ISO 27001:2022 Annex A Control 8.16

Compliance Guidelines for ISO 27001:2022 Annex A 8.16

Generally, monitoring should be conducted as per regulatory requirements and prevailing legislation, with any records retained as per the company’s retention policy.

The following processes (see Annex A Control 5.25) should be implemented alongside reporting suspected events to all relevant personnel:

• Auditing.
• Security and risk evaluation.
• Vulnerability scanning.
• Monitoring.

An organisation’s monitoring program should include the following elements:

• Traffic to and from applications, both inbound and outbound.

Platforms that are critical to the operation of the business, including (but not limited to):

• Systems.
• Servers.
• Networking hardware.
• The monitoring system itself.
• Configuration files
• Event logs from security equipment and software platforms.
• Code checks to ensure that any executable program is both authorised and temper-free.
• Use of computing, storage, and networking resources.

Guidance on Behavioural Analysis

To identify abnormal behaviour across networks, organisations should gain a firm understanding of regular user activity and network behaviour, including:

• Processes and applications are abruptly closed or terminated.
• Network traffic originating from or originating from problematic IP addresses or external domains.
• Methods of intrusion well known to the industry (e.g. DDoS attacks).
• Malicious system behaviour (such as keylogging).
• Bottlenecks in the network or high latency or ping.
• Accessing or scanning data, domains, and applications without authorisation or explanation.
• Any attempt to access business-critical ICT resources (such as domain controllers, DNS servers, file servers, and web portals).

To establish a satisfactory baseline, organisations should monitor the use of their networks and access times during regular working hours.

Guidance on Tools for Monitoring

An organisation should optimise its monitoring efforts by employing specialised monitoring tools tailored to the type of network and traffic it deals with daily.

A monitoring tool should be able to perform the following functions:

1. The ability to handle large amounts of monitoring data.
2. React to suspicious data, usage patterns, and user behaviour, as well as one-off activities.
3. Monitor any changes in risk level and modify monitoring activities accordingly.
4. Inform organisations of abnormal activity in real-time via proactive alerts with a minimum amount of false positives (see Annex A Control 5.26).
5. Maintain continuous monitoring operations by relying on the redundancy of the applications to maintain an adequate level of monitoring.

Guidance on Security Monitoring

Monitoring security should be optimised by:

1. The use of dedicated threat intelligence systems (see Annex A Control 5.7) and intrusion detection systems.
2. The use of machine learning platforms.
3. IP management platforms and email security software support whitelists, blacklists, block lists, and allow lists.
4. The integration of logging and monitoring activities into a single end-to-end process.
5. Dedicated to the detection and prevention of well-known intrusion methods and malicious activity, such as the use of botnets or denial of service attacks.

Accompanying Annex A Controls

• ISO 27001:2022 Annex A 5.25
• ISO 27001:2022 Annex A 5.26
• ISO 27001:2022 Annex A 5.7

What Are the Changes From ISO 27001:2013?

It is important to note that ISO 27001:2022 Annex A 8.16 is a newly added control not included in ISO 27001:2013.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

How ISMS.online Helps

With ISMS.online, you can manage information security within your organisation efficiently, identify risks and develop controls to mitigate those risks. You will then learn how to implement these controls within your organisation.

Contact us today to book a demo.