Implementing ISO 27001 Annex A 8.16 is a vital security process involving the active monitoring of networks, systems, and applications to identify irregularities. By establishing technical baselines and configuring real-time alerts, organizations can achieve rapid anomaly detection, ensuring that potential threats are identified and neutralized before they escalate into data breaches.
ISO 27001 Annex A Monitoring Activities Implementation Checklist
Use this implementation checklist to achieve compliance with ISO 27001 Annex A 8.16. True monitoring is not about passive log collection; it is the active, configured observation of your infrastructure to detect anomalies before they become breaches.
1. Define the Monitoring Scope and Critical Assets
Control Requirement: Networks, systems, and applications must be monitored for anomalous behaviour.
Required Implementation Step: Create a technical register of critical assets (e.g., Domain Controllers, SQL Databases, Firewall Edge) and explicitly define what constitutes “suspicious” for each. Do not simply “turn on logging” everywhere; select specific high-risk data flows to monitor to prevent alert fatigue.
Minimum Requirement: A documented list of high-value targets and the specific behaviours (e.g., outbound traffic > 1GB) that trigger an alert.
2. Establish Technical Baselines for Normal Behaviour
Control Requirement: Anomalies must be detected against a standard of normal operation.
Required Implementation Step: Run your monitoring tools in “learning mode” or manually analyse 30 days of traffic to establish baseline metrics for CPU usage, bandwidth consumption, and login frequency. Document these thresholds (e.g., “Finance server upload limit: 500MB/day”) in your configuration files.
Minimum Requirement: You cannot detect an anomaly if you have not technically defined “normal” traffic patterns.
3. Configure Egress Filtering and Traffic Analysis
Control Requirement: Monitor network traffic for potential data exfiltration or command-and-control communication.
Required Implementation Step: Configure your firewall or IDS/IPS to flag outbound connections to unknown IP addresses, non-standard ports, or Tor exit nodes. Specifically monitor for “beaconing” activity where internal servers ping external IPs at regular intervals.
Minimum Requirement: Alerts must trigger on unexpected outbound traffic from critical internal servers.
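As an added example (not from the original checklist), the following Python detector applies a documented per-host baseline from step 2 and the regular-interval beaconing rule from step 3 to constructed flow records; the host names, the 500MB/day limit, the documentation-range IP addresses and the 10% jitter tolerance are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow records (documentation IP ranges): timestamp, src host, dst IP, dst port, bytes.
SAMPLE_FLOWS = """\
2024-03-01T00:00:00 finance-srv 203.0.113.10 443 1200
2024-03-01T00:05:00 finance-srv 203.0.113.10 443 1180
2024-03-01T00:10:00 finance-srv 203.0.113.10 443 1210
2024-03-01T00:15:00 finance-srv 203.0.113.10 443 1195
2024-03-01T00:20:00 finance-srv 203.0.113.10 443 1205
2024-03-01T02:13:00 finance-srv 198.51.100.7 443 700000000
2024-03-01T09:12:00 web-srv 203.0.113.50 443 4000
"""

# Documented baseline from step 2, e.g. "Finance server upload limit: 500MB/day" (assumed value).
DAILY_EGRESS_LIMIT = {"finance-srv": 500 * 1024 * 1024}

def parse_flows(text):
    """Turn whitespace-separated records into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, port, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows

def daily_egress_alerts(flows, limits):
    """Flag hosts whose outbound bytes in one calendar day exceed their baseline limit."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["src"], f["ts"].date())] += f["bytes"]
    return [(src, day.isoformat(), total) for (src, day), total in totals.items()
            if total > limits.get(src, float("inf"))]

def beacon_alerts(flows, min_hits=5, max_jitter=0.1):
    """Flag (src, dst, port) tuples contacted at near-constant intervals: a beaconing pattern."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"], f["port"])].append(f["ts"])
    alerts = []
    for key, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # A low spread relative to the mean gap indicates a timer, not a human.
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            alerts.append(key + (round(mean(gaps)),))
    return alerts
```

Hosts without a documented limit are never flagged by the egress rule, which is the point of step 2: no baseline, no anomaly.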
4. Implement Privileged Account Monitoring (PAM)
Control Requirement: Detect unauthorised or irregular use of administrative access.
Required Implementation Step: Set up specific alerts for any usage of “Domain Admin” or “Root” accounts outside of approved change control windows. Configure the SIEM to flag simultaneous logins from different geolocations or logins from non-management subnets.
Minimum Requirement: Immediate notification to the security team upon any use of emergency “break-glass” accounts.
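An added example, not part of the original checklist, showing how the step 4 rules (admin use outside a change window, logins from a non-management subnet, logins from different geolocations close together, any break-glass use) can be encoded as detection logic over constructed login events; the account names, the management subnet, the change window and the one-hour geolocation span are assumed values.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed authentication events: timestamp, account, source IP, country code.
SAMPLE_LOGINS = """\
2024-03-03T01:15:00 da-admin 10.10.50.12 GB
2024-03-03T10:30:00 da-admin 10.10.50.12 GB
2024-03-03T10:42:00 da-admin 192.168.7.9 GB
2024-03-03T10:50:00 da-admin 10.10.50.14 DE
2024-03-03T14:00:00 breakglass 10.10.50.12 GB
2024-03-03T14:05:00 jsmith 192.168.7.20 GB
"""

PRIVILEGED = {"da-admin", "root"}          # assumed admin account names
BREAK_GLASS = {"breakglass"}               # assumed emergency account name
MANAGEMENT_SUBNET = ipaddress.ip_network("10.10.50.0/24")  # assumed admin jump subnet
# Approved change-control windows as (start, end) pairs (assumed).
CHANGE_WINDOWS = [(datetime(2024, 3, 3, 10, 0), datetime(2024, 3, 3, 12, 0))]

def parse_logins(text):
    """Turn whitespace-separated login records into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        ts, user, ip, geo = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ipaddress.ip_address(ip), "geo": geo})
    return events

def privileged_alerts(events, windows=CHANGE_WINDOWS, geo_span=timedelta(hours=1)):
    """Return (severity, account, reason) for each rule hit, in event order."""
    alerts, last_seen = [], {}  # last_seen: account -> (timestamp, country)
    for e in sorted(events, key=lambda x: x["ts"]):
        acct = e["user"]
        if acct in BREAK_GLASS:  # any use at all is an immediate notification
            alerts.append(("critical", acct, "break-glass account used"))
            continue
        if acct not in PRIVILEGED:
            continue
        if not any(start <= e["ts"] <= end for start, end in windows):
            alerts.append(("high", acct, "admin login outside change window"))
        if e["ip"] not in MANAGEMENT_SUBNET:
            alerts.append(("high", acct, f"admin login from non-management subnet {e['ip']}"))
        prev = last_seen.get(acct)
        if prev and prev[1] != e["geo"] and e["ts"] - prev[0] <= geo_span:
            mins = int((e["ts"] - prev[0]).total_seconds() // 60)
            alerts.append(("critical", acct, f"logins from {prev[1]} and {e['geo']} {mins} min apart"))
        last_seen[acct] = (e["ts"], e["geo"])
    return alerts
```

The severity field is what lets the SIEM route "critical" hits to a pager and leave "high" ones for analyst review, as step 7 requires.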
5. Deploy Endpoint Detection and Response (EDR) Agents
Control Requirement: Monitor endpoints for malicious processes and malware.
Required Implementation Step: Install EDR agents on all servers and workstations. Configure policies to detect and isolate processes attempting to modify system files, inject code (DLL injection), or run PowerShell scripts with encoded commands.
Minimum Requirement: Use EDR, not just legacy Antivirus; signature-based detection is insufficient for modern monitoring.
6. Centralise Logs into a SIEM or Log Server
Control Requirement: Aggregate data to correlate events across different systems.
Required Implementation Step: Configure all network devices, servers, and critical applications to forward logs to a central, immutable repository (SIEM or dedicated Syslog server). Ensure the timestamp formats align (see Annex A 8.17) to allow for cross-system event correlation.
Minimum Requirement: Logs must not remain solely on the local device where they can be wiped by an attacker.
7. Configure “Scream” Alerts for High-Fidelity Indicators
Control Requirement: Ensure appropriate actions are taken when events occur.
Required Implementation Step: Configure your monitoring toolset to send immediate, high-priority notifications (SMS/PagerDuty) for specific “red flag” events: failed login spikes (brute force), malware quarantine events, and privilege escalation events.
Minimum Requirement: Differentiate between “info” logs (for later review) and “critical” alerts (requiring immediate human response).
8. Establish a Triage and Response Procedure
Control Requirement: Monitoring must lead to evaluation and action.
Required Implementation Step: Draft a specific “Runbook” for analysts that dictates exactly what to do when an alert fires (e.g., “If Brute Force alert > Isolate IP > Reset User Password”). Verify that the process guarantees a human actually looks at the screen when critical alerts trigger.
Minimum Requirement: A defined escalation path; alerts going to a shared inbox that nobody checks is a non-conformity.
9. Address Privacy and Legal Compliance (GDPR)
Control Requirement: Monitoring activities must comply with legal and privacy obligations.
Required Implementation Step: Update your Acceptable Use Policy (AUP) and Employee Privacy Notice to explicitly state that systems are monitored for security purposes. Ensure logs containing PII are access-controlled and retained only for the necessary period.
Minimum Requirement: Employees must be formally notified that their digital activity is subject to monitoring.
10. Review and Tune Monitoring Rules Regularly
Control Requirement: Continuous improvement of monitoring capabilities.
Required Implementation Step: Schedule a quarterly review of your alert rules. Identify the top 10 “noisy” alerts that generated false positives and tune the logic to suppress them. This prevents “alert fatigue” where analysts ignore real threats due to volume.
Minimum Requirement: Evidence of rule tuning/maintenance to prove the monitoring system is active and evolving.
ISO 27001 Annex A 8.16 SaaS / GRC Platform Implementation Failure Checklist
| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| Define Monitoring Scope | GRC tool asks “Is monitoring enabled?” (Yes/No). | You clicked “Yes”, but you are only monitoring disk space, not security events. Hackers don’t care about your disk space. |
| Establish Baselines | Uploading a generic policy document stating “we monitor systems”. | Without technical baselines defined in the tool, you have no way of knowing that a 2GB midnight upload is an anomaly. |
| SIEM / Log Aggregation | “We have logs enabled on the server.” | If logs are local-only, the attacker deletes them after they break in. No centralisation means no evidence. |
| Alert Configuration | Using default “out of the box” alert settings. | Default settings create 10,000 emails a day. Your IT team creates an inbox rule to delete them unread. You are blind. |
| Privileged Monitoring | Listing Admins in a spreadsheet. | Real monitoring requires alerting when an Admin logs in at 3 AM on a Sunday. A spreadsheet doesn’t catch that. |
| Response Procedures | “We have an Incident Response Plan.” | The plan sits in a PDF. When the alert fires, the junior admin doesn’t know where the file is and panics. |
| Privacy Compliance | Ignoring the legal side entirely. | You successfully catch a malicious insider, but because you didn’t have a signed Privacy Notice, your evidence is inadmissible in court. |
