ISO 27001:2022 Annex A 8.16 Monitoring activities

ISO 27001 Annex A 8.16 Monitoring Activities

In this guide, I will show you exactly how to implement ISO 27001 Annex A 8.16 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.

I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.

Key Takeaways: ISO 27001 Annex A 8.16 Monitoring Activities

ISO 27001 Annex A 8.16 mandates that organizations monitor their networks, systems, and applications for “anomalous behavior.” Unlike passive logging, monitoring is an active process designed to detect potential security incidents in real-time. The goal is to catch unauthorized actions or system failures before they result in a full-scale data breach.

Core requirements for compliance include:

  • Continuous Visibility: You must implement tools that provide ongoing visibility into your IT environment (e.g., SIEM, NIDS/HIDS, or cloud-native monitors like Azure Sentinel or AWS CloudWatch).
  • Define “Normal”: To find an anomaly, you must first know what “normal” looks like. You must establish baselines for system performance and user activity so that spikes or unusual logins stand out.
  • Alerting & Response: Monitoring is useless if no one sees the alerts. You need a process for notifying the right people when a threshold is crossed and a documented way to investigate those alerts.
  • Privacy Compliance: Monitoring often involves looking at user data. You must ensure your monitoring activities comply with data protection laws (like GDPR) and are clearly stated in your employee privacy notices.

Audit Focus: Auditors will look for Actionable Analysis:

  1. The Trigger: “Show me the alert that fired during your last security test.”
  2. The Response: “Who investigated that alert? What was the outcome?”
  3. The Balance: They check that you aren’t logging everything (which causes alert fatigue) but rather focusing on high-risk triggers.

Key Monitoring Triggers (Audit Cheat Sheet):

Event Type           | Priority | Why Monitor?
---------------------|----------|-----------------------------------------------------------------------
Failed Logins        | High     | Indicator of a brute-force attack.
Privilege Escalation | Critical | A standard user suddenly gaining Admin rights.
Malware Detection    | Critical | Proves your antivirus is actually stopping threats.
After-Hours Access   | Medium   | Login at 3:00 AM from a remote IP (potential compromised account).
Data Outflow Spikes  | High     | Massive data transfer to an external IP (indicator of data exfiltration).
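To make the cheat sheet concrete, here is an added example (not code from the original guide) of the triggers applied to constructed events: a consecutive failed-login threshold, an Administrators group addition, a login outside business hours, and egress above an assumed per-host baseline. The event format, thresholds and baseline figures are assumptions for the demo.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events in a simple key=value format (not real log data).
SAMPLE_EVENTS = """\
ts=2024-03-04T09:02:10 type=login user=alice src=10.0.0.5 result=fail
ts=2024-03-04T09:02:12 type=login user=alice src=10.0.0.5 result=fail
ts=2024-03-04T09:02:14 type=login user=alice src=10.0.0.5 result=fail
ts=2024-03-04T09:02:20 type=login user=alice src=10.0.0.5 result=success
ts=2024-03-04T09:10:00 type=group_change user=bob group=Administrators action=add
ts=2024-03-04T03:04:00 type=login user=carol src=203.0.113.9 result=success
ts=2024-03-04T11:00:00 type=egress host=db01 bytes=120000000 dst=198.51.100.7
ts=2024-03-04T14:00:00 type=av_detect host=ws12 name=Trojan.Generic action=quarantined
"""

# Thresholds are assumptions for the demo; tune them to your own baselines.
FAILED_LOGIN_THRESHOLD = 3              # consecutive failures per user before alerting
BUSINESS_HOURS = range(7, 20)           # 07:00-19:59 counts as "normal" working time
EGRESS_BASELINE = {"db01": 20_000_000}  # assumed mean hourly egress per host, in bytes
EGRESS_SPIKE_FACTOR = 3                 # alert when egress exceeds 3x the baseline


def parse_event(line):
    """Split 'k=v k=v ...' into a dict and parse the timestamp."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def evaluate(lines):
    """Apply the cheat-sheet triggers; return a list of (priority, message)."""
    alerts = []
    failures = defaultdict(int)  # running count of failed logins per user
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["type"] == "login":
            if ev["result"] == "fail":
                failures[ev["user"]] += 1
                if failures[ev["user"]] == FAILED_LOGIN_THRESHOLD:
                    alerts.append(("High", f"{FAILED_LOGIN_THRESHOLD} failed logins "
                                           f"for {ev['user']} from {ev['src']}"))
            else:
                failures[ev["user"]] = 0  # a success resets the brute-force counter
                if ev["ts"].hour not in BUSINESS_HOURS:
                    alerts.append(("Medium", f"after-hours login by {ev['user']} "
                                             f"from {ev['src']}"))
        elif ev["type"] == "group_change" and ev["group"] == "Administrators":
            if ev["action"] == "add":
                alerts.append(("Critical", f"privilege escalation: {ev['user']} "
                                           "added to Administrators"))
        elif ev["type"] == "av_detect":
            alerts.append(("Critical", f"malware on {ev['host']}: {ev['name']} "
                                       f"({ev['action']})"))
        elif ev["type"] == "egress":
            baseline = EGRESS_BASELINE.get(ev["host"])
            if baseline and int(ev["bytes"]) > baseline * EGRESS_SPIKE_FACTOR:
                alerts.append(("High", f"egress spike from {ev['host']}: "
                                       f"{ev['bytes']} bytes to {ev['dst']}"))
    return alerts


if __name__ == "__main__":
    for priority, message in evaluate(SAMPLE_EVENTS.splitlines()):
        print(f"[{priority}] {message}")
```

Each alert carries the priority from the cheat sheet, so the same output can feed the notification and investigation process the auditor will ask about.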

What is ISO 27001 Annex A 8.16?

ISO 27001 Annex A 8.16 is about monitoring, which means you must implement monitors that aid incident response and investigations.

ISO 27001 Annex A 8.16 Monitoring is an ISO 27001 control that requires you to check for inappropriate actions on networks, systems, applications and premises. It is about watching before the bad things happen, so that you can catch them as they occur.

ISO 27001 Annex A 8.16 Purpose

ISO 27001 Annex A 8.16 is a detective and corrective control to detect anomalous behaviour and potential information security incidents.

ISO 27001 Annex A 8.16 Definition

The ISO 27001 standard defines ISO 27001 Annex A 8.16 as:

Networks, systems and applications should be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents.


ISO 27001 Annex A 8.16 Free Training Video

In the video ISO 27001 Monitoring Activities Explained – ISO27001:2022 Annex A 8.16 I show you how to implement it and how to pass the audit.

ISO 27001 Annex A 8.16 Explainer Video

In this beginner’s guide to ISO 27001 Annex A 8.16 Monitoring Activities, ISO 27001 Lead Auditor Stuart Barker and his team talk you through what it is, how to implement it and how to pass the audit. Free ISO 27001 training.

ISO 27001 Annex A 8.16 Podcast

In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001:2022 Annex A 8.16 Monitoring Activities. The podcast explores what it is, why it is important and the path to compliance.

ISO 27001 Annex A 8.16 Implementation Guidance

Identify Requirements

Identify what requirements you have for monitoring so that you can understand what you need to implement.

This is going to be based on the risk assessments that you have conducted and the needs of the business and your clients.

Consider that we use monitoring to catch things either before or as they are happening and to support investigations if things do happen.

ISO 27001 Logging and Monitoring Policy Template

You will have a topic specific policy, the ISO 27001 Logging and Monitoring Policy that sets out what you do for logging and monitoring.


Monitoring Records

As with all logs and data you will need to define a data retention schedule for your monitoring records and put in place appropriate safeguards, protections and information security controls, as with any other data.

What to monitor

What you monitor is down to you and your identification of requirements, but the standard provides some guidance on typical things that can be monitored:

  • Traffic that is inbound and outbound
  • Access to resources
  • Critical configuration files
  • Security tool logs
  • Event logs
  • Use of resources

Anomalous behaviour

Our monitoring is looking for behaviour outside the norm. Examples include:

  • Processes or applications that just stop, or restart
  • Malware traffic
  • Unusual system behaviour
  • Bottlenecks or spikes in resource usage
  • Unauthorised scans of systems and networks
  • Access attempts on restricted resources

Ensure You Meet the Law

Monitoring is potentially dangerous when it comes to law and regulation, in that the data it collects can contain information protected by data protection laws and others. It is important to ensure that what you have and what you do complies. This includes all steps of the process and lifecycle. It is recommended to get the advice of legal and data protection professionals for your particular deployment.

Monitoring Tools

The use of monitoring tools is clearly recommended. Some of these are built into systems and operating systems and some are off-the-shelf, dedicated solutions. It may be that you have a hybrid of tools. They need to be able to handle large volumes of information and include real-time notifications. Alerts should be configured, implemented and set against pre-defined thresholds.

Monitoring is usually done by specialist software, with examples being Host Intrusion Detection Systems (HIDS) or Network Intrusion Detection Systems (NIDS).

Staff

Staff will be trained to be able to use tools and interpret the information and appropriately respond. This can include the management of false positives, which do happen.

Continuous Monitoring

The standard advocates for continuous monitoring, in real time or at periodic intervals.

How to implement ISO 27001 Annex A 8.16

Establishing a robust monitoring framework is essential for detecting security anomalies, verifying system performance, and ensuring the continuous integrity of information assets. By following these technical implementation steps, your organisation can align with ISO 27001 Annex A 8.16 requirements to create a proactive and auditable security posture.

1. Formalise a Monitoring Strategy and Rules of Engagement

  • Document a formal monitoring policy that defines the scope of activities, including system logs, user access patterns, and network traffic anomalies.
  • Establish a Rules of Engagement (ROE) document that outlines the legal and privacy boundaries for monitoring employee activities to ensure compliance with the UK GDPR.
  • Result: A legally sound governance framework that dictates exactly what, when, and how systems are monitored within the organisation.

2. Provision a Centralised SIEM and Logging Infrastructure

  • Deploy a centralised Security Information and Event Management (SIEM) platform to aggregate logs from applications, servers, and network devices.
  • Configure log ingestion pipelines to capture critical events, such as failed authentication attempts, privilege elevations, and changes to system configurations.
  • Result: A unified “single pane of glass” view that enables the correlation of disparate events to identify complex multi-stage attacks.

3. Restrict Log Access via Granular IAM Roles and MFA

  • Implement the Principle of Least Privilege by assigning specific Identity and Access Management (IAM) roles to security analysts and system auditors.
  • Mandate Multi-Factor Authentication (MFA) for accessing monitoring consoles and log repositories to prevent unauthorised tampering or deletion of evidence.
  • Result: Assurance that log data remains immutable and accessible only to verified personnel, maintaining the integrity of the audit trail.

4. Execute Real-Time Alerting and Baseline Configuration

  • Establish baseline “normal” activity patterns for network traffic and system performance to facilitate the detection of statistically significant deviations.
  • Provision automated alerting rules within the SIEM to notify the Security Operations Centre (SOC) immediately upon the detection of high-risk indicators of compromise (IoCs).
  • Result: Reduced Mean Time to Detect (MTTD) by ensuring that critical security incidents are flagged for human review in real time.

5. Implement Cryptographic Hashing for Log Integrity

  • Utilise cryptographic hashing (e.g. SHA-256) and digital signatures on log files to detect any unauthorised modifications at rest.
  • Store logs on write-once-read-many (WORM) storage media or in an isolated “Security Account” in the cloud to prevent log wiping by advanced persistent threats.
  • Result: A forensically sound record of system activities that remains admissible in legal proceedings or regulatory audits.

6. Perform Periodic Monitoring Reviews and Capability Audits

  • Conduct quarterly technical reviews of monitoring rules and alert thresholds to ensure they remain effective against evolving threat landscapes.
  • Revoke or update monitoring access for personnel whose roles have changed, ensuring that the “four-eyes” principle is maintained for sensitive data access.
  • Result: A dynamic monitoring environment that evolves alongside organisational changes and new security vulnerabilities.
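Step 5 above calls for SHA-256 hashing and signatures on stored logs. The following is an added example (not the guide's or any vendor's code) of one way to do that: a SHA-256 hash chain over log lines, sealed with an HMAC so the stored head cannot be recomputed without the key. The HMAC stands in for a public-key signature, the key and log lines are constructed placeholders, and in practice the seal record would sit on WORM storage or in the isolated security account.

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32                          # fixed starting value for the chain
SEAL_KEY = b"constructed-demo-key-keep-in-kms"  # placeholder; real key lives in a KMS/HSM

# Constructed sample log lines, not real data.
SAMPLE_LOG = [
    "2024-03-04T09:02:10 login user=alice result=fail",
    "2024-03-04T09:10:00 group_change user=bob group=Administrators action=add",
    "2024-03-04T14:00:00 av_detect host=ws12 name=Trojan.Generic action=quarantined",
]


def chain_hashes(lines):
    """Per-line chain hashes: h_i = SHA-256(h_{i-1} || line_i), starting from GENESIS."""
    hashes, prev = [], GENESIS
    for line in lines:
        prev = hashlib.sha256(prev + line.encode()).digest()
        hashes.append(prev.hex())
    return hashes


def chain_head(lines):
    """The last chain hash, or the genesis value for an empty log."""
    hashes = chain_hashes(lines)
    return hashes[-1] if hashes else GENESIS.hex()


def seal(lines, key=SEAL_KEY):
    """Record to keep on WORM storage: line count, chain head and an HMAC over the head."""
    head = chain_head(lines)
    tag = hmac.new(key, head.encode(), hashlib.sha256).hexdigest()
    return {"count": len(lines), "head": head, "hmac": tag}


def verify(lines, record, key=SEAL_KEY):
    """Check the seal first, then the lines against it. Returns (ok, reason)."""
    expected = hmac.new(key, record["head"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record["hmac"]):
        return False, "seal invalid: record altered without the key"
    if len(lines) != record["count"]:
        return False, "line count differs: truncation or insertion"
    if chain_head(lines) != record["head"]:
        return False, "chain head differs: a line was modified"
    return True, "intact"


def locate_tamper(lines, stored_hashes):
    """Index of the first line whose chain hash differs from the stored list, or None."""
    for i, (h, s) in enumerate(zip(chain_hashes(lines), stored_hashes)):
        if h != s:
            return i
    return None


if __name__ == "__main__":
    record = seal(SAMPLE_LOG)
    print("clean:", verify(SAMPLE_LOG, record))
    edited = [SAMPLE_LOG[0], SAMPLE_LOG[1].replace("bob", "eve"), SAMPLE_LOG[2]]
    print("edited:", verify(edited, record), "at line", locate_tamper(edited, chain_hashes(SAMPLE_LOG)))
    print("deleted:", verify(SAMPLE_LOG[:1] + SAMPLE_LOG[2:], record))
```

Keeping the per-line hashes alongside the seal lets an investigator point to the first altered line rather than only knowing that the file changed.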

Key Monitoring Triggers

Event Type           | Priority | Why Monitor?
---------------------|----------|-----------------------------------------------
Failed Logins        | High     | Brute-force attack indicator.
Privilege Escalation | Critical | User suddenly becoming Admin.
Malware Detection    | Critical | Anti-virus actually catching something.
After-Hours Access   | Medium   | Login at 3 AM (could be a compromised account).

How to comply

To comply with ISO 27001 Annex A 8.16 you are going to implement the ‘how’ of the ‘what’ the control expects.
In short, you are going to:

  • Understand and record the legal, regulatory and contractual requirements you have for data
  • Conduct a risk assessment
  • Based on the legal, regulatory, contractual requirements and the risk assessment you will implement a monitoring solution
  • Implement a topic specific policy, the ISO 27001 Logging and Monitoring Policy
  • Document and implement your processes and technical implementations for monitoring
  • Check that the controls are working by conducting internal audits

What will an auditor check?

The audit is going to check a number of areas. Let’s go through the main ones.

1. That you have documentation

What this means is that you need to show that you have documented your legal, regulatory and contractual requirements for information and that you have taken these into account when building your monitoring solution. Where data protection laws apply, you must have documented what those laws are and what they require. You must also have an information classification scheme and a topic-specific policy for access control, and have documented your monitoring with all of this taken into account.

2. That you have implemented monitoring appropriately

They will look at systems for evidence of monitoring. They want to see evidence of monitoring and the process in operation, including the analysis of the monitoring data and what you do as a result of that analysis. In addition, the use of cloud services and the cloud provider’s monitoring capabilities will be reviewed.

3. That you have conducted internal audits

The audit will want to see that you have tested the controls and evidenced that they are operating. This is usually in the form of the required internal audits. They will check the records and outputs of those internal audits.

Top 3 ISO 27001 Annex A 8.16 mistakes and how to avoid them

In my experience, the top 3 mistakes people make for ISO 27001 Annex A 8.16 monitoring are:

1. You collect too much

Collecting too much data and logging everything is a common mistake we see, often in conjunction with storing all logs forever. It is easy to be overwhelmed with information, so it is important to work out what you are going to log and why. Then be sure that the information is valuable, can be analysed, and that the analysis is actionable.

2. You ignore data protection law

This is a massive mistake that we see, where people assume ISO 27001 is just information security and forget that it also checks that appropriate laws are being followed, in particular data protection laws. Cost saving by not having a data protection expert, or ignoring data protection law entirely, is a common mistake we see people make when cutting corners. Monitoring, and in particular monitoring of personal information, can get you in a lot of hot water depending on how you implement it.

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match wherever they are used, having a review evidenced in the last 12 months, and having documents that contain no stray comments are all good practices.

Fast Track Compliance with the ISO 27001 Toolkit


Own Your ISMS, Don’t Rent It

Do it Yourself ISO 27001 with the Ultimate ISO 27001 Toolkit


For ISO 27001 Annex A 8.16 (Monitoring activities), the requirement is to monitor systems for anomalous behavior and evaluate the results of that monitoring. This is a complex detective control that involves logs, alerts, and human review.

Many organizations are misled into thinking they need a compliance SaaS platform to “do” the monitoring for them. However, a SaaS platform is not a SIEM (Security Information and Event Management) tool; it is merely a place to store documentation. The High Table ISO 27001 Toolkit provides the logical, time-saving solution by delivering the governance framework you need to manage your actual monitoring tools effectively.

Here is why the Toolkit is the smarter choice for complying with Annex A 8.16:

1. Ownership: You Own Your Monitoring Governance Forever

SaaS platforms act as a vault for your compliance evidence. If you stop paying the monthly fee, you lose access to the policies and logs that prove you’ve been monitoring your systems.

  • The Toolkit Advantage: You receive the Logging and Monitoring Policy and Monitoring Review Logs in Word and Excel. These are yours forever. You own the governance that defines what you monitor and how you respond to alerts, ensuring you are audit-ready without being held to a “subscription ransom.”

2. Simplicity: Use the Tools You Already Have

Annex A 8.16 requires you to monitor your specific environment (Azure, AWS, Google Cloud, or on-premise). You don’t need a complex SaaS interface to tell you what your cloud logs already show.

  • The Toolkit Advantage: Your technical team is already using cloud-native monitoring (like AWS CloudWatch or Azure Monitor). The Toolkit provides the Monitoring Procedures and Review Checklists to formalize these activities. It bridges the gap between technical data and auditor requirements without forcing your team to learn a new, proprietary software platform.

3. Cost: A One-Off Fee vs. Expensive “Per-Log” Subscriptions

Many compliance SaaS platforms charge more as your volume of data or number of monitored systems increases. For a control centered on logs and events, these costs can spiral.

  • The Toolkit Advantage: You pay a single, one-off fee. Whether you are monitoring one server or an entire global infrastructure, the cost of your Monitoring Governance Documentation remains the same. You save your budget for the actual security tools (like a SIEM) rather than a platform to host the paperwork.

4. Freedom: No Vendor Lock-In for Your Security Stack

SaaS platforms often only integrate with a limited number of “approved” security tools. If you want to change your monitoring provider or use a custom solution, the SaaS tool can become a barrier to security innovation.

  • The Toolkit Advantage: The High Table Toolkit is technology-agnostic. You can edit the Logging and Monitoring Framework to reflect any toolset you choose. You maintain the freedom to evolve your security stack without having to reconfigure a rigid compliance platform.

Summary: For Annex A 8.16, the auditor wants to see that you have a strategy for monitoring and that you are reviewing the results. The High Table ISO 27001 Toolkit provides the governance structure to satisfy this requirement immediately. It is the most direct, cost-effective way to prove you are in control of your system monitoring with permanent documentation that you own and manage.

ISO 27001 Annex A 8.16 FAQ

What is ISO 27001 Annex A 8.16 and why is it critical?

ISO 27001 Annex A 8.16 is a detective control requiring organizations to monitor networks, systems, and applications for anomalous behavior to prevent or detect security incidents.

Think of it like the dashboard in a car versus a “black box” flight recorder. While a black box records data for later analysis (Logging), the dashboard tells you right now if the engine is overheating or you are running out of fuel (Monitoring). Annex A 8.16 is your security dashboard, alerting you to active threats so you can respond before damage occurs.

  • Purpose: To detect active threats and unauthorized behavior in real-time.
  • Key Function: Distinguishing between normal business operations and potential security events.
  • Outcome: Enables rapid incident response and minimizes data breach impact.

What is the difference between Logging (8.15) and Monitoring (8.16)?

Logging is the passive collection of data, while Monitoring is the active review and analysis of that data.

Many organizations confuse these two controls. You cannot have effective monitoring without logging, but you can have logging without monitoring (which is useless for immediate defense).

  • Annex A 8.15 (Logging): Records history. Example: A security camera recording to a hard drive in a basement.
  • Annex A 8.16 (Monitoring): Analyzes the present. Example: A security guard watching the live camera feed to spot an intruder.

What specific events or activities should we actually monitor?

You should monitor high-risk activities that deviate from your established baselines, focusing on the “Red Flags” of digital security.

It is impossible and counter-productive to monitor everything. Focus your alerts on indicators of compromise (IoCs) and critical system health metrics.

  • Inbound/Outbound Traffic: Large data transfers (potential exfiltration) or connections to known malicious IP addresses.
  • Access Control: Failed login attempts, after-hours access, or access to sensitive files by unauthorized personnel.
  • System Integrity: Unexpected modification of critical configuration files or installation of unauthorized software.
  • Resource Usage: Sudden spikes in CPU or memory usage that could indicate malware or crypto-jacking.

Do we need expensive SIEM tools to comply with Annex A 8.16?

No, ISO 27001 does not mandate specific expensive tools; it mandates effective processes suitable for your risk level.

While a Security Information and Event Management (SIEM) tool is excellent for large enterprises, smaller organizations can achieve compliance using built-in cloud tools (like AWS CloudWatch or Azure Monitor) or open-source solutions, provided the review process is rigorous.

  • Small Business: Native logs from firewalls/antivirus + daily manual review + automated email alerts for critical errors.
  • Enterprise: Centralized SIEM with automated correlation, machine learning, and 24/7 SOC monitoring.
  • Key Requirement: Proof that alerts are generated, reviewed, and acted upon.

What will an ISO 27001 Auditor look for regarding monitoring?

Auditors will look for evidence of “Actionable Analysis”—they want to see that you actually noticed and responded to an alert.

Having terabytes of logs is irrelevant if nobody looks at them. The auditor will ask for a “paper trail” from trigger to resolution.

  • The Trigger: Can you show an alert that fired in the last 3 months?
  • The Response: Is there a ticket or log entry showing who investigated it and what they did?
  • The Tuning: Have you adjusted your thresholds to reduce false positives?

What are the most common mistakes organizations make with Annex A 8.16?

The most common mistake is “Alert Fatigue”—turning on every possible notification until the security team ignores them all.

  • Collecting Too Much: Logging everything without filters creates noise that hides real threats.
  • No Baselines: Failing to define what “normal” looks like makes it impossible to spot “abnormal.”
  • Ignoring Legal Obligations: Monitoring employees too aggressively without proper privacy notices (violating GDPR or local labor laws).

Who is responsible for the Monitoring Activities control?

Ownership typically lies with the Head of IT or the Security Operations Center (SOC) team, but the responsibility is shared.

  • System Administrators: Responsible for configuring the tools to generate the right logs.
  • Security Analysts: Responsible for interpreting the alerts and investigating anomalies.
  • Management: Responsible for defining the risk appetite (e.g., “We need to know immediately if X happens”).

ISO 27001 Annex A 8.15 Logging

ISO 27001 Clause 9.1 Monitoring, Measurement, Analysis, Evaluation

Further Reading

Business Continuity Incident Action Log Template

ISO 27001 Logging and Monitoring Policy Beginner’s Guide

ISO 27001 Incident and Corrective Action Log Template

Stuart Barker
🎓 MSc Security 🛡️ Lead Auditor ⚡ 30+ Years Exp 🏢 Ex-GE Leader

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
