A.6.8 Information Security Event Reporting
What is this control?
ISO 27001 control A.6.8 Information Security Event Reporting requires organisations to provide mechanisms for personnel to report observed or suspected security events through appropriate channels in a timely manner. This control establishes a 24/7/365 process combining automated technical detection with mandatory user-driven reporting. For Microsoft 365 environments, automated detection flows through Microsoft Sentinel aggregating alerts from Microsoft 365 Defender, Entra ID Protection, and Purview DLP.
Manual reporting uses the Outlook Report Message add-in for phishing, the IT Helpdesk for critical incidents, and an anonymous Microsoft Forms form for sensitive concerns.
How to implement in Microsoft 365
Implement A.6.8 by deploying Microsoft Sentinel as the central SIEM with data connectors from Microsoft 365 Defender, Entra ID (sign-in and audit logs, identity protection), Purview DLP, and network devices (FortiGate via Syslog/CEF). Deploy the Report Message or Report Phishing add-in to all Outlook users per CIS M365 Section 4, enabling one-click phishing reporting that submits messages to Defender for analysis. Configure IT Helpdesk with a Security Incident category providing 24/7 access via portal or phone for critical events (lost devices, breaches).
Create an anonymous Microsoft Forms survey with the Record name option disabled, route submissions to the CISO, and link it in the InfoSec Awareness Teams channel. Federate all sources into Sentinel for unified incident management.
What an auditor looks for
Auditors will verify that the Report Message add-in is deployed to users by checking Microsoft 365 service plans or user submission policy configuration in Defender for Office 365. They will confirm Microsoft Sentinel is active by reviewing workspace status and data connector configurations. Auditors will check that data connectors are enabled for Microsoft 365 Defender, Entra ID, and Purview.
They will verify the anonymous reporting form exists with anonymity correctly configured. Auditors will review helpdesk configuration to confirm a Security Incident category exists with appropriate priority and 24/7 availability.
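The technical parts of both the implementation steps and the auditor checks above (submission policy, centrally deployed add-in, Sentinel data connectors) can be evidenced from PowerShell. The script below is an added example, not part of the original page and not Microsoft's own tooling. It assumes the ExchangeOnlineManagement and Az.SecurityInsights modules are installed, that the caller has read access to Defender for Office 365 and the Sentinel workspace, and that the resource group and workspace names are supplied; those names are placeholders, and the connector Kind strings are assumptions to be reconciled against what the workspace actually reports. The anonymous form and the helpdesk category have no API surface here and remain manual checks.

```powershell
# Added A.6.8 evidence script (example, not from the source page).
# Placeholders: replace the resource group and workspace names.
param(
    [string]$ResourceGroupName = '<sentinel-resource-group>',   # placeholder
    [string]$WorkspaceName     = '<sentinel-workspace>'        # placeholder
)

$findings = [System.Collections.Generic.List[string]]::new()

# --- 1. User-driven reporting channel (Defender for Office 365) ---
Connect-ExchangeOnline -ShowBanner:$false

# The user submission policy decides where one-click reports go.
$policy = Get-ReportSubmissionPolicy
if (-not $policy) {
    $findings.Add('No report submission policy found; user phishing reporting is not configured.')
}
elseif (-not $policy.EnableReportToMicrosoft -and -not $policy.EnableThirdPartyAddress) {
    $findings.Add('Report submission policy exists but reports go neither to Microsoft nor to a custom mailbox.')
}

# Centrally deployed Outlook add-ins. Display names vary by tenant language,
# so a loose match on "Report Message" / "Report Phishing" is used.
$reportAddIn = Get-App -OrganizationApp |
    Where-Object { $_.DisplayName -match 'Report (Message|Phishing)' }
if (-not $reportAddIn) {
    $findings.Add('No Report Message / Report Phishing add-in is centrally deployed.')
}
elseif ($reportAddIn | Where-Object { -not $_.Enabled }) {
    $findings.Add('A Report Message / Report Phishing add-in is deployed but disabled.')
}

# --- 2. Automated detection feeds (Microsoft Sentinel) ---
Connect-AzAccount | Out-Null

# Expected connector kinds, keyed by the Kind value Az.SecurityInsights returns.
# ASSUMPTION: these strings match the workspace; compare against the output of
# Get-AzSentinelDataConnector and add the Purview DLP source your tenant uses.
$expectedKinds = @{
    'MicrosoftThreatProtection'              = 'Microsoft 365 Defender'
    'AzureActiveDirectory'                   = 'Entra ID sign-in and audit logs'
    'AzureActiveDirectoryIdentityProtection' = 'Entra ID Protection'
}

$connectors = Get-AzSentinelDataConnector -ResourceGroupName $ResourceGroupName `
                                          -WorkspaceName $WorkspaceName
$presentKinds = @($connectors | ForEach-Object { $_.Kind })

foreach ($kind in $expectedKinds.Keys) {
    if ($presentKinds -notcontains $kind) {
        $findings.Add("Sentinel connector for $($expectedKinds[$kind]) (kind '$kind') is not configured.")
    }
}

# --- 3. Evidence output: timestamped record for the audit file ---
$stamp = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
if ($findings.Count -eq 0) {
    Write-Output "$stamp A.6.8 technical checks passed: reporting channel and detection connectors present."
}
else {
    Write-Output "$stamp A.6.8 technical gaps ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output " - $_" }
}

# Keep a copy alongside screenshots of the anonymous form and helpdesk category.
$connectors | Select-Object Name, Kind |
    Export-Csv -Path ".\A68-sentinel-connectors-$($stamp -replace '[:]', '').csv" -NoTypeInformation
```

Run it from an account that holds the Exchange Online and Sentinel reader roles and keep the console output and CSV as control evidence; a non-empty findings list is a gap against the implementation steps above, not merely an informational note.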
Related controls
M365 capabilities that implement this control
Microsoft Purview Insider Risk Management