ISO 27001 Control 8.16: Monitoring Activities

How to Spot Trouble Before It Becomes a Full-Blown Incident

ISO 27001 Control 8.16 Monitoring activities is about making sure you actually notice when something is going wrong – rather than finding out days later when a customer calls, or a regulator does.

Where logging (8.15) gives you the raw events, monitoring activities (8.16) is about:

  • Watching those events and behaviours in near real-time
  • Spotting suspicious or unusual activity
  • Triggering a timely, proportionate response

Done well, monitoring activities give you early warning of attacks, misconfigurations and performance issues – and a far better chance of containing them before they cause real damage.


What ISO 27001 Control 8.16 Actually Requires

In plain English, ISO 27001 Control 8.16 – Monitoring activities expects you to:

  • Decide what needs to be monitored (systems, networks, applications, users, cloud, suppliers)
  • Define what “normal” looks like, so you can spot “not normal”
  • Use monitoring tools and processes to detect suspicious or anomalous activity
  • Generate alerts for significant security-relevant events
  • Feed monitoring into your incident response and risk management processes
  • Protect monitoring data and dashboards so they aren’t tampered with or misused

Monitoring activities under Control 8.16 build directly on:

  • Logging (Control 8.15) – the raw data
  • Access control and network security – the things you’re watching
  • Incident management and business continuity – what you do when you see trouble

The key idea: monitoring activities should give you timely, actionable visibility, not just a firehose of noise.


Step 1 – Decide What You Will Monitor (and Why)

Start with the systems and services that matter most to the organisation.

Under ISO 27001 Control 8.16, your monitoring scope should cover:

  • Networks and connectivity
    • Inbound and outbound traffic flows
    • VPN access, remote connections, exposed services
  • User access and identities
    • Login activity (especially privileged accounts)
    • Privilege escalation and role changes
    • Unusual access locations or times
  • Systems and endpoints
    • Processes, services, and system changes
    • File access to sensitive locations
    • Endpoint detection and response (EDR) events
  • Security tools
    • Firewalls, IDS/IPS, web application firewalls
    • Anti-malware alerts, DLP alerts, email security events
  • Applications and APIs
    • Authentication and session activity
    • Key transactions and configuration changes
    • Error patterns that could indicate abuse or exploitation
  • Cloud services
    • Admin activity in cloud consoles
    • Changes to security groups, IAM roles, keys, policies
    • Unusual API calls or access patterns
  • Supplier and integration points
    • Third-party access into your systems
    • Data flows to and from partner platforms

You don’t have to monitor everything at the same intensity, but you do need a clear view of where security incidents are most likely to appear and cause harm.


Step 2 – Establish a Baseline of “Normal” Behaviour

To detect anomalies, you need to know what “normal” looks like.

For ISO 27001 Control 8.16, that means:

  • Normal user behaviour
    • Typical login times, locations, devices
    • Usual systems and data each role accesses
    • Typical volume and pattern of activity
  • Normal system behaviour
    • Expected CPU, memory and disk utilisation ranges
    • Usual network traffic levels and patterns
    • Normal error rates for key applications
  • Normal security events
    • Baseline level of failed logins, blocked traffic, malware detections
    • Usual number of alerts per day/week for each tool

Once you have baselines, you can configure monitoring activities to:

  • Flag deviations (e.g. sudden spikes, out-of-hours admin actions, unusual data transfers)
  • Prioritise events that are unusual and high-risk
  • Gradually refine thresholds as you learn what’s noisy and what’s genuinely interesting

Over time, you can use behavioural analytics and machine learning to refine these baselines further, but you don’t need to start there – simple rules based on sensible thresholds are a good first step.


Step 3 – Implement Continuous Monitoring (Not Just Ad Hoc Checks)

ISO 27001 Control 8.16 is about ongoing monitoring activities, not “we look at logs when something seems odd”.

Typical building blocks:

  • SIEM (Security Information and Event Management)
    • Centralises events and logs from key systems
    • Correlates related events from different sources
    • Generates alerts based on defined rules and patterns
  • EDR (Endpoint Detection and Response)
    • Monitors endpoints for suspicious processes, behaviours and changes
    • Provides telemetry for investigations and automated containment options
  • IDS/IPS and network monitoring
    • Detects suspicious network traffic and known attack signatures
    • Helps identify scanning, exfiltration, or unusual external connections
  • Application and performance monitoring
    • Watches application health, latency, error rates
    • Often catches early signs of exploitation or misconfiguration
  • Cloud-native monitoring
    • Cloud provider logging and monitoring (e.g. admin actions, policy changes, anomalous API calls)
    • Security posture management tools to watch for risky configurations

Monitoring activities should be as close to real-time as is sensible for the risk and the system – especially for internet-facing services and critical business applications.


Step 4 – Detect Anomalies and Respond Effectively

Having tools and dashboards is only useful if you also define what triggers action and what that action is.

For ISO 27001 Control 8.16:

Configure meaningful detection rules

Examples include:

  • Multiple failed logins followed by a successful login from an unusual location
  • Large or unexpected data transfers (e.g. sudden export of a whole database)
  • New admin accounts or privilege escalations outside change windows
  • Execution of unsigned or unusual code on servers or endpoints
  • Communication with known malicious IPs or domains
  • Repeated access attempts to restricted systems or data
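As an added example (not code from the original article, and not any product's rule syntax), the following Python script shows how the baseline idea from Step 2 and the first detection rule above fit together: it derives a per-user "normal" set of login countries from earlier activity, then raises an alert only when several failed logins within a short window are followed by a success from a country outside that user's baseline. The event format, the five-minute window, the three-failure threshold and the sample events are all constructed assumptions for illustration.

```python
# Added example: baseline of "normal" plus a detection rule over login events.
# Event schema ("timestamp user result source_country"), thresholds and the
# sample data are constructed for this example, not taken from any real system.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (one per line).
SAMPLE_EVENTS = """\
2024-05-01T09:02:11 alice success GB
2024-05-01T09:15:40 alice success GB
2024-05-02T08:58:03 alice success GB
2024-05-03T22:10:01 alice failure RU
2024-05-03T22:10:09 alice failure RU
2024-05-03T22:10:15 alice failure RU
2024-05-03T22:10:31 alice success RU
2024-05-01T10:00:00 bob success GB
2024-05-03T10:05:00 bob failure GB
2024-05-03T10:05:30 bob success GB
"""


def parse_events(text):
    """Parse the constructed log format into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        ts, user, result, country = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "result": result, "country": country})
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events, window_end):
    """Step 2: per-user set of countries seen in successful logins before
    window_end. A real baseline would use weeks of history, not three days."""
    baseline = defaultdict(set)
    for e in events:
        if e["result"] == "success" and e["ts"] < window_end:
            baseline[e["user"]].add(e["country"])
    return baseline


def detect_failures_then_unusual_success(events, baseline, min_failures=3,
                                         window=timedelta(minutes=5)):
    """Step 4 rule: alert when >= min_failures failed logins for a user inside
    `window` are followed by a success from a country not in that user's baseline.
    A success from a baseline country is treated as normal (e.g. a mistyped password)."""
    alerts = []
    recent_failures = defaultdict(list)  # user -> timestamps of failures in window
    for e in events:
        user = e["user"]
        # Drop failures that have aged out of the window.
        recent_failures[user] = [t for t in recent_failures[user] if e["ts"] - t <= window]
        if e["result"] == "failure":
            recent_failures[user].append(e["ts"])
        elif e["result"] == "success":
            unusual = e["country"] not in baseline.get(user, set())
            if len(recent_failures[user]) >= min_failures and unusual:
                alerts.append({"user": user, "ts": e["ts"].isoformat(),
                               "country": e["country"],
                               "failures": len(recent_failures[user])})
            recent_failures[user].clear()
    return alerts


def run_demo():
    """Build the baseline from activity before 3 May (assumed analysis period)
    and run the rule over all events."""
    events = parse_events(SAMPLE_EVENTS)
    baseline = build_baseline(events, datetime(2024, 5, 3))
    return detect_failures_then_unusual_success(events, baseline)


if __name__ == "__main__":
    for alert in run_demo():
        print("ALERT", alert)
```

In the sample data only alice trips the rule: three failures in under a minute, then a success from a country never seen in her baseline. Bob's single failure followed by a success from his usual country stays silent, which is the point of combining a threshold with a baseline rather than alerting on every failed login.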

Link alerts to your incident response process

When monitoring activities generate an alert, you should:

  1. Triage – Is this a real issue or a likely false positive?
  2. Correlate – Check related events in other systems (e.g. VPN logs, endpoint alerts).
  3. Contain – If needed, isolate devices, disable accounts, block traffic.
  4. Investigate – Build a timeline using logs and monitoring data.
  5. Recover and learn – Restore services, close gaps, update rules and baselines.

Where it makes sense and is safe, use SOAR (Security Orchestration, Automation and Response) or simpler scripting to automate common responses (e.g. auto-locking an account after suspicious behaviour, isolating an endpoint when malware is detected).


Step 5 – Integrate Threat Intelligence into Monitoring Activities

ISO 27001 Control 8.16 is stronger when you combine internal monitoring with external knowledge about threats.

Useful approaches:

  • Threat feeds and blocklists
    • Known malicious IPs, domains, file hashes
    • Industry or sector-specific threat advisories
  • Enrichment in your SIEM
    • Add geo-IP, reputation scores, and threat context to events
    • Prioritise alerts linked to known active campaigns
  • Use cases informed by current threats
    • Adjust detection rules as new attack patterns appear (e.g. new phishing methods, RDP abuse patterns, VPN exploits).
  • Sector collaboration
    • Participate in ISACs or industry groups where relevant
    • Use shared indicators of compromise (IOCs) in your monitoring rules

The result: monitoring activities that track not only what’s unusual for you, but also what’s known to be dangerous in the wider world.
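As an added example (not from the original article), here is a small Python enrichment step of the kind Step 5 describes: events are matched against a blocklist of network ranges, exact addresses and domains, tagged with a campaign label and severity, and then sorted so analysts see the highest-priority hits first. The indicator values, severity scale and event fields are constructed for this example; real indicators would come from your threat feed, ISAC or sector advisories.

```python
# Added example: threat-intelligence enrichment of monitoring events.
# All indicators below are constructed placeholders (documentation ranges and
# reserved example domains), not real IOCs; the event schema is an assumption.
import ipaddress

# Constructed indicators: CIDR/IP -> (label, severity), domain -> (label, severity).
IOC_NETWORKS = {
    "198.51.100.0/24": ("example-campaign-A", "high"),
    "203.0.113.7/32": ("scanner-pool", "medium"),
}
IOC_DOMAINS = {
    "bad.example": ("phishing-kit", "high"),
    "tracker.example.net": ("adware", "low"),
}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def _compile_networks(entries):
    return [(ipaddress.ip_network(cidr), label, sev)
            for cidr, (label, sev) in entries.items()]


def match_ip(ip, networks=None):
    """Return (label, severity) for the most specific listed network containing ip,
    or None. Unparseable values (empty, hostnames) are simply not matched."""
    networks = networks if networks is not None else _compile_networks(IOC_NETWORKS)
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    hits = [(n, label, sev) for n, label, sev in networks if addr in n]
    if not hits:
        return None
    _, label, sev = max(hits, key=lambda h: h[0].prefixlen)
    return (label, sev)


def match_domain(domain, domains=IOC_DOMAINS):
    """Match the domain or any parent (login.bad.example -> bad.example)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return domains[candidate]
    return None


def enrich(event):
    """Attach a list of (field, label, severity) hits and a numeric priority."""
    enriched = dict(event)
    hits = []
    ip_hit = match_ip(event.get("src_ip", ""))
    if ip_hit:
        hits.append(("src_ip",) + ip_hit)
    dom_hit = match_domain(event.get("dest_domain", ""))
    if dom_hit:
        hits.append(("dest_domain",) + dom_hit)
    enriched["threat_hits"] = hits
    enriched["priority"] = max((SEVERITY_RANK[s] for _, _, s in hits), default=0)
    return enriched


# Constructed events to enrich.
SAMPLE_EVENTS = [
    {"id": 1, "src_ip": "198.51.100.23", "dest_domain": "intranet.corp.example"},
    {"id": 2, "src_ip": "192.0.2.10", "dest_domain": "login.bad.example"},
    {"id": 3, "src_ip": "192.0.2.11", "dest_domain": "www.tracker.example.net"},
    {"id": 4, "src_ip": "not-an-ip", "dest_domain": "clean.example.org"},
]


def prioritised(events=SAMPLE_EVENTS):
    """Enrich every event and return them highest priority first."""
    return sorted((enrich(e) for e in events), key=lambda e: -e["priority"])


if __name__ == "__main__":
    for e in prioritised():
        print(e["priority"], e["id"], e["threat_hits"])
```

Two design points worth noting: the domain matcher walks up parent labels so a fresh subdomain of a known-bad domain still matches, and the IP matcher prefers the most specific range so a single flagged host can carry a different label than the wider block it sits in.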


Step 6 – Protect and Govern Monitoring Data

Your monitoring systems and data are sensitive in their own right:

  • They show how your environment is structured
  • They contain details about users, systems and sometimes data flows
  • They may include personal data and security weaknesses

For ISO 27001 Control 8.16 you should:

  • Control access
    • Limit who can see monitoring dashboards, raw events and configuration.
    • Use strong authentication and role-based access control.
  • Preserve integrity
    • Store monitoring data (and underlying logs) in tamper-resistant locations.
    • Hash or sign key data if you rely on it for forensic purposes.
  • Protect confidentiality
    • Encrypt monitoring data in transit and at rest where it includes sensitive content or PII.
    • Mask or minimise personal data in dashboards and reports where possible.
  • Audit monitoring systems themselves
    • Log and review admin actions within the SIEM, EDR console or other monitoring tools.
    • Regularly review configurations and rules for appropriateness and drift.

This ensures monitoring activities don’t become a new risk or a convenient blind spot.
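As an added example (not from the original article), the Python below shows one concrete way to do the "hash or sign key data" part of Step 6: each stored monitoring record carries an HMAC that also covers the previous record's tag, so editing or deleting any earlier entry invalidates every later one and a verifier can point at the first broken entry. The key, record fields and sample records are constructed assumptions; in practice the key would be held in a KMS/HSM or by a separate integrity service rather than alongside the data it protects.

```python
# Added example: tamper-evident chain of monitoring records using HMAC-SHA256.
# The demo key and records are constructed for illustration only.
import hashlib
import hmac
import json

GENESIS_TAG = "0" * 64  # tag assumed for "the entry before the first one"


def _canonical(record):
    """Deterministic serialisation so the same record always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_record(chain, record, key):
    """Append record with an HMAC over (previous tag || canonical record)."""
    prev_tag = chain[-1]["tag"] if chain else GENESIS_TAG
    tag = hmac.new(key, prev_tag.encode() + _canonical(record), hashlib.sha256).hexdigest()
    chain.append({"record": record, "tag": tag})
    return chain


def verify_chain(chain, key):
    """Return (True, None) if every tag checks out, else (False, index of first bad entry)."""
    prev_tag = GENESIS_TAG
    for i, entry in enumerate(chain):
        expected = hmac.new(key, prev_tag.encode() + _canonical(entry["record"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, i
        prev_tag = entry["tag"]
    return True, None


DEMO_KEY = b"constructed-demo-key-do-not-use"  # placeholder, not a real key


def demo_records():
    # Constructed monitoring records for a single user session.
    return [
        {"ts": "2024-05-03T22:10:31", "user": "alice", "event": "login", "result": "success"},
        {"ts": "2024-05-03T22:12:00", "user": "alice", "event": "privilege_change", "role": "admin"},
        {"ts": "2024-05-03T22:15:45", "user": "alice", "event": "export", "bytes": 52000000},
    ]


def build_demo_chain():
    chain = []
    for r in demo_records():
        append_record(chain, r, DEMO_KEY)
    return chain


def tamper_and_verify():
    """Edit a stored record in place (hiding the privilege change) and re-verify."""
    chain = build_demo_chain()
    chain[1]["record"]["role"] = "user"
    return verify_chain(chain, DEMO_KEY)


def delete_and_verify():
    """Remove a stored record entirely and re-verify."""
    chain = build_demo_chain()
    del chain[1]
    return verify_chain(chain, DEMO_KEY)


if __name__ == "__main__":
    print("intact:", verify_chain(build_demo_chain(), DEMO_KEY))
    print("edited:", tamper_and_verify())
    print("deleted:", delete_and_verify())
```

The chain only proves integrity relative to whoever holds the key, so it complements, rather than replaces, the access controls and separate storage described above; it also gives the forensic timeline in Step 4 something to stand on if the original records are later questioned.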


Step 7 – Align Monitoring Activities with Legal and Regulatory Duties

Monitoring inevitably touches people and personal data, so you need to balance visibility with privacy and legal requirements.

For ISO 27001 Control 8.16:

  • Be transparent where required
    • Ensure internal policies explain what monitoring is done and why.
    • Where employment or privacy laws require, inform staff appropriately.
  • Minimise personal data
    • Only capture what you need for legitimate security purposes.
    • Apply retention limits consistently, including to monitoring data.
  • Support audit and compliance
    • Ensure monitoring can produce evidence for standards like PCI DSS, SOC 2, sector regulations, etc.
    • Document your monitoring strategy, scope, and processes so you can explain and justify them.
  • Coordinate with your DPO / legal function
    • Especially for behaviour analytics, deep user monitoring, or cross-border data flows.

That way, monitoring activities strengthen your compliance stance instead of creating new issues.


Quick Implementation Checklist for ISO 27001 Control 8.16

Use this to sanity-check your monitoring activities:

  • ISO 27001 Control 8.16 (Monitoring activities) is described in your security monitoring/operations standard.
  • You have defined which systems, networks, applications and cloud services are in scope for monitoring.
  • Baselines for normal behaviour (users, systems, traffic) are understood and documented, at least for critical systems.
  • You use appropriate tools (e.g. SIEM, EDR, IDS/IPS, cloud monitoring) to deliver continuous visibility.
  • Detection rules and use cases are configured to spot high-risk anomalies, not just generic noise.
  • Alerts are integrated with incident response, with clear triage and escalation paths.
  • Threat intelligence is used to enrich events and update watchlists and rules.
  • Monitoring data and tools are access-controlled, protected against tampering, and logged themselves.
  • Monitoring activities and data handling align with privacy and regulatory requirements.
  • Monitoring rules and coverage are reviewed regularly, especially after incidents or major changes.

Bringing It All Together

ISO 27001 Control 8.16 – Monitoring activities – is what turns logging from a passive archive into an active early-warning system.

If you:

  • Clearly define what you’ll monitor and why,
  • Establish baselines and use tools to watch for meaningful deviations,
  • Tie monitoring into incident response and threat intelligence, and
  • Protect and regularly refine your monitoring setup,

you’ll have a monitoring capability that not only satisfies ISO 27001 Control 8.16, but genuinely improves your ability to spot and contain security issues before they become major incidents.