ISO 27001:2022 Annex A 8.16: Monitoring Activities Explained
If logging is the memory of your Information Security Management System (ISMS), monitoring is its eyes. In the 2022 update of ISO 27001, Annex A 8.16 (Monitoring Activities) takes centre stage as a critical control for identifying security threats before they become full-blown disasters. It replaces and expands upon the older requirements, emphasising not just the collection of data, but the active analysis of it.
Many organisations confuse this with simple logging (Annex A 8.15), but there is a distinct difference. Logging is about keeping a record; monitoring is about watching that record in real-time (or near real-time) to spot things that look wrong. It is the difference between recording CCTV footage to a hard drive and having a security guard actually watching the screens.
What is ISO 27001 Annex A 8.16?
Annex A 8.16 is defined as a detective and corrective control. Its primary purpose is to detect anomalous behaviour in networks, systems, and applications to evaluate potential information security incidents. The standard effectively asks you to implement a system where you are constantly checking for inappropriate actions or irregularities.
This control acknowledges that prevention controls (like firewalls and passwords) are not foolproof. Eventually, something might get through, or an insider might misuse their access. Monitoring ensures you are alerted when that happens.
The Core Concept: Anomalous Behaviour
To comply with this control, you need to understand what “anomalous” means for your specific environment. You cannot detect what is abnormal if you haven’t defined what is normal.
This requires establishing a baseline. For example:
- Normal: A marketing employee logs in between 8 AM and 6 PM from the London office.
- Anomalous: That same employee logs in at 3 AM from a server in North Korea.
Without a baseline, the second event is just data. With a baseline, it is a security alert.
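The baseline idea above is easy to state and easy to skip in practice, so here is an added example (not code from the article) that makes it concrete: a baseline is learned from a user's past successful logins, and each new login is compared against it. The working hours, the office country code "GB" and the sample events are all constructed for illustration; the country field is assumed to have been resolved from the source IP by an upstream GeoIP step.

```python
"""Baseline-driven login anomaly detection (added example, not from the article).

Sample events are constructed. The default baseline (08:00-18:00, country 'GB')
is an assumption modelled on the article's marketing-employee illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Baseline:
    """What 'normal' looks like for a user or population."""
    work_start: time
    work_end: time
    allowed_countries: frozenset


@dataclass(frozen=True)
class LoginEvent:
    user: str
    timestamp: datetime
    source_country: str  # ISO 3166-1 alpha-2; assumed resolved by GeoIP upstream
    success: bool


# Constructed sample events mirroring the article's two scenarios.
SAMPLE_EVENTS = [
    LoginEvent("m.jones", datetime(2024, 3, 4, 9, 15), "GB", True),   # normal
    LoginEvent("m.jones", datetime(2024, 3, 4, 17, 40), "GB", True),  # normal
    LoginEvent("m.jones", datetime(2024, 3, 5, 3, 2), "KP", True),    # 3 AM, foreign
    LoginEvent("m.jones", datetime(2024, 3, 5, 12, 0), "FR", False),  # unusual country
]

DEFAULT_BASELINE = Baseline(time(8, 0), time(18, 0), frozenset({"GB"}))


def learn_baseline(history, padding_hours: int = 1) -> Baseline:
    """Derive a baseline from past successful logins.

    Working hours are the observed earliest/latest login hour widened by
    `padding_hours`; allowed countries are every country seen in the history.
    This is deliberately simple learning logic, not a vendor's algorithm.
    """
    successes = [e for e in history if e.success]
    if not successes:
        raise ValueError("no successful logins to learn from")
    hours = [e.timestamp.hour for e in successes]
    start = max(0, min(hours) - padding_hours)
    end = min(23, max(hours) + padding_hours)
    countries = frozenset(e.source_country for e in successes)
    return Baseline(time(start, 0), time(end, 59), countries)


def deviations(event: LoginEvent, baseline: Baseline) -> list[str]:
    """Return how an event departs from the baseline (empty list = normal)."""
    reasons = []
    t = event.timestamp.time()
    if not (baseline.work_start <= t <= baseline.work_end):
        reasons.append("outside working hours")
    if event.source_country not in baseline.allowed_countries:
        reasons.append(f"unexpected source country {event.source_country}")
    return reasons


def evaluate(events, baseline: Baseline = DEFAULT_BASELINE):
    """Return (event, reasons) pairs for the anomalous events only."""
    alerts = []
    for ev in events:
        reasons = deviations(ev, baseline)
        if reasons:
            alerts.append((ev, reasons))
    return alerts


if __name__ == "__main__":
    # Learn the baseline from the two known-good logins, then screen the rest.
    learned = learn_baseline(SAMPLE_EVENTS[:2])
    for ev, reasons in evaluate(SAMPLE_EVENTS[2:], learned):
        stamp = ev.timestamp.strftime("%Y-%m-%d %H:%M")
        print(f"ALERT {ev.user} {stamp} from {ev.source_country}: " + "; ".join(reasons))
```

The point of `learn_baseline` is that "normal" is derived from evidence, not guessed: the same 3 AM login that is an alert for an office worker would be routine for a night-shift operator, and the baseline should reflect that.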
What Should You Monitor?
While the standard leaves the specific scope up to your risk assessment, effective implementation usually covers four key areas:
1. Network Traffic
You should monitor inbound and outbound traffic. Look for unexpected spikes in data transfer (which could indicate data exfiltration), traffic to known malicious IP addresses, or connections on unusual ports.
2. Systems and Servers
Monitor the health and activity of your critical infrastructure. This includes CPU and memory usage: a sudden spike in processor usage on a file server could indicate a ransomware attack encrypting files in the background.
3. Application Logs
Your applications often hold the most valuable data. Monitoring here involves looking for failed login attempts, unauthorised access to sensitive records, or changes to critical configuration files.
4. User Behaviour
This is increasingly important. User Behaviour Analytics (UBA) helps spot when a legitimate user account is acting suspiciously, which is often the only way to catch compromised credentials or insider threats.
Tools and Technology
Implementing this manually is impossible for most businesses. You will likely need to rely on automated tools. A SIEM (Security Information and Event Management) system is the gold standard here. It aggregates logs from various sources (firewalls, PCs, servers) and uses logic to alert you only when specific criteria are met.
Other common tools include:
- IDS (Intrusion Detection Systems): specifically designed to spot malicious traffic patterns.
- EDR (Endpoint Detection and Response): monitors individual computers for suspicious processes or malware.
Legal and Privacy Considerations
It is vital to balance security monitoring with privacy laws (like GDPR). You are effectively watching your employees. You must ensure that:
- Your staff are aware they are being monitored (usually via an Acceptable Use Policy).
- You are only collecting data that is necessary for security.
- The monitoring logs themselves are secured and access is restricted.
For a broader view of how these controls fit together, ISO27001.com offers excellent resources on the full list of Annex A controls.
Common Pitfalls
Alert Fatigue: The biggest risk in implementation is configuring your tools to alert on everything. If your IT team receives 500 emails a day saying “High CPU Usage,” they will stop reading them. You must tune your monitoring to only flag actionable intelligence.
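Tuning is usually a matter of two rules: require the condition to persist before alerting, and do not re-alert on the same host while an alert is already open. This added example (not from the article) applies both rules to a constructed stream of CPU samples, mirroring the "High CPU Usage" case above. The 90% threshold, the three-sample persistence requirement and the 30-minute cooldown are assumed values chosen for illustration.

```python
"""Alert tuning to reduce alert fatigue (added example, not from the article).

Threshold, persistence count and cooldown are assumed values; the telemetry
below is constructed, one sample per minute per host.
"""
from datetime import datetime, timedelta

CPU_THRESHOLD_PCT = 90
SUSTAINED_SAMPLES = 3             # consecutive breaches required before alerting
COOLDOWN = timedelta(minutes=30)  # suppress repeat alerts for the same host

# Constructed telemetry: (timestamp, host, cpu_percent).
SAMPLES = [
    (datetime(2024, 3, 4, 10, 0), "fs01", 95),   # one-off spike: no alert
    (datetime(2024, 3, 4, 10, 1), "fs01", 40),
    (datetime(2024, 3, 4, 10, 2), "fs01", 97),   # start of a sustained run
    (datetime(2024, 3, 4, 10, 3), "fs01", 98),
    (datetime(2024, 3, 4, 10, 4), "fs01", 99),   # third consecutive breach: alert
    (datetime(2024, 3, 4, 10, 5), "fs01", 99),   # still breaching, inside cooldown
    (datetime(2024, 3, 4, 10, 6), "fs01", 99),
    (datetime(2024, 3, 4, 10, 3), "web02", 92),  # different host, single breach
]


def tune_alerts(samples, threshold=CPU_THRESHOLD_PCT,
                sustained=SUSTAINED_SAMPLES, cooldown=COOLDOWN):
    """Return (alerts, raw_breaches).

    A host alerts only after `sustained` consecutive samples above `threshold`,
    and then at most once per `cooldown` window. `raw_breaches` counts every
    sample over the threshold, so the caller can see how much noise was removed.
    """
    streak = {}      # host -> consecutive breaching samples
    last_alert = {}  # host -> timestamp of the most recent alert
    alerts = []
    raw_breaches = 0
    for ts, host, cpu in sorted(samples):
        if cpu <= threshold:
            streak[host] = 0          # a normal sample resets the run
            continue
        raw_breaches += 1
        streak[host] = streak.get(host, 0) + 1
        if streak[host] < sustained:
            continue                  # not yet persistent enough
        prev = last_alert.get(host)
        if prev is not None and ts - prev < cooldown:
            continue                  # already alerted for this host recently
        last_alert[host] = ts
        alerts.append((ts, host, cpu))
    return alerts, raw_breaches


if __name__ == "__main__":
    alerts, raw = tune_alerts(SAMPLES)
    print(f"{raw} raw threshold breaches reduced to {len(alerts)} alert(s)")
    for ts, host, cpu in alerts:
        print(f"{ts:%H:%M} {host}: CPU {cpu}% sustained above {CPU_THRESHOLD_PCT}%")
```

Seven raw breaches become a single alert, and the one-off spike on the same host and the single breach on the second host never reach a human at all. The thresholds should come from the baseline you established earlier, not from a vendor default.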
Ignoring the Human Element: Tools can generate alerts, but humans must investigate them. A dashboard that is all red but never looked at provides no security value.
Conclusion
ISO 27001 Annex A 8.16 is about situational awareness. It moves your security posture from passive defence to active engagement. By establishing a solid baseline of normal activity and deploying the right tools to spot deviations, you ensure that when a breach attempts to happen, you are the first to know, not the last.