Skip to content

Information Security Event Reporting Procedure

Publication Summary

Title Information Security Event Reporting Procedure
Author(s) Alessandro Cardinali
Issued by CEO

Version doc.

Review freq.

0.9

Yearly
Date of issue June 7, 2025
Owner CEO/Founder
Document status Draft – Final Draft - Final
Approval Date n/a
Classification Internal

Change Log

Version Date Author Comments
0.1 June 7, 2025 Olaf Jacobson First draft document

Table of Contents

Publication Summary [2](#publication-summary)

1 Introduction [4](#introduction)

1.1 Purpose of this document [4](#purpose-of-this-document)

1.2 Areas of the standard addressed [4](#areas-of-the-standard-addressed)

2 Information security event reporting procedure [5](#information-security-event-reporting-procedure)

2.1 Emergencies [5](#emergencies)

2.2 Reporting channels [5](#reporting-channels)

2.3 Reporting methods [5](#reporting-methods)

2.4 Information required [6](#information-required)

2.5 Dealing with the report [6](#dealing-with-the-report)

Introduction

It has often been said that information security is everyone’s responsibility, and this is certainly held to be true within Soon B.V.. It is expected that employees and third parties who come into contact with the organization’s people, locations, systems and procedures will remain vigilant to actual or potential information security issues. These may include:

  • Actual breaches of security measures, such as:

  • tailgating through a physical entry point

  • sharing of passwords

  • theft of property or information

  • exposure of sensitive data, such as PII, to unauthorised persons

  • Suspected information security events, such as:

  • detection of a virus on a computer

  • unusual activity on a system

  • suspicious behaviour by people in organization locations

  • becoming aware of a threat, for example via social media

  • Vulnerabilities in organization systems or controls, for example:

  • a door or window left open

  • software vulnerabilities within bespoke or externally supplied code

  • ineffective security controls

  • weaknesses in procedures that may give rise to information exposure

Such events may be deliberate or accidental, but in either case the actual or potential damage to the organization must be addressed as quickly as possible.

This procedure sets out the channels that should be used to report information security events, and how these reports will be routed to roles within the organization with the relevant responsibility for investigation and action.

This control applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to Soon B.V. systems.

The following policies and procedures are relevant to this document:

  • Information Security Event Assessment Procedure

  • Information Security Incident Response Procedure

Purpose of this document

This document defines the organization’s procedure for employees and other parties to report information security events.

Areas of the standard addressed

The following areas of the ISO/IEC 27001 standard are addressed by this document:

  • A.6 People controls

  • A.6.8 Information security event reporting

Information security event reporting procedure

Emergencies

If there is a threat to life or similar emergency situation, all employees and third parties are authorised to contact emergency services (such as the police or fire service) directly and without delay.

Reporting channels

For internal events affecting the organization, all employees and third parties are authorised to report information security events via the appropriate channel.

The appropriate reporting channel for each type of event is as follows:

EVENT TYPE REPORTING CHANNEL
Technical events related to the use of ICT systems, such as password violations, viruses, exposure of data, unusual activity Help desk
Physical security issues, including tailgating, inadequate security (such as unlocked doors, open windows), possible intruders. Location Security
Issues with the design or implementation of business procedures, such as not following instructions, weaknesses in the way information is handled or transferred Manager or Supervisor
Other issues not defined Help desk

Table 1: Reporting channels by type of event

Reporting methods

The method used to report information security events will depend upon the urgency and nature of them. For urgent situations where an event is already occurring or is likely to happen imminently, verbal communication either face to face, or via the phone or similar real-time communication method (such as videoconferencing) should be used, as there is no guarantee that other channels will be monitored sufficiently closely.

Actual or suspected information security events may be reported via one or more of the following methods, according to the type of event as listed in Table 1:

  • By email, phone, SMS text, web portal or other supported channel to the Soon B.V. help desk:

  • Email: support@organization.com

  • Phone: +1 234 567 8910

  • SMS text: +44 777 572 1234

  • Web portal: support.helpdesk.organization.com

  • For physical intrusions, such as a suspected unauthorised person within a building, location security should be contacted by phone either directly on +1 234 567 8911 or via the appropriate building reception on 4444

  • An immediate manager or supervisor may be informed face to face, or via any of the internal communication channels available, such as email or messaging

Information required

When reporting an information security incident, the following details should be provided:

  • Name, role, department, location and contact details

  • A description of the nature of the event

  • An indication of the urgency of the event

  • If available, an assessment of the potential impact of the event

For events reported to the help desk, this will result in a help desk ticket being raised and a unique number assigned.

Where events are reported to other channels (for example location security or a manager), the recipient should also keep a record of the date and time of the report and the information provided, for future reference.

Dealing with the report

The recipient of the report will be responsible for assessing it and deciding what action should be taken next. This could be one of:

  • Direct action to address the event

  • Escalating it to another team for further assessment or action

  • Asking for more information

  • Deciding that no further action is required

Where appropriate, the Information Security Event Assessment Procedure will be used to determine whether an event should be treated as an incident. For events that are assessed to be actual or potential serious incidents, the Information Security Incident Response Procedure may be invoked.