ISO 27001:2022 Annex A 8.16 Monitoring activities

What is ISO 27001:2022 Annex A 8.16 Monitoring activities?

Annex A 8.16 is a documented process for observing system behaviour. It identifies security anomalies through active review. Organisations must integrate this into daily operations using SharePoint or Jira. This ensures that technical teams manage security events within their standard environment. It excludes reliance on unverified external dashboards.

Auditor’s Eye: The Shortcut Trap

Many firms use SaaS compliance tools to manage monitoring. These tools provide green ticks for logs they never actually read. Auditors find this approach insufficient. We want to see your Jira history. We check for tickets raised from system alerts. If your logs are in a black box, you lack management ownership. We prefer evidence in your organisational repositories. This proves your staff understand and own the monitoring process. Automated shortcuts often lead to major non-conformities.

ISO 27001:2013 Control | ISO 27001:2022 Control | Nature of Change
A.12.4.1, A.12.4.3 | Annex A 8.16 | Controls merged. Shift from passive logging to active monitoring and observation.

How to Implement ISO 27001:2022 Annex A 8.16 (Step-by-Step)

The core requirement is establishing an active review cycle. You must use existing organisational tools to build an audit trail. This ensures monitoring becomes a standard habit for your team. Follow these steps for integration.

  • Identify systems that require active monitoring in a SharePoint register.
  • Define normal behaviour baselines for these systems in Confluence.
  • Set specific alert thresholds for suspicious activities.
  • Configure Jira to receive alerts as actionable tasks.
  • Assign a technical owner to review every Jira alert.
  • Document the investigation outcome within the ticket comments.
  • Log monthly summary reviews in version-controlled SharePoint meeting minutes.
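As an added illustration of steps 2 to 7 above (example code written for this page, not material from the standard, from any certification body, or from SharePoint, Confluence or Jira), the Python below applies per-system baselines and thresholds to constructed authentication log lines, turns each breach into an actionable alert record shaped like a ticket with an assigned owner, records the owner's investigation outcome on it, and produces the counts a monthly review minute would cite. The log format, the baseline values, the owner names, the rule names and the MON-nnnn ticket identifier scheme are all assumptions made for the example; a real deployment would push the alert records into the team's own tracker rather than keep them in memory.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample log lines for this example; no real system produced them.
SAMPLE_LOG = """\
2024-11-05T08:01:12Z host=app01 user=alice event=login_failure src=10.0.0.5
2024-11-05T08:01:20Z host=app01 user=alice event=login_failure src=10.0.0.5
2024-11-05T08:01:31Z host=app01 user=alice event=login_failure src=10.0.0.5
2024-11-05T08:01:44Z host=app01 user=alice event=login_failure src=10.0.0.5
2024-11-05T09:15:02Z host=app01 user=bob event=login_success src=10.0.0.9
2024-11-05T03:12:40Z host=db01 user=carol event=login_success src=10.0.0.30
2024-11-05T10:00:00Z host=db01 user=carol event=login_failure src=10.0.0.30
this line is malformed and must be skipped rather than abort the review
"""

# Assumed per-system baselines (the page keeps these in Confluence; values are illustrative).
BASELINES = {
    "app01": {"max_failures_10min": 3, "allowed_hours": (6, 20)},
    "db01": {"max_failures_10min": 5, "allowed_hours": (7, 19)},
}
# Assumed technical owner per system (the page assigns one owner per alert).
OWNERS = {"app01": "it-lead", "db01": "dba-lead"}

# Assumed log line layout: ISO timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
    r"host=(?P<host>\S+) user=(?P<user>\S+) event=(?P<event>\S+) src=(?P<src>\S+)$"
)


@dataclass
class Alert:
    """One actionable task: the record a tracker ticket would hold (assumed shape)."""
    alert_id: str
    raised_at: datetime
    host: str
    user: str
    rule: str
    detail: str
    owner: str
    status: str = "open"
    investigation: list = field(default_factory=list)


def parse_log(text):
    """Parse lines into dicts sorted by time; malformed lines are counted and skipped."""
    events, skipped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(rec)
    events.sort(key=lambda e: e["ts"])
    return events, skipped


def detect(text, baselines, owners):
    """Compare each event against its system's baseline; one Alert per (host, user, rule)."""
    events, _ = parse_log(text)
    alerts, seen = [], set()
    failures = defaultdict(list)  # (host, user) -> timestamps of login failures

    def raise_alert(ev, rule, detail):
        key = (ev["host"], ev["user"], rule)
        if key in seen:  # de-duplicate so one burst does not produce a flood of tickets
            return
        seen.add(key)
        alerts.append(Alert(f"MON-{len(alerts) + 1:04d}", ev["ts"], ev["host"], ev["user"],
                            rule, detail, owners.get(ev["host"], "unassigned")))

    for ev in events:
        base = baselines[ev["host"]]
        if ev["event"] == "login_failure":
            window = failures[(ev["host"], ev["user"])]
            window.append(ev["ts"])
            recent = [t for t in window if t >= ev["ts"] - timedelta(minutes=10)]
            if len(recent) > base["max_failures_10min"]:
                raise_alert(ev, "failed_login_burst",
                            f"{len(recent)} failures in 10 min from {ev['src']}")
        elif ev["event"] == "login_success":
            start, end = base["allowed_hours"]
            if not start <= ev["ts"].hour < end:
                raise_alert(ev, "off_hours_login",
                            f"success at {ev['ts']:%H:%M} outside {start:02d}:00-{end:02d}:00")
    return alerts


def record_investigation(alert, note, outcome):
    """Append the owner's finding to the alert and close it; the outcome stays as evidence."""
    alert.investigation.append({"note": note, "outcome": outcome})
    alert.status = "closed"
    return alert


def monthly_summary(alerts):
    """Counts per (rule, status): the figures a monthly review minute would cite."""
    summary = defaultdict(int)
    for a in alerts:
        summary[(a.rule, a.status)] += 1
    return dict(summary)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG, BASELINES, OWNERS)
    for a in found:
        print(a.alert_id, a.raised_at, a.host, a.user, a.rule, a.detail, "->", a.owner)
    record_investigation(found[0], "Carol confirmed an approved change window", "false_positive")
    print(monthly_summary(found))
```

Running the block raises two alerts from the constructed log: an off-hours login on db01 owned by dba-lead and a burst of four failures on app01 owned by it-lead; the single db01 failure stays under its higher threshold, and the malformed line is skipped and counted rather than aborting the run, which matters because a review that crashes on bad input leaves no evidence at all.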

ISO 27001:2022 Annex A 8.16 Audit Evidence Checklist

Auditors look for manual records and internal document versions. These prove human oversight and intent. Maintain your evidence in repositories your team uses daily.

  • Monitoring policy with clear SharePoint version history.
  • Jira history showing the full investigation of security alerts.
  • Confluence pages detailing current system baselines.
  • Meeting minutes proving management reviewed monitoring logs.
  • Records of actions taken when thresholds were exceeded.

Relational Mapping

Annex A 8.16 connects to several other ISO 27001 controls. It relies on Annex A 8.15 for log generation. It feeds directly into Annex A 5.24 for incident management. Clause 8.1 provides the operational framework for these reviews. All documentation should link within your central DBMS.

Auditor Interview

Auditor: How do you know if an unauthorised user is in your system?

Manager: We have active alerts for anomalous logins. These trigger a Jira ticket for our IT lead.

Auditor: Where is the proof of your last log review?

Manager: You can see the signed minutes in our SharePoint repository. We reviewed the October logs on the fifth of November.

Common Non-Conformities

Failure Mode | Description | Corrective Action
Automated Complacency | Relying on a SaaS platform tick without local evidence. | Move log review records to SharePoint and Jira.
Alert Fatigue | Ignoring system alerts because they are too frequent. | Tune baselines in Confluence and document the changes.
No Evidence of Review | Collecting logs but never documenting their examination. | Implement mandatory monthly review minutes in SharePoint.

Frequently Asked Questions

What are monitoring activities in ISO 27001?

The Bottom Line Up Front: Monitoring activities are the active observation of systems for security anomalies. You must document this process in SharePoint or Jira. It ensures your organisation detects threats promptly. This process requires human oversight, not just automated collection.

How do I prove log reviews to an auditor?

The Bottom Line Up Front: Provide dated meeting minutes from your internal repositories. These minutes must confirm that staff examined security logs. Link these reviews to Jira tickets for any anomalies found. This proves an active and managed security cycle.

Can I use an external SIEM for compliance?

The Bottom Line Up Front: You can use a SIEM for data collection. However, the review process must be internal. Store your review records in your own SharePoint. Do not rely on the SIEM dashboard for audit evidence. Ownership stays with your management team.

LA CASA DE CERTIFICACIÓN