Requirement
Requirement lens
This control asks whether networks, systems, and applications are monitored for anomalous behaviour and whether potential incidents are evaluated and acted on.
“Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents.”
Plain-language meaning
The organization should actively watch important technology environments for signs that something abnormal or suspicious is happening. Monitoring should help detect possible attacks, misuse, compromise, lateral movement, service abuse, and unusual system behaviour early enough for people to investigate and respond.
This is not the same as simply collecting logs. A.8.15 Logging is about producing, storing, protecting, and analysing log records. A.8.16 is about turning available signals into risk-based detection, alerting, triage, escalation, and incident evaluation.
Why this matters
Attackers rarely announce themselves clearly. They create patterns: failed logons, unexpected successful logons, unusual data transfers, privilege changes, endpoint alerts, strange process behaviour, new connections, or activity outside normal hours.
Monitoring helps the organization detect those patterns before they become major incidents. Poor monitoring creates blind spots. Excessive noisy monitoring creates alert fatigue, where real attacks are missed because the team is overwhelmed.
Implementation guidance
Implementer focus
Start with risk and detection use cases, not with a tool feature list. A SIEM, IDS, or IPS is only useful when it monitors the right sources, with tuned rules, clear thresholds, and a response path.
1. Define what must be monitored
Identify monitoring scope from Risk Assessment, asset criticality, business impact, interested-party requirements, and the Statement of Applicability. Typical scope includes:
- networks and internet-facing services;
- identity systems and privileged access paths;
- endpoint and server security events;
- cloud control planes and SaaS administration;
- business-critical applications and databases;
- security tools such as EDR, IDS, IPS, WAF, and DLP;
- backup, logging, and monitoring infrastructure itself.
2. Convert risks into detection use cases
Each significant threat scenario should lead to one or more detection use cases.
| Risk scenario | Example monitoring use case |
|---|---|
| Credential attack | Many failed logons followed by success from the same source |
| Lateral movement | Authentication from unusual hosts or service accounts |
| Privilege misuse | Admin action outside approved window or change ticket |
| Data exfiltration | Unusual volume or destination for sensitive data transfer |
| Malware activity | Endpoint alert combined with suspicious network connection |
| Cloud compromise | New access key, policy change, or admin login from unusual location |
3. Map use cases to data sources
For each detection use case, identify the log, alert, telemetry, or sensor source that can prove it. Do not assume a monitoring tool covers everything. Some systems may not generate the needed telemetry, may require configuration changes, or may need indirect detection through network, identity, or application logs.
4. Tune rules and thresholds
Monitoring should use thresholds that reflect risk appetite and operational context. One failed login may be normal. Ten failed logins in five seconds followed by a success from the same source is more suspicious.
Thresholds should be reviewed after false positives, missed detections, incidents, system changes, and threat intelligence updates.
5. Define triage, escalation, and out-of-hours response
Monitoring only works if alerts lead somewhere. Define:
- who reviews alerts;
- how potential incidents are assessed;
- when events become incidents under A.5.25 Assessment and Decision on Information Security Events;
- how response starts under A.5.26 Response to Information Security Incidents;
- who is contacted outside working hours;
- how evidence is preserved under A.5.28 Collection of Evidence.
6. Review effectiveness
Monitor the monitoring process itself. Track alert volume, false positives, missed detections, stale rules, source coverage, escalation time, and lessons learned from incidents.
Audit guidance
Auditor focus
Trace monitoring from risk to alert: risk scenario -> event to detect -> configured rule -> data source -> triage record -> incident or closure decision.
Auditors should verify:
- monitoring scope is based on risk and critical assets;
- detection use cases are defined for relevant threats;
- alerts are traceable to configured rules and data sources;
- monitoring covers required networks, systems, applications, cloud services, and security tools;
- blind spots are known, justified, and risk-treated;
- thresholds are tuned and reviewed;
- alerts are triaged and escalated consistently;
- detected incidents are handled through the incident management process;
- alert fatigue is monitored and managed;
- out-of-hours alert handling is defined and tested where relevant;
- monitoring performance is reviewed and improved.
Auditors should sample detected alerts and ask what happened next. A closed alert should have a reason. A true positive should link to an event decision, incident response record, corrective action, or lessons learned.
Evidence examples
Evidence quality
Strong evidence proves that monitoring is risk-based, technically configured, operationally reviewed, and connected to incident evaluation.
| Evidence | What it proves |
|---|---|
| Monitoring strategy or standard | Monitoring requirements and scope are defined |
| Detection use case register | Risks have been translated into alert logic |
| Monitoring coverage/source map | Required systems and sources are connected |
| SIEM/IDS/IPS/EDR rule configuration | Detection logic is implemented |
| Alert threshold review records | Rules are tuned and maintained |
| Alert triage records | Alerts are evaluated |
| Incident response records | True positives are escalated and handled |
| Out-of-hours escalation checklist/test | Alerts can be handled outside normal hours |
| Monitoring metrics | Alert fatigue and performance are reviewed |
Strong evidence
- Detection use cases trace to risk scenarios and critical services.
- Monitoring sources cover identity, endpoints, servers, networks, cloud, applications, and security tools where relevant.
- Alert thresholds are tuned and periodically reviewed.
- Alerts show triage decisions and escalation where needed.
- True positives link to incident records and corrective actions.
- Blind spots are documented with compensating controls or risk acceptance.
- Out-of-hours escalation has named contacts and test evidence.
Weak evidence
- A SIEM exists but default rules are not reviewed.
- Alerts are generated but no one owns triage.
- Monitoring covers perimeter devices only and misses identity, cloud, or endpoints.
- Thresholds create constant noise and ignored alerts.
- No one can explain what an alert means or what action follows.
- Out-of-hours alerts depend on informal personal contact.
- Monitoring rules are not updated after incidents or environment changes.
Common failures
Implementation watchouts
A.8.16 fails when monitoring becomes a noisy dashboard instead of a risk-based detection and response process.
| Failure | Why it matters |
|---|---|
| Tool-first implementation | Default alerts may not match organizational risk |
| No detection use cases | Monitoring cannot be traced to threats or risks |
| Poor source coverage | Incidents may occur in blind spots |
| No threshold tuning | False positives overwhelm analysts |
| No triage ownership | Alerts are produced but not evaluated |
| Weak escalation | Potential incidents are not handled quickly |
| No out-of-hours process | Attacks outside business hours are delayed |
| No effectiveness review | Rules become stale as systems and threats change |
Exam traps
Exam focus
A.8.16 is about monitoring for anomalous behaviour and evaluating potential incidents. It is not satisfied by log collection alone.
| Trap | Correct interpretation |
|---|---|
| Monitoring is the same as logging | Logging creates records; monitoring detects anomalies and potential incidents |
| SIEM/IDS/IPS presence proves compliance | Source coverage, rules, thresholds, triage, escalation, and tuning matter |
| Provider default rules are enough | Rules should be reviewed in the organization’s risk context |
| More alerts means better detection | Too many alerts can create event fatigue and missed incidents |
| Only perimeter traffic needs monitoring | Identity, endpoints, cloud, applications, and critical systems may also be needed |
| In-hours monitoring is enough | Out-of-hours escalation should be defined where risk requires it |
Related controls and concepts
- A.8 Technological Controls MOC
- A.8.15 Logging
- A.8.7 Protection Against Malware
- A.8.8 Management of Technical Vulnerabilities
- A.8.12 Data Leakage Prevention
- A.5.24 Information Security Incident Management Planning and Preparation
- A.5.25 Assessment and Decision on Information Security Events
- A.5.26 Response to Information Security Incidents
- A.5.27 Learning from Information Security Incidents
- A.5.28 Collection of Evidence
- Risk Assessment
- Statement of Applicability
- Logging and Monitoring Standard
- Monitoring Detection Use Case Register
- Monitoring Coverage and Data Source Map
- Monitoring Alert Threshold Review
- Out-of-Hours Monitoring Escalation Checklist
- A.8.16 Audit Evidence Pack
- A.8.16 Audit Checklist
KB-ready summary
Mentor takeaway
A.8.16 turns technical signals into detection and response. Strong implementation proves that important risks have detection use cases, the right data sources are monitored, alerts are tuned, triaged, escalated, and improved over time.
- Define monitoring from risk and critical assets.
- Map each detection use case to a data source.
- Tune alert thresholds to reduce noise and missed detections.
- Connect alerts to event assessment and incident response.
- Review blind spots, false positives, out-of-hours response, and monitoring effectiveness.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Technological controls
- Monitoring
- Incident detection
- Audit
Note Metadata
Aliases: A.8.16, Monitoring Activities, Security Monitoring
Source: 05 Annex A Technological Controls/A.8.16 Monitoring Activities.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
13
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
- A.8 Technological Controls MOC
- ISO 27001 A.5.24 - Information Security Incident Management Planning and Preparation
- ISO 27001 A.5.25 - Assessment and Decision on Information Security Events
- ISO 27001 A.5.26 - Response to Information Security Incidents
- ISO 27001 A.5.27 - Learning from Information Security Incidents
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- Risk Assessment
- Statement of Applicability
- ISO 27001 A.5.24 - Information Security Incident Management Planning and Preparation
- ISO 27001 A.5.25 - Assessment and Decision on Information Security Events
- ISO 27001 A.5.26 - Response to Information Security Incidents
- ISO 27001 A.5.27 - Learning from Information Security Incidents
- ISO 27001 A.5.28 - Collection of Evidence
- A.8.16 Audit Evidence Pack
- ISO 27001 A.8.12 - Data Leakage Prevention
- ISO 27001 A.8.15 - Logging
- ISO 27001 A.8.20 - Networks Security
- ISO 27001 A.8.22 - Segregation of Networks
- ISO 27001 A.8.23 - Web Filtering
- ISO 27001 A.8.34 - Protection of Information Systems During Audit Testing
- ISO 27001 A.8.7 - Protection Against Malware
- ISO 27001 A.8.8 - Management of Technical Vulnerabilities
- A.8 Technological Controls MOC
- A.8 Technological Controls Implementation Guide
- A.8 Technological Controls Audit Guide
- ISO27001-A.8.16 Monitoring Activities
- A.8 Technological Controls Implementation Audit Risk Mapping
- EXAM-034 - Monitoring Activities
- EXAM-035 - Software Installation and Network Security
- EXAM-036 - Network Services, Segregation, and Web Filtering
- ISO 27002 Annex A Control Interpretation Map
- A.8.16 Audit Checklist
- Emergency Change Record
- Logging and Monitoring Standard
- Monitoring Alert Threshold Review
- Monitoring Coverage and Data Source Map
- Monitoring Detection Use Case Register
- Network Monitoring and Corrective Action Register
- Network Security Architecture and Zoning Standard
- Out-of-Hours Monitoring Escalation Checklist
- Virtual Network and Hypervisor Security Review
- Web Filtering Coverage Review
- Annex A Controls MOC