.
Associated risks
Risks this control addresses
- Delayed incident detection and response due to employees failing to recognize or report suspicious activities
- Security events escalating into major breaches because staff do not know whom to contact or how to escalate
- Fear of reprisal discouraging employees from reporting security mistakes or policy violations, which keeps critical intelligence about weaknesses from the security team
- Inconsistent or ad-hoc reporting pathways causing loss of event data and preventing trend analysis
- External attackers exploiting social engineering or phishing because employees lack confidence in reporting suspicious communications
- Insider threats going undetected when colleagues observe anomalous behavior but have no clear reporting mechanism
- Regulatory non-compliance due to unreported data breaches or security incidents exceeding mandated notification windows
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's information security event reporting policy, procedure, and any published guidance materials or job aids.
- Interview a stratified sample of employees across different departments and seniority levels to assess their knowledge of reporting channels, contact points, and what constitutes a reportable event.
- Review security awareness training materials and records to confirm that incident reporting procedures, channels, and examples are explicitly covered in onboarding and periodic refresher training.
- Examine internal communications (intranet postings, newsletters, posters, email campaigns) from the past 12 months for evidence of active promotion and reminders about incident reporting.
- Request and analyze incident management system logs or ticketing records to verify that reports are being received from non-IT staff, demonstrating awareness and willingness to report.
- Conduct a simulated phishing or social engineering exercise and observe whether recipients report the test event through official channels within a reasonable timeframe.
- Review the organization's disciplinary and HR policies to confirm the existence of a no-blame or just culture statement that protects good-faith reporters from punitive action.
- Verify that reporting mechanisms are accessible and user-friendly by testing each channel (e.g., submitting a test report via email alias, web form, or hotline) and confirming receipt acknowledgment.
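The log analysis and phishing-simulation checks above can be turned into repeatable evidence. The following is an added example, not part of the control text or any audit tool; it works on constructed ticket and simulation records, and the department names, the set treated as "IT staff", and the one-hour reporting threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

# Assumption: these departments count as "IT staff"; reports from anyone else
# are the evidence an auditor wants that the wider workforce knows how to report.
IT_DEPARTMENTS = {"IT", "Security", "SOC"}


@dataclass
class Ticket:
    ticket_id: str
    reporter_dept: str
    category: str
    created_at: datetime


@dataclass
class SimRecipient:
    user: str
    dept: str
    sent_at: datetime
    reported_at: Optional[datetime]  # None when the recipient never reported


# Constructed sample data standing in for an export from a ticketing system.
T0 = datetime(2024, 3, 4, 9, 0)
TICKETS = [
    Ticket("INC-1001", "Finance", "suspicious_email", T0),
    Ticket("INC-1002", "IT", "malware", T0 + timedelta(hours=1)),
    Ticket("INC-1003", "HR", "lost_device", T0 + timedelta(hours=2)),
    Ticket("INC-1004", "Security", "policy_violation", T0 + timedelta(hours=3)),
    Ticket("INC-1005", "Sales", "suspicious_email", T0 + timedelta(hours=5)),
    Ticket("INC-1006", "SOC", "malware", T0 + timedelta(days=1)),
]

# Constructed results of a simulated phishing exercise (hypothetical users).
SIM = [
    SimRecipient("alice", "Finance", T0, T0 + timedelta(minutes=12)),
    SimRecipient("bob", "Sales", T0, T0 + timedelta(minutes=45)),
    SimRecipient("carol", "HR", T0, None),
    SimRecipient("dave", "Legal", T0, T0 + timedelta(hours=3)),
    SimRecipient("erin", "Sales", T0, None),
]


def non_it_share(tickets):
    """Fraction of event reports raised by departments outside IT_DEPARTMENTS."""
    if not tickets:
        return 0.0
    non_it = sum(1 for t in tickets if t.reporter_dept not in IT_DEPARTMENTS)
    return non_it / len(tickets)


def departments_reporting(tickets):
    """Which departments have raised at least one report (breadth of awareness)."""
    return sorted({t.reporter_dept for t in tickets})


def phishing_sim_metrics(recipients, sla=timedelta(hours=1)):
    """Report rate, median time to report, and share reported within the assumed SLA."""
    reporters = [r for r in recipients if r.reported_at is not None]
    delays = [r.reported_at - r.sent_at for r in reporters]
    within = sum(1 for d in delays if d <= sla)
    return {
        "recipients": len(recipients),
        "report_rate": len(reporters) / len(recipients) if recipients else 0.0,
        "median_minutes_to_report": median(d.total_seconds() / 60 for d in delays) if delays else None,
        "within_sla_rate": within / len(reporters) if reporters else 0.0,
        "non_reporters": sorted(r.user for r in recipients if r.reported_at is None),
    }


if __name__ == "__main__":
    print(f"Share of reports from non-IT staff: {non_it_share(TICKETS):.0%}")
    print("Departments reporting:", ", ".join(departments_reporting(TICKETS)))
    for k, v in phishing_sim_metrics(SIM).items():
        print(f"{k}: {v}")
```

The non-reporter list is the useful output for follow-up: it identifies who needs a refresher on the reporting channel, and it should be handled under the no-blame policy rather than as a disciplinary input.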