AuditFront

ISO 27001 A.8.16: Monitoring activities

What This Control Requires

Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents.

In Plain Language

Logging (A.8.15) captures the raw data. This control - new in ISO 27001:2022 - is about actually watching that data in real time to spot attacks as they happen. The average breach goes undetected for months. Active monitoring is how you shrink that window from months to minutes. You need to detect both known threats (using signatures and rules) and novel ones (using anomaly detection and behavioural analysis). Sophisticated attackers specifically design their techniques to evade signature-based detection, so relying on signatures alone leaves you blind to lateral movement, slow data exfiltration, and insider threats. Monitoring should span your entire stack: network traffic, system behaviour, application logs, user activity patterns, and cloud service events. When something looks wrong, it needs to flow into your incident management process for investigation and response.

How to Implement

Deploy monitoring tools that match your environment. The key capabilities are: SIEM for log correlation and alerting, network detection and response (NDR) for traffic analysis, endpoint detection and response (EDR) for endpoint behaviour, user and entity behaviour analytics (UEBA) for anomaly detection, cloud security monitoring for cloud workloads, and application performance monitoring (APM) for application behaviour.

Build detection use cases around your risk assessment and threat model. Focus on what actually matters: brute force attacks, privilege escalation attempts, lateral movement, data exfiltration indicators, command and control communications, unauthorised access to sensitive data, anomalous user behaviour, and unusual cloud resource provisioning.

Create detection rules for each use case. Mix signature-based rules for known threats, threshold-based rules for volumetric indicators, and anomaly-based rules for behavioural deviations. Tune aggressively to reduce false positives without sacrificing detection. Integrate threat intelligence feeds to keep your rules current with evolving attack patterns.

Set up monitoring operations. Define who watches the alerts and when. Critical environments need 24/7 coverage. Create triage procedures with clear response actions for different alert types. Build escalation paths for alerts that need senior analysis or full incident response. Track alert volumes, false positive rates, and mean time to investigate.

Measure and improve continuously. Track detection coverage (map against MITRE ATT&CK to see your blind spots), mean time to detect (MTTD), mean time to respond (MTTR), and false positive rates. Use red team exercises and penetration tests to validate your detection capabilities. Review and tune detection rules regularly.
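As an added illustration of mixing the three rule classes described above (example code written for this page, not AuditFront's or any product's), here is a small Python detection engine run over constructed authentication events: a signature rule against a constructed threat-intelligence indicator, a threshold rule for the brute-force use case, and an hour-of-day anomaly rule against a constructed per-user baseline. The event format, the indicator list and the baselines are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample authentication events (not real data): time, user, source IP, result.
RAW_EVENTS = [
    ("2024-03-04T02:11:00", "alice", "203.0.113.7", "fail"),
    ("2024-03-04T02:11:05", "alice", "203.0.113.7", "fail"),
    ("2024-03-04T02:11:09", "alice", "203.0.113.7", "fail"),
    ("2024-03-04T02:11:14", "alice", "203.0.113.7", "fail"),
    ("2024-03-04T02:11:20", "alice", "203.0.113.7", "fail"),
    ("2024-03-04T02:11:25", "alice", "203.0.113.7", "success"),
    ("2024-03-04T09:30:00", "bob", "198.51.100.4", "success"),
    ("2024-03-04T10:02:00", "carol", "192.0.2.9", "success"),
]
EVENTS = [(datetime.fromisoformat(t), u, ip, r) for t, u, ip, r in RAW_EVENTS]
# Constructed threat-intelligence indicator (placeholder, not a real IoC).
KNOWN_BAD_IPS = {"192.0.2.9"}
# Constructed per-user baseline of past successful-login hours (UTC).
BASELINE_HOURS = {"alice": [9, 9, 10, 8, 9, 10, 9], "bob": [9, 10, 8, 9]}

def signature_rule(events):
    """Known threat: any event whose source IP is on the intel feed."""
    return [(t, "signature", ip) for t, _, ip, _ in events if ip in KNOWN_BAD_IPS]

def threshold_rule(events, limit=5, window=timedelta(minutes=5)):
    """Volumetric: `limit` failures from one source inside a sliding window."""
    alerts, fails = [], defaultdict(list)
    for t, _, ip, r in events:
        if r != "fail":
            continue
        fails[ip] = [x for x in fails[ip] if t - x <= window] + [t]
        if len(fails[ip]) == limit:  # fire when the count reaches the threshold
            alerts.append((t, "threshold", ip))
    return alerts

def anomaly_rule(events, z=3.0):
    """Behavioural: successful login at an hour far from the user's baseline."""
    alerts = []
    for t, u, _, r in events:
        hist = BASELINE_HOURS.get(u, [])
        if r != "success" or len(hist) < 3:  # no baseline yet: cannot judge deviation
            continue
        sd = pstdev(hist) or 1.0  # flat baseline: avoid dividing by zero
        if abs(t.hour - mean(hist)) / sd > z:
            alerts.append((t, "anomaly", u))
    return alerts

def run(events=EVENTS):
    # One time-ordered alert queue for triage, tagged with the rule class that fired.
    return sorted(signature_rule(events) + threshold_rule(events) + anomaly_rule(events))
```

Raising `limit` or `z` shows the tuning trade-off the text describes: fewer alerts, but the brute-force and off-hours cases stop being detected.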

Evidence Your Auditor Will Request

  • Monitoring strategy and tool deployment documentation
  • Detection use cases and alert rule documentation
  • SIEM alert triage and investigation records
  • Monitoring operations procedures including escalation paths
  • Monitoring effectiveness metrics and improvement records

Common Mistakes

  • Monitoring relies solely on signature-based detection without behavioural analysis
  • Alert fatigue leads to alerts being ignored or inadequately investigated
  • No 24/7 monitoring for internet-facing or critical systems
  • Monitoring coverage has gaps in cloud environments or specific system types
  • Detection rules are not updated to reflect current threat patterns

Related Controls Across Frameworks

Framework   Control ID     Relationship
SOC 2       CC7.2          Equivalent
SOC 2       CC7.3          Related
NIS2        Art.21(2)(b)   Equivalent

Frequently Asked Questions

Is this control new in ISO 27001:2022?
Yes, one of the 11 new controls. The 2013 version implicitly expected monitoring through other controls, but the 2022 revision makes proactive security monitoring and anomaly detection an explicit requirement. This reflects the reality that modern threats need active detection - you cannot just collect logs and hope for the best.
Do we need 24/7 monitoring?
It depends on your risk profile. If you have internet-facing systems, critical business applications, or sensitive data, 24/7 coverage is strongly recommended - attackers do not work business hours. If building an internal SOC is not feasible, a managed detection and response (MDR) service can fill the gap at a fraction of the cost. At the very least, make sure critical alerts trigger out-of-hours notifications to on-call staff so nothing sits until Monday morning.
