ISO 27001 Annex A 8.16
Logs are evidence; monitoring is the process that turns evidence into detection.
ISO 27001 Annex A 8.16 - Monitoring Activities
Monitoring turns the logs and telemetry produced under A.8.15 into active detection. The control asks for monitoring of networks, systems and applications - looking for anomalous behaviour that may indicate a security incident, and taking appropriate action when anomalies appear. Without monitoring, logs are only useful in retrospect.
Effective monitoring combines automated alerting (where defined patterns trigger immediate notification) with periodic review (where humans look for patterns the automation misses). The balance depends on scale: high-volume environments lean on automation; smaller environments may rely more on regular review of dashboards and reports, provided that review is scheduled and its outcome is recorded rather than left to chance.
Tuning is the part most organisations underestimate. Default monitoring rules generate enormous volumes of low-quality alerts that staff learn to ignore. Tuning to the actual environment, suppressing known-good patterns, and prioritising by impact turns the alerts into something staff can actually action. Each suppression should be recorded with its justification and reviewed periodically, so that a pattern suppressed as "expected" does not quietly become a blind spot. Untuned monitoring is often worse than no monitoring because it consumes attention without providing protection.
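As an added illustration of the tuning described above (example code written for this page, not part of the alphaZ toolkit or of the standard), the following Python compares a default rule that raises one alert for every failed SSH login with a tuned rule that suppresses a documented known-good source, aggregates failures per source against a threshold, and ranks what remains by the impact of the targeted account. The log lines, the known-good address, the threshold and the privileged-account list are all constructed assumptions for the example, not values from the page.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH/syslog style; not taken from any real system.
# 192.0.2.50 plays the role of an authorised vulnerability scanner (expected noise),
# 203.0.113.10 a password-spraying source, 198.51.100.7 a user mistyping a password,
# 203.0.113.77 a slower guessing attempt against an unprivileged account.
SAMPLE_LOG = """\
2024-05-01T09:00:01 sshd[101]: Failed password for invalid user test from 192.0.2.50 port 50001 ssh2
2024-05-01T09:00:01 sshd[102]: Failed password for invalid user guest from 192.0.2.50 port 50002 ssh2
2024-05-01T09:00:02 sshd[103]: Failed password for root from 192.0.2.50 port 50003 ssh2
2024-05-01T09:00:02 sshd[104]: Failed password for invalid user oracle from 192.0.2.50 port 50004 ssh2
2024-05-01T09:00:03 sshd[105]: Failed password for admin from 192.0.2.50 port 50005 ssh2
2024-05-01T09:05:10 sshd[120]: Failed password for root from 203.0.113.10 port 40001 ssh2
2024-05-01T09:05:11 sshd[121]: Failed password for root from 203.0.113.10 port 40002 ssh2
2024-05-01T09:05:12 sshd[122]: Failed password for root from 203.0.113.10 port 40003 ssh2
2024-05-01T09:05:13 sshd[123]: Failed password for root from 203.0.113.10 port 40004 ssh2
2024-05-01T09:05:14 sshd[124]: Failed password for admin from 203.0.113.10 port 40005 ssh2
2024-05-01T09:05:15 sshd[125]: Failed password for root from 203.0.113.10 port 40006 ssh2
2024-05-01T09:10:00 sshd[130]: Failed password for alice from 198.51.100.7 port 44100 ssh2
2024-05-01T09:10:04 sshd[131]: Failed password for alice from 198.51.100.7 port 44101 ssh2
2024-05-01T09:10:09 sshd[132]: Accepted password for alice from 198.51.100.7 port 44102 ssh2
2024-05-01T09:20:00 sshd[140]: Failed password for bob from 203.0.113.77 port 51000 ssh2
2024-05-01T09:20:01 sshd[141]: Failed password for bob from 203.0.113.77 port 51001 ssh2
2024-05-01T09:20:02 sshd[142]: Failed password for bob from 203.0.113.77 port 51002 ssh2
2024-05-01T09:20:03 sshd[143]: Failed password for bob from 203.0.113.77 port 51003 ssh2
2024-05-01T09:20:04 sshd[144]: Failed password for bob from 203.0.113.77 port 51004 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Assumed tuning parameters for this example; in practice each entry in the
# known-good list should carry a written justification and a review date.
KNOWN_GOOD_SOURCES = {"192.0.2.50"}      # the authorised scanner
PRIVILEGED_ACCOUNTS = {"root", "admin"}  # accounts whose compromise has high impact
THRESHOLD = 5                            # failures per source before an alert is raised


def parse_failures(log_text):
    """Return one dict (ts, user, ip) per failed-login line; other lines are ignored."""
    return [m.groupdict() for m in map(FAILED.match, log_text.splitlines()) if m]


def untuned_alerts(log_text):
    """Default-style rule: one alert per failed login, no aggregation or context."""
    return [f"LOW: failed login for {e['user']} from {e['ip']}"
            for e in parse_failures(log_text)]


def tuned_alerts(log_text, known_good=KNOWN_GOOD_SOURCES, threshold=THRESHOLD):
    """Suppress known-good sources, aggregate per source, alert above threshold,
    and rank by impact (privileged target first, then by volume)."""
    by_source = defaultdict(list)
    for e in parse_failures(log_text):
        if e["ip"] in known_good:
            continue  # documented, expected noise; stays in the logs, never alerts
        by_source[e["ip"]].append(e["user"])

    alerts = []
    for ip, users in by_source.items():
        if len(users) < threshold:
            continue  # typo-level noise; available for retrospective review only
        severity = "HIGH" if PRIVILEGED_ACCOUNTS & set(users) else "MEDIUM"
        alerts.append({"severity": severity, "source": ip,
                       "failures": len(users), "targets": sorted(set(users))})

    rank = {"HIGH": 0, "MEDIUM": 1}
    alerts.sort(key=lambda a: (rank[a["severity"]], -a["failures"]))
    return alerts


if __name__ == "__main__":
    print(f"untuned: {len(untuned_alerts(SAMPLE_LOG))} alerts, one per failed login")
    for a in tuned_alerts(SAMPLE_LOG):
        print(f"tuned:   {a['severity']} {a['source']} "
              f"{a['failures']} failures against {', '.join(a['targets'])}")
```

On the constructed input the default rule produces eighteen alerts that all look alike, while the tuned rule produces two, with the attempt against root and admin ranked above the attempt against an ordinary account. The two failures from the user who then logged in successfully never reach an analyst, but remain in the logs for the retrospective review that A.8.15 supports.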
The audit test is whether the monitoring actually drives action. Alerts that pile up unread, dashboards that nobody looks at, reports that go out unread - all suggest the monitoring is operating as a compliance gesture rather than a control. The path from alert to action should be visible in the records: who received the alert, what they decided and why, and where the resulting ticket or incident record lives.
Monitoring scope should match the threats the organisation faces. A retail business worries about payment card fraud and account takeover. A professional services firm worries about email compromise and data exfiltration. Tuning the monitoring to the actual threats - rather than monitoring everything possible - keeps the focus on what matters.
Practical Compliance Guidance
Monitoring arrangements are described in the IMS1 manual at section 8.3 on IT equipment alongside the wider information security arrangements. Monitoring tool configuration and alert records provide the operational evidence.
| alphaZ document | How to use it |
|---|---|
| ISO 27001 Toolkit | The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists. |
| PP-8-100 Information Security Policy Procedure | Contains the Information Security Policy including the monitoring requirements and incident response triggers. Use as the source for monitoring scope and response. |
Note - all the above files can be downloaded with an alphaZ subscription.
