Annex A · Technological Control

A.8.16 — Monitoring Activities

Reviewed by: Cenedril Editorial
A.8.16 · ISO 27001 · ISO 27002 · BSI DER.1

The SIEM fires 3,000 alerts per day. The security team has two analysts. After three weeks, they stop reading alerts entirely — they have learned that 99% are false positives. Then a real attack hides in the noise and goes undetected for four months. A.8.16 requires monitoring that actually works: tuned detection, manageable alert volumes and trained responders.

Monitoring turns passive logs into active defence. The control requires organizations to define what they monitor, establish baselines for normal behaviour, detect deviations and respond effectively.

What does the standard require?

  • Define monitoring scope. Determine which systems, networks and applications require active monitoring based on risk.
  • Establish behavioural baselines. Define what normal looks like — typical login times, data volumes, network patterns — so deviations can be detected.
  • Implement detection rules. Create alerts for known attack patterns (signature-based) and anomalous behaviour (behaviour-based).
  • Minimize false positives. Tune alerts to produce actionable signals with acceptable noise levels.
  • Ensure timely response. Monitoring alerts must reach trained responders who can investigate and act within defined timeframes.
  • Retain monitoring records. Keep records of alerts, investigations and outcomes for audit and continuous improvement.

In practice

Start with high-value detections. Focus on alerts that indicate real threats with high confidence: impossible travel, privilege escalation, lateral movement, mass file encryption, new admin account creation. Build a small set of high-fidelity detections before expanding.

Establish a monitoring baseline. Profile normal network traffic, authentication patterns and data access volumes over 30-60 days. Use this baseline to identify deviations — a user downloading 10 GB on a Saturday night stands out against a baseline of 200 MB on weekdays.

Implement tiered alerting. Critical alerts (active exploitation indicators) page the on-call analyst immediately. High alerts feed into a daily triage queue. Medium and low alerts are reviewed weekly. This prevents alert fatigue while ensuring critical events are never missed.
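The baseline-and-deviation approach and the tiered routing described above, as an added example (not Cenedril's code or a product feature): it profiles per-user daily download volume over a constructed data-access log, scores later events as a z-score against that profile, combines the score with an off-hours check, and routes each alert to the tier's assumed destination. The log layout, the thresholds (3 sigma, 10 sigma, 07:00-19:00 working hours), the sigma floor and the routing targets are all assumptions chosen for illustration.

```python
"""Baseline-and-deviation detection with tiered alert routing.

Added example, not Cenedril's code. The log layout, thresholds and
routing targets are assumptions; the sample records are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

MB = 1_000_000

# Constructed data-access log: (user, ISO timestamp, bytes downloaded).
# Two working weeks of roughly 200 MB per day, then one 10 GB
# download on a Saturday night (2024-03-16).
SAMPLE_EVENTS = [
    ("alice", "2024-03-04T09:12:00", 180 * MB),
    ("alice", "2024-03-05T10:03:00", 210 * MB),
    ("alice", "2024-03-06T08:55:00", 195 * MB),
    ("alice", "2024-03-07T11:20:00", 220 * MB),
    ("alice", "2024-03-08T09:40:00", 205 * MB),
    ("alice", "2024-03-11T09:05:00", 190 * MB),
    ("alice", "2024-03-12T10:30:00", 215 * MB),
    ("alice", "2024-03-13T09:50:00", 200 * MB),
    ("alice", "2024-03-14T09:15:00", 185 * MB),
    ("alice", "2024-03-15T10:10:00", 210 * MB),
    ("alice", "2024-03-16T23:41:00", 10_000 * MB),
]

# Assumed routing per tier, mirroring the tiered-alerting scheme.
ROUTING = {
    "critical": "page on-call analyst",
    "high": "daily triage queue",
    "medium": "weekly review",
}


def build_baseline(events, baseline_end):
    """Per-user (mean, stddev) of daily download volume, computed only
    from events dated before baseline_end (the profiling window)."""
    daily = defaultdict(lambda: defaultdict(int))
    for user, ts, nbytes in events:
        if ts[:10] < baseline_end:
            daily[user][ts[:10]] += nbytes
    return {u: (mean(list(v.values())), pstdev(list(v.values())))
            for u, v in daily.items()}


def classify(event, baseline):
    """Score one event against its user's baseline and assign a tier.
    Returns None when the event is within normal bounds."""
    user, ts, nbytes = event
    if user not in baseline:
        # No profile yet (e.g. a new account): cannot be scored, so it
        # goes to the weekly review rather than being silently dropped.
        return {"user": user, "ts": ts, "tier": "medium", "z": None,
                "reason": "no baseline for user", "route": ROUTING["medium"]}
    mu, sigma = baseline[user]
    # Floor the deviation at 5% of the mean: a very flat baseline would
    # otherwise turn every small change into a multi-sigma outlier,
    # which is exactly the false-positive flood the control warns about.
    sigma = max(sigma, 0.05 * mu)
    z = (nbytes - mu) / sigma
    when = datetime.fromisoformat(ts)
    off_hours = when.weekday() >= 5 or not 7 <= when.hour < 19
    if z >= 10 and off_hours:
        tier, reason = "critical", "extreme volume outside working hours"
    elif z >= 3:
        tier, reason = "high", "volume more than 3 sigma above baseline"
    elif off_hours and nbytes > 2 * mu:
        tier, reason = "medium", "off-hours access above twice the baseline"
    else:
        return None
    return {"user": user, "ts": ts, "tier": tier, "z": round(z, 1),
            "reason": reason, "route": ROUTING[tier]}


def run_detection(events, baseline_end):
    """Profile events before baseline_end, then score every later event."""
    baseline = build_baseline(events, baseline_end)
    alerts = []
    for ev in events:
        if ev[1][:10] >= baseline_end:
            alert = classify(ev, baseline)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_detection(SAMPLE_EVENTS, "2024-03-16"):
        print(f"{a['tier'].upper():8} {a['user']} {a['ts']} z={a['z']} "
              f"-> {a['route']} ({a['reason']})")
```

On the constructed log the ten weekday downloads give a mean of about 201 MB with a standard deviation of about 12.6 MB, so the 10 GB Saturday-night event scores several hundred sigma and is paged as critical, while a 230 MB weekday download stays under 3 sigma and produces no alert at all. The sigma floor is the tuning knob that matters in practice: without it, a user whose daily volume barely varies would trigger "high" on any ordinary fluctuation.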

Consider managed detection and response. For organizations that cannot staff a 24/7 SOC, managed detection and response (MDR) services provide continuous monitoring by external analysts using your log data and endpoint telemetry.

Typical audit evidence

Auditors typically expect the following evidence for A.8.16:

  • Monitoring policy — documented scope, alert levels and response procedures (see IT Operations Policy in the Starter Kit)
  • SIEM dashboard or reports — evidence of active monitoring
  • Detection rule inventory — documented rules with rationale
  • Alert triage records — evidence that alerts are reviewed and investigated
  • Response metrics — mean time to detect and mean time to respond

KPI

Percentage of critical systems covered by active security monitoring

Measured as a percentage: how many critical systems feed data into your monitoring platform with active detection rules? Target: 100%.

Supplementary KPIs:

  • Mean time to detect (MTTD) security events
  • False positive rate per detection rule
  • Percentage of alerts triaged within defined SLA
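How the primary KPI and the three supplementary KPIs can be computed from an asset inventory and alert-triage records, as an added example (not Cenedril's code or part of the Starter Kit). The inventory layout, the triage-record fields, the per-tier triage SLAs and all sample data are constructed for illustration; the point is the definitions, in particular that MTTD is measured over confirmed events only and that the false-positive rate is tracked per rule so that noisy rules can be tuned or retired.

```python
"""Monitoring KPIs from an asset inventory and alert-triage records.

Added example, not Cenedril's code. Record layout, SLA values and all
sample data are assumptions/constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory of critical systems:
# name -> (forwards logs to the monitoring platform,
#          has at least one active detection rule applied to them)
CRITICAL_SYSTEMS = {
    "dc01": (True, True),
    "erp-db": (True, True),
    "vpn-gw": (True, False),   # logs arrive, but no rule looks at them
    "hr-app": (False, False),  # not connected at all
}

# Assumed triage SLA per tier: time from alert creation to first triage.
TRIAGE_SLA = {
    "critical": timedelta(minutes=30),
    "high": timedelta(hours=24),
    "medium": timedelta(days=7),
}

# Constructed triage records: rule, tier, when the event actually happened,
# when the alert was raised, when an analyst triaged it, and the verdict.
ALERTS = [
    dict(rule="impossible_travel", tier="critical", occurred="2024-03-16T23:41:00",
         detected="2024-03-16T23:45:00", triaged="2024-03-17T00:05:00", verdict="true_positive"),
    dict(rule="mass_file_encryption", tier="critical", occurred="2024-03-18T02:00:00",
         detected="2024-03-18T02:06:00", triaged="2024-03-18T03:00:00", verdict="true_positive"),
    dict(rule="new_admin_account", tier="high", occurred="2024-03-19T10:00:00",
         detected="2024-03-19T10:02:00", triaged="2024-03-20T09:00:00", verdict="false_positive"),
    dict(rule="new_admin_account", tier="high", occurred="2024-03-20T14:00:00",
         detected="2024-03-20T14:03:00", triaged="2024-03-23T09:00:00", verdict="false_positive"),
    dict(rule="new_admin_account", tier="high", occurred="2024-03-21T15:00:00",
         detected="2024-03-21T15:02:00", triaged="2024-03-21T18:00:00", verdict="true_positive"),
    dict(rule="off_hours_download", tier="medium", occurred="2024-03-23T22:00:00",
         detected="2024-03-23T22:10:00", triaged="2024-03-27T10:00:00", verdict="false_positive"),
]


def _t(s):
    return datetime.fromisoformat(s)


def coverage_pct(systems):
    """Primary KPI: share of critical systems that both feed the platform
    and have an active detection rule. Logs without rules do not count."""
    covered = sum(1 for feeds, has_rule in systems.values() if feeds and has_rule)
    return round(100 * covered / len(systems), 1)


def mttd_minutes(alerts):
    """Mean time to detect, over confirmed events only: a false positive
    has no real event, so it has no detection delay to measure."""
    gaps = [(_t(a["detected"]) - _t(a["occurred"])).total_seconds() / 60
            for a in alerts if a["verdict"] == "true_positive"]
    return round(sum(gaps) / len(gaps), 1) if gaps else None


def false_positive_rate(alerts):
    """Per-rule share of alerts closed as false positives; a rule near 1.0
    is a tuning or retirement candidate."""
    total, fp = defaultdict(int), defaultdict(int)
    for a in alerts:
        total[a["rule"]] += 1
        if a["verdict"] == "false_positive":
            fp[a["rule"]] += 1
    return {rule: round(fp[rule] / total[rule], 2) for rule in total}


def sla_triage_pct(alerts, sla):
    """Share of alerts triaged within the SLA defined for their tier."""
    ok = sum(1 for a in alerts
             if _t(a["triaged"]) - _t(a["detected"]) <= sla[a["tier"]])
    return round(100 * ok / len(alerts), 1)


def kpi_report(systems=CRITICAL_SYSTEMS, alerts=ALERTS, sla=TRIAGE_SLA):
    """Bundle the four KPIs into one dictionary for a dashboard or audit pack."""
    return {
        "coverage_pct": coverage_pct(systems),
        "mttd_minutes": mttd_minutes(alerts),
        "false_positive_rate": false_positive_rate(alerts),
        "sla_triage_pct": sla_triage_pct(alerts, sla),
    }


if __name__ == "__main__":
    for name, value in kpi_report().items():
        print(f"{name}: {value}")
```

On the constructed data the coverage KPI is 50% (vpn-gw forwards logs but has no rule, hr-app is not connected), MTTD is 4 minutes across the three confirmed events, new_admin_account closes as a false positive two times out of three, and four of six alerts were triaged within their tier's SLA. Note that the coverage definition deliberately refuses to count a system that merely ships logs: that distinction is the difference between A.8.15 (logging) and A.8.16 (monitoring).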

BSI IT-Grundschutz

A.8.16 maps to BSI modules for security event detection:

  • DER.1 (Detection of Security Events) — the core module. Requires centralized event evaluation, documented detection rules, trained analysts and defined escalation procedures.
  • OPS.1.1.1 (General IT Operations) — operational monitoring as a foundation for security monitoring.

Frequently asked questions

What is the difference between logging (A.8.15) and monitoring (A.8.16)?

Logging (A.8.15) is about recording events — creating and protecting log data. Monitoring (A.8.16) is about actively analysing that data to detect anomalies and security incidents. Logging is the input; monitoring is the analysis.

Do we need a 24/7 SOC?

ISO 27001 does not require a 24/7 SOC, but it requires effective monitoring. For small organizations, automated alerting with on-call response may suffice. For larger or higher-risk organizations, a SOC (internal or managed) is the practical standard.

How do we reduce false positives?

Tune detection rules over time based on your environment. Establish a baseline of normal behaviour first, then alert on deviations. Use threat intelligence to prioritize high-fidelity alerts. Accept that some tuning effort is ongoing.