Security is not a “set it and forget it” exercise. You can build the highest walls and the strongest gates, but if you don’t have a security guard watching the cameras, you won’t know someone has climbed over until it’s too late. This is the core principle behind ISO 27001:2022 Annex A 8.16.
While Annex A 8.15 (Logging) is about writing things down, Annex A 8.16 (Monitoring) is about reading them. It requires you to actively observe your networks, systems, and applications to detect anomalous behavior and potential security incidents before they cause irreversible damage.
What is Annex A 8.16?
The control is defined simply: networks, systems, and applications should be monitored for anomalous behavior and appropriate actions taken to evaluate potential information security incidents.
In conversational terms, this is your digital burglar alarm. It is a detective control designed to spot the difference between “business as usual” and “something is wrong.” Whether it’s a hacker trying to brute-force a password or an employee accidentally deleting a critical file, monitoring is the mechanism that alerts you to the problem.
Step 1: Define Your Scope (What to Monitor)
You cannot monitor everything; trying to do so will only create “alert fatigue,” where your team ignores warnings because there are simply too many of them. To implement this control effectively, you need to identify the critical assets and behaviors that pose the highest risk.
Start by asking yourself what activity would look suspicious in your specific environment. Common areas to monitor include:
- Inbound and Outbound Traffic: Are huge files leaving your network at 3 AM? Is a server communicating with a known malicious IP address?
- Access to Critical Data: Who is accessing your most sensitive customer databases? Is someone accessing files they don’t normally touch?
- Privileged Account Activity: “Super-user” or admin accounts hold the keys to the kingdom. Any activity by these accounts should be closely watched.
- System Resources: A sudden spike in CPU usage on a server could indicate malware (like crypto-mining software) or a Denial of Service (DoS) attack.
Step 2: Establish a Baseline
To spot “anomalous” behavior, you first need to understand “normal” behavior. This is called establishing a baseline.
For example, if your marketing team usually uploads 5GB of video files to the server every Friday, that is normal. If the finance team, who usually deals with small spreadsheets, suddenly uploads 5GB of data on a Tuesday, that is an anomaly.
Without a baseline, your monitoring tools are flying blind. You should document what normal traffic, login times, and resource usage look like for different roles and systems within your organisation.
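As an added illustration of the baseline idea (example code written for this page, not from the article or its author), the script below builds a per-team "normal" from a constructed history of daily upload volumes and then flags new uploads that fall well outside it. The marketing and finance figures, the team names, and the tolerance settings (five MAD units, floored at 10% of the median) are all assumptions chosen to mirror the article's scenario; the median and median absolute deviation are used instead of mean and standard deviation so that a single past anomaly does not inflate the baseline and mask the next one. An actor with no history at all is escalated rather than silently accepted, because "we have never seen this before" is itself worth a look.

```python
"""Baseline-driven upload anomaly check (added example; constructed data, not from the article)."""
from collections import defaultdict
from datetime import date
from statistics import median

MB = 1024 ** 2
GB = 1024 * MB

# Constructed history: (day, team, bytes uploaded that day).
# Marketing routinely pushes ~5 GB of video on Fridays; finance sends small spreadsheets.
HISTORY = [
    (date(2024, 5, 3), "marketing", 5120 * MB),
    (date(2024, 5, 10), "marketing", 4900 * MB),
    (date(2024, 5, 17), "marketing", 5300 * MB),
    (date(2024, 5, 24), "marketing", 5120 * MB),
    (date(2024, 5, 6), "finance", 2 * MB),
    (date(2024, 5, 7), "finance", 3 * MB),
    (date(2024, 5, 8), "finance", 2 * MB),
    (date(2024, 5, 9), "finance", 4 * MB),
]

# Constructed new events to evaluate against that baseline (28 May 2024 is a Tuesday).
NEW_EVENTS = [
    (date(2024, 5, 28), "marketing", 5 * GB),    # usual volume on an unusual day: within tolerance
    (date(2024, 5, 28), "finance", 5 * GB),      # the article's anomaly
    (date(2024, 5, 28), "finance", 3 * MB),      # ordinary spreadsheet
    (date(2024, 5, 28), "contractor", 10 * MB),  # actor with no baseline at all
]


def build_baseline(history):
    """Per-team median and median absolute deviation (MAD) of daily upload volume.

    Median/MAD are used rather than mean/stddev so one outlier already in the
    history does not stretch the baseline enough to hide the next one.
    """
    per_team = defaultdict(list)
    for _, team, size in history:
        per_team[team].append(size)
    baseline = {}
    for team, sizes in per_team.items():
        med = median(sizes)
        mad = median([abs(s - med) for s in sizes])
        baseline[team] = (med, mad)
    return baseline


def anomaly_reason(team, size, baseline, k=5.0, min_spread=0.1):
    """Return None if size is within the team's normal range, else a short reason.

    spread is the MAD floored at min_spread * median, so a perfectly flat history
    (MAD == 0) still tolerates small jitter instead of flagging every byte of change.
    k and min_spread are assumed tuning values, not figures from the article.
    """
    if team not in baseline:
        return "no baseline for this actor"
    med, mad = baseline[team]
    spread = max(mad, min_spread * med)
    if spread == 0:
        return None if size == med else "deviation from a zero-volume baseline"
    if abs(size - med) > k * spread:
        return f"{size / MB:.0f} MB vs. typical {med / MB:.0f} MB"
    return None


def detect(history, events):
    """Evaluate events against a baseline built from history; return the flagged ones."""
    baseline = build_baseline(history)
    flagged = []
    for day, team, size in events:
        reason = anomaly_reason(team, size, baseline)
        if reason:
            flagged.append((day, team, size, reason))
    return flagged


if __name__ == "__main__":
    for day, team, size, reason in detect(HISTORY, NEW_EVENTS):
        print(f"{day} {team}: {reason}")
```

Run as-is it reports the finance 5 GB upload and the unknown contractor, and stays quiet about marketing's routine volume. In practice the baseline would be keyed on more than the team (day of week, source system, destination) and rebuilt on a schedule, which is the "review your baselines regularly" point made later in the article.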
Step 3: Select Your Tools
For small businesses, monitoring might be as simple as reviewing server logs and firewall reports weekly. However, for most organisations seeking ISO 27001 certification, manual review is impossible due to the sheer volume of data.
You will likely need automated tools such as:
- SIEM (Security Information and Event Management): These tools aggregate logs from various sources and look for patterns.
- IDS/IPS (Intrusion Detection/Prevention Systems): These monitor network traffic for known attack signatures.
- Endpoint Detection and Response (EDR): Software installed on laptops and servers to spot malicious processes.
If you are unsure where to start with documentation or tool selection, resources like Hightable.io offer toolkits that can provide policies and templates to structure your monitoring strategy effectively.
Step 4: Configure Alerts and Triggers
Once your tools are in place, you need to tell them when to scream. You should configure alerts based on the risks you identified in Step 1. Typical triggers include:
- Failed Login Attempts: Multiple failures in a short time could indicate a brute-force attack.
- Malware Detection: If your antivirus quarantines a file, you need to know immediately to check if it spread.
- After-Hours Access: A login from the office IP address when the office is closed might be a physical security breach or a compromised machine.
- Privilege Escalation: If a standard user is suddenly added to the “Domain Admins” group, this is a critical red flag.
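To show what three of these triggers look like as actual detection logic, here is an added example (written for this page, not the article's or any vendor's code) that runs simple rules over a handful of constructed auth-log lines. The key=value log format, the host and user names, the office address range 10.0.0.0/24, the 08:00 to 18:00 weekday business hours, and the "five failures in 60 seconds" threshold are all assumptions; real tooling would read the equivalent fields from Windows Security events, syslog or a cloud audit trail and tune the thresholds to the environment's own baseline.

```python
"""Rule-based alert triggers over an auth log (added example; constructed lines, not from the article)."""
import ipaddress
import shlex
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

# Assumed environment: office workstations sit in 10.0.0.0/24 and the office is
# staffed 08:00-18:00 Monday to Friday. Thresholds are illustrative, not prescribed.
OFFICE_NET = ipaddress.ip_network("10.0.0.0/24")
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
FAIL_THRESHOLD = 5                    # failed logins ...
FAIL_WINDOW = timedelta(seconds=60)   # ... within this window for one user
WATCHED_GROUPS = {"Domain Admins"}    # group additions that always warrant an alert

# Constructed log lines in a simple key=value format (timestamps are UTC; 14 May 2024 is a Tuesday).
SAMPLE_LOG = [
    "2024-05-14T02:13:01Z host=fs01 user=alice src=10.0.0.5 event=LOGIN_FAILED",
    "2024-05-14T02:13:07Z host=fs01 user=alice src=10.0.0.5 event=LOGIN_FAILED",
    "2024-05-14T02:13:13Z host=fs01 user=alice src=10.0.0.5 event=LOGIN_FAILED",
    "2024-05-14T02:13:19Z host=fs01 user=alice src=10.0.0.5 event=LOGIN_FAILED",
    "2024-05-14T02:13:25Z host=fs01 user=alice src=10.0.0.5 event=LOGIN_FAILED",
    "2024-05-14T02:14:10Z host=fs01 user=alice src=10.0.0.5 event=LOGIN_OK",
    "2024-05-14T02:40:00Z host=fs01 user=bob src=10.0.0.9 event=LOGIN_FAILED",
    "2024-05-14T02:42:00Z host=fs01 user=bob src=10.0.0.9 event=LOGIN_FAILED",
    "2024-05-14T02:44:00Z host=fs01 user=bob src=10.0.0.9 event=LOGIN_FAILED",
    "2024-05-14T09:30:00Z host=fs01 user=bob src=10.0.0.9 event=LOGIN_OK",
    '2024-05-14T10:02:00Z host=dc01 actor=bob target=dave group="Domain Admins" event=GROUP_ADD',
    '2024-05-14T10:03:00Z host=dc01 actor=bob target=dave group="Marketing" event=GROUP_ADD',
    "2024-05-14T22:05:00Z host=vpn01 user=carol src=203.0.113.7 event=LOGIN_OK",
]


def parse_event(line):
    """Split one line into a dict; the first token is the timestamp."""
    tokens = shlex.split(line)  # shlex keeps quoted values such as "Domain Admins" together
    event = {"ts": datetime.strptime(tokens[0], "%Y-%m-%dT%H:%M:%SZ")}
    for token in tokens[1:]:
        key, _, value = token.partition("=")
        event[key] = value
    return event


def outside_business_hours(ts):
    """True on weekends or outside the assumed 08:00-18:00 window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def evaluate(lines):
    """Apply the three triggers and return (rule, subject, timestamp) alerts in log order."""
    alerts = []
    recent_failures = defaultdict(deque)  # user -> timestamps of failures inside FAIL_WINDOW
    for line in lines:
        ev = parse_event(line)
        kind = ev.get("event")
        if kind == "LOGIN_FAILED":
            window = recent_failures[ev["user"]]
            window.append(ev["ts"])
            while ev["ts"] - window[0] > FAIL_WINDOW:  # drop failures that have aged out
                window.popleft()
            if len(window) == FAIL_THRESHOLD:  # fire once as the threshold is crossed
                alerts.append(("brute_force", ev["user"], ev["ts"]))
        elif kind == "LOGIN_OK":
            src = ipaddress.ip_address(ev["src"])
            if src in OFFICE_NET and outside_business_hours(ev["ts"]):
                alerts.append(("after_hours_office_login", ev["user"], ev["ts"]))
        elif kind == "GROUP_ADD" and ev.get("group") in WATCHED_GROUPS:
            alerts.append(("privilege_escalation", ev["target"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for rule, subject, ts in evaluate(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {rule}: {subject}")
```

On the sample it raises exactly three alerts: alice's five rapid failures, her subsequent 02:14 login from an office address, and dave being added to Domain Admins. bob's three slow failures and carol's evening VPN login from outside the office range stay below the bar, which is the point of tying each rule to a window or a scope rather than firing on every single event.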
Step 5: The Human Element (Review and Action)
The control isn’t just about having software; it’s about taking “appropriate actions.” A dashboard flashing red is useless if nobody looks at it.
You must establish a process for who reviews these alerts and how they respond. This links directly to your Incident Management process. If an alert is triggered:
- Triage: Is this a false positive or a real threat?
- Investigate: Look at the logs (Annex A 8.15) to see what happened.
- Respond: Block the user, isolate the machine, or reset passwords as required.
Legal and Privacy Considerations
A common pitfall in implementing Annex A 8.16 is ignoring the legal side. Monitoring often involves processing personal data (e.g., tracking what websites employees visit or reading their emails).
You must ensure your monitoring activities comply with local data protection laws (like GDPR). Employees should be informed that they are being monitored, typically through an Acceptable Use Policy or an Employee Privacy Notice. Transparency is key to staying legal.
Common Mistakes to Avoid
- Collecting Too Much Data: If you log everything, you will find nothing. Focus on high-value data.
- Set and Forget: Threat landscapes change. Review your monitoring rules and baselines regularly (at least annually).
- Ignoring Cloud Services: Don’t forget to monitor your SaaS platforms (like Microsoft 365 or AWS). They are just as critical as your on-premise servers.
Conclusion
Implementing ISO 27001 Annex A 8.16 is about moving from a passive security stance to an active one. By defining what is normal, deploying the right tools, and having a human process to react to alerts, you turn the lights on in your IT environment. This not only satisfies the auditor but genuinely hardens your organisation against attacks.
About the author
Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.
Holding an MSc in Software and Systems Security, Stuart combines academic rigor with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.
As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organizations – from high-growth technology startups to enterprise financial institutions – through the audit lifecycle.
His toolkits represent the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.

