Record it related incidents for enterprise

Those procedures are pretty easy to develop because the remainder of this Annex A control spells them out. Your auditor will expect to see all of these formal, documented procedures in place, and evidence that they are working.

A.16.1.2 Reporting Information Security Events

A good control here ensures that information security incidents and events can be reported through suitable management channels as soon as possible.

Employees and associated interested parties (e.g. suppliers) need to be made aware of their obligations to report security incidents, and you should cover that off as part of your general awareness and training. In order to do this well they will need to know exactly what constitutes an information security weakness, event or incident, so be clear about that, based on the simple example above. If an information security event occurs or is thought to have occurred, it must be reported immediately to the nominated information security administrator, and that needs to be documented accordingly. Some of the possible reasons for reporting a security incident include ineffective security controls, assumed breaches of information integrity or confidentiality, or availability issues e.g.

The auditor will want to see, and will be sampling for, evidence of awareness among general staff of what constitutes a weakness, event or incident, and awareness of incident reporting procedures and responsibilities.

A.16.1.3 Reporting Information Security Weaknesses

This control simply builds on incidents and events, but weaknesses might be treated slightly differently once reported (see A.16.1.4). It is essential for employees to be aware that when discovering a security weakness they must not attempt to prove that weakness, as testing it may be interpreted as a misuse of the system, whilst also risking damage to the system and its stored information and so causing security incidents!

A.16.1.4 Assessment of & Decision on Information Security Events
Information security events must be assessed, and it can then be decided whether they should be classified as information security incidents, events or weaknesses. Once a security event has been reported and subsequently logged, it will need to be assessed in order to determine the best course of action to take. This action must aim to minimise any compromise of the availability, integrity or confidentiality of information and to prevent further incidents. Ideally it will have minimal impact on other users of the services.

Consideration of exactly who needs to be made aware of the incident (internally, as well as customers, suppliers and regulators) can take place in this part of the lifecycle too.

GDPR and the Data Protection Act 2018 mean that some information security incidents relating to personal data need to be reported to the Supervisory Authority too, so your controls should also tie in these considerations to meet regulatory requirements and avoid duplication or gaps in work.

A.16.1.5 Response to Information Security Incidents