ISO 27001:2022 A 8.16 Monitoring activities

Monitoring of Network, systems and application is the cornerstone of any successful IT support and information security operation. It involves collecting and analyzing information to detect suspicious behavior or unauthorized system changes on your network, defining which types of behavior should trigger alerts, and taking action on alerts as needed. It is vitally important for organisations to promote a proactive approach to monitoring that seeks to prevent incidents before they happen, and works in tandem with reactive efforts to form an end-to-end information security and incident resolution strategy that ticks every last box. From hackers and malware, to disgruntled or careless employees, to outdated or otherwise vulnerable devices and operating systems, to mobile and public cloud computing, to third-party service providers, most companies are routinely exposed to security threats of varying severity in the normal course of conducting business. Given the ubiquitous, unavoidable nature of security risks, quick response time is essential to maintaining system security, and automated, continuous security monitoring is key to quick threat detection and response. This requires the management and monitoring of systems to identify unusual activity and to instigate appropriate incident responses. The control is regarding networks, systems and applications which should be monitored for anomalous behavior and appropriate actions taken to evaluate potential information security incidents.


Networks, systems and applications should be monitored for anomalous behavior and appropriate actions taken to evaluate potential information security incidents.


To detect anomalous behavior and potential information security incidents.

ISO 27002 Implementation Guidance

The monitoring scope and level should be determined in accordance with business and information security requirements and taking into consideration relevant laws and regulations. Monitoring records should be maintained for defined retention periods. The following should be considered for inclusion within the monitoring system:

  1. outbound and inbound network, system and application traffic;
  2. access to systems, servers, networking equipment, monitoring system, critical applications, etc.;
  3. critical or admin level system and network configuration files;
  4. logs from security tools [e.g. antivirus, IDS, intrusion prevention system (IPS), web filters, firewalls, data leakage prevention];
  5. event logs relating to system and network activity;
  6. checking that the code being executed is authorized to run in the system and that it has not been tampered with (e.g. by recompilation to add additional unwanted code);
  7. use of the resources (e.g. CPU, hard disks, memory, bandwidth) and their performance.

The organization should establish a baseline of normal behavior and monitor against this baseline for anomalies. When establishing a baseline, the following should be considered:

  1. reviewing utilization of systems at normal and peak periods;
  2. usual time of access, location of access, frequency of access for each user or group of users.

The monitoring system should be configured against the established baseline to identify anomalous behavior, such as:

  1. unplanned termination of processes or applications;
  2. activity typically associated with malware or traffic originating from known malicious IP addresses or network domains (e.g. those associated with botnet command and control servers);
  3. known attack characteristics (e.g. denial of service and buffer overflows);
  4. unusual system behavior (e.g. keystroke logging, process injection and deviations in use of standard protocols);
  5. bottlenecks and overloads (e.g. network queuing, latency levels and network jitter);
  6. unauthorized access (actual or attempted) to systems or information;
  7. unauthorized scanning of business applications, systems and networks;
  8. successful and unsuccessful attempts to access protected resources (e.g. DNS servers, web portals and file systems);
  9. unusual user and system behavior in relation to expected behavior.

Continuous monitoring via a monitoring tool should be used. Monitoring should be done in real time or in periodic intervals, subject to organizational need and capabilities. Monitoring tools should include the ability to handle large amounts of data, adapt to a constantly changing threat landscape, and allow for real-time notification. The tools should also be able to recognize specific signatures and data or network or application behavior patterns. Automated monitoring software should be configured to generate alerts (e.g. via management consoles, email messages or instant messaging systems) based on predefined thresholds. The alerting system should be tuned and trained on the organization’s baseline to minimize false positives. Personnel should be dedicated to respond to alerts and should be properly trained to accurately interpret potential incidents. There should be redundant systems and processes in place to receive and respond to alert notifications. Abnormal events should be communicated to relevant parties in order to improve the following activities: auditing, security evaluation, vulnerability scanning and monitoring. Procedures should be in place to respond to positive indicators from the monitoring system in a timely manner, in order to minimize the effect of adverse events on information security. Procedures should also be established to identify and address false positives including tuning the monitoring software to reduce the number of future false positives.

Other information

Security monitoring can be enhanced by:

  1. leveraging threat intelligence systems;
  2. leveraging machine learning and artificial intelligence capabilities;
  3. using block lists or allow lists;
  4. undertaking a range of technical security assessments (e.g. vulnerability assessments, penetration testing, cyber-attack simulations and cyber response exercises), and using the results of these assessments to help determine baselines or acceptable behavior;
  5. using performance monitoring systems to help establish and detect anomalous behaviour;
  6. leveraging logs in combination with monitoring systems.

Monitoring activities are often conducted using specialist software, such as intrusion detection systems. These can be configured to a baseline of normal, acceptable and expected system and network activities. Monitoring for anomalous communications helps in the identification of botnets (i.e. set of devices under the malicious control of the botnet owner, usually used for mounting distributed denial of service attacks on other computers of other organizations). If the computer is being controlled by an external device, there is a communication between the infected device and the controller. The organization should therefore employ technologies to monitor for anomalous communications and take such action as necessary.

Security Monitoring is a process of continuously observing the behavior on an organization’s network or we can say keeping an eye on the traffic of an organization’s network which are intended to harm its data (data breach) and making cyber threats, if this happens it will send the alert to the security incident. The main importance of security monitoring is to preserve the following aspects:

  • Reputation
  • Privacy of User Data
  • Availability
  • Misuse of Organization Service

The extent to which you carry out monitoring activities should be determined in accordance with the security requirements from your risk assessment, and take into consideration relevant laws and regulations. Monitoring records should be retained for auditing purposes for a defined retention period. The following should be considered for inclusion within the monitoring system:

  1. outbound and inbound network, system and application traffic,
  2. records of access to physical and virtual systems or applications,
  3. monitoring of changes to configuration files,
  4. logs from security tools such as anti-malware or web filtering systems,
  5. event logs relating to system and user activity,

Monitoring should be first and foremost carried out in line with any regulatory requirements or prevailing legislation, and any records retained in accordance with company retention policy. Suspect events should be reported to all relevant personnel in order to maintain network integrity and improve business continuity alongside the following processes

  • Auditing
  • Security and risk evaluation
  • Vulnerability scanning
  • Monitoring

Organisations should include the following in their monitoring operation:

  • Both inbound and outbound network traffic, including data to and from applications
  • Access to business critical platforms, including (but not limited to) Systems, Servers, Networking hardware, the monitoring system itself
  • Configuration files
  • Event logs from security equipment and software platforms
  • Code checks that ensure any executable programs are both authorised and temper-free
  • Compute, storage and networking resource usage

Organisations should gain a firm understanding of normal user activity and network behavior, and use this as a baseline to identify anomalous behavior across the network, including:

  • Sudden closure or termination of processes and applications
  • Network traffic that is recognised as emanating to and/or from problematic IP addresses and/or external domains
  • Well-known intrusion methods (e.g. DDoS)
  • Malicious system behaviour (e.g. key logging)
  • Network bottlenecks and high ping and/or latency times
  • Unauthorised or unexplainable access to and/or scanning of data, domains or applications
  • Any attempts to access business critical ICT resources (e.g. domain controllers, DNS servers, file servers and web portals)
  • To establish a successful baseline, organisations should monitor network utilisation and access times at normal working levels.

The organisations should optimize its monitoring efforts using specialized monitoring tools that are suited to the type of network and traffic that they deal with on a daily basis. Monitoring tools should be able to:

  • Handle large amounts of monitoring data
  • React to suspect data, traffic and user behavior patterns and one-off activities
  • Amend any monitoring activities to react to different risk level
  • Notify organisations of anomalous activity in real time, through a series of proactive alerts that contain a minimal amount of false positives
  • Rely on an adequate level of application redundancy in order to maintain a continuous monitoring operation

Security monitoring should be optimized through:

  • Dedicated threat intelligence systems and intrusion protection platforms
  • Machine learning platforms
  • Whitelists, blacklists, block lists and allow lists on IP management platforms and email security software
  • Combining logging and monitoring activities into one end-to-end approach
  • A dedicated approach to well-known intrusion methods and malicious activity, such as the use of botnets, or denial of service attacks

There are many methods used by an attacker to make the website or application unavailable to the user by using method like DDoS attacks, injecting malicious code or commands, etc.

DDoS: DDos stands for Distributed Denial of Service. In this attack, an attacker sent large number of packets or we can say a request which is made continuously until an error occurs which also results in unavailability of resources provided by the organization.

Injecting Malicious Code or Command: When an attacker is injecting malicious code or command on different input field or URL endpoint then it can harm the privacy of user’s data. By identifying these kinds of commands or code and block them is suggested. So, to prevent these types of malicious attack security monitoring is configured and done to prevent, block or reject these types of requests

Cyber Security Threat Monitoring gives us the ability of real-time spectating on the network and helps us to identify unusual or malicious behavior on the network. This will help the cyber security or IT team to take prevention steps before the occurrence of the attack incident. Consider two main types of monitoring:

1. Endpoint Monitoring: Endpoints are the devices connected to a network like laptops, desktop, smartphones, cell-phones and IOT (Internet of Things) devices. Endpoint monitoring consist of analyzing the behavior of the devices connected to a specific network and analyze their behavior. It will help IT team to detect threat and they can take prevention measures when the behavior malicious, unusual or suspicious.

2. Network Monitoring: Network is the connection between different devices to communicate and share information and assets. Network Monitoring entails keeping an eye (tracking) and analyzing the network from which it will respond on the basis of the result network monitoring gets during monitoring. If the network components are not properly working means like component being overloaded, keeps crashing, slow etc. all that can lead to certain cyber threats and makes the system vulnerable.

There are many diagnostic tools which will keep diagnosing the components and keeps the logs of the result and if there is any disturbance or threat it will automatically notify the IT team instantly via many medium. From this the IT team can fix the error or problem. To prevent the organization from these kinds of cyber-attacks the organization have to monitor the network and packets which are being thrown toward the network and prevent any casualty from happening.

  1. Minimize Data Breach: Continuously monitoring of the network will help to detect any threat before the occurrence of the event and the organization can prevent these kinds of attacks from affecting the information that the company holds of their users and employees. So, doing continuous security monitoring will help effectively.
  2. Improve your Time to Respond to Attacks: Most organizations take security measures to prevent cyber threats and attacks, but what if the bad guys somehow successfully attacked the organization, then the organization must be ready to respond to the attack and fix it as soon as it is detected. Because the assets of the organization must be available to its user 24 x 7.
  3. Address Security Vulnerability: Every system has loop holes (vulnerability). Address Security Vulnerability means to address or find the vulnerability the network has. Vulnerability is hunted and fix before any bad guy can find and exploit it. This category also includes keeping all the protocols and firewalls up to date. Even many organizations organize Bug Hunting program. In bug hunting program the organization invites ethical hackers to ethically hack the system and make a report of the vulnerability so the organization can confirm the vulnerability and fix it, they also provide bounties, swags or hall of fame according to the severity of the vulnerability.
  4. Compliance with Standards and Regulations: The most basic and fundamental term of cyber security is Confidentiality, Integrity and Availability (CIA ). An organization is required to meet these set of rules for the possession of data. If even a single requirement is not met then it will increase the chances of vulnerability existence in the network which will also harm the reputation of the organization. So, by continuous cyber security monitoring will help to fix these kinds of problems.
  5. Reduce Downtime: Reduce down time means being ensure that organization’s network is fully functional and handle all operations Because networks downtime can harm the organization’s reputation and even financially. And if organization face any threats they should respond and fix it as soon as possible. So, continuous cyber security monitoring will decrease the chances of getting the sever or the network down.
  6. Nature of Threats has Changed: Cyber criminals are getting smarter and sharper day by day. They are always trying to get through the defense which any organization sets up for their network. Day by day cyber criminals are bringing up new attack, trick and tactics to perform their malicious activity. Best way to tackle these kinds of problems is by continuously monitoring the network.
  7. Rise in Remote Work: Organization have started using cloud services to provide the essentials to their employees who are working from home. But this causes a problem that is to do the access control so that an unauthorized person cannot get access to the data even if he tries. But then also this can lead to unauthorized access because there is always a way. So, it’s a good move to monitor the traffic and detect the threat or any unauthorized user trying to access should be blacklisted or blocked.
  8. Increase Productivity of the Employee: Employee plays an important role in any organization. Making the employee productive, that is the thing every organization wants. Focusing on the IT infrastructure will boost the productivity of the employee, because well-structured and secured network will help employees to focus on their core skills and job even can do their work faster. This can be done by keeping a security expert who will handle all the technical responsibilities will be great. So, this will boost the productivity of all the employees

Effective Steps for Cyber Security Monitoring
An organization should always be careful about the traffic which is going through their network because if it comes out to be a malicious packet then it will cost the organization its reputation and its money. So, precaution is better than cure. An organization should focus on its networks traffic by taking some effective and efficient steps.

  1. SIEM Tools and Software Solutions: A Security Information and Event Management platform plays an important role in any organization for security monitoring. Security Incident and Event Management is field where software and services are combined security information management and security event management. The work of Security Information and Event Management is to monitor and analyze log data efficiently then combine all the monitoring logs in one place to make the analyzing or further assessment easy. This will help the IT team to revise the logs and fix or even they can be prepared for further possible cyber threats.
  2. Trained Experts: All the tools we discussed before will do their work properly but this is not enough. A trained expert is important in the team. The person who understands the infrastructure will be much easier for them because the expert will know where to look and for what to look. But an experienced expert is much means those who have knowledge, understanding and ability to identify the threat and fix it as soon as possible. The expert will also know how to make the system much faster for the response to the attack means improving the speed when a cyber threat occurs.
  3. Trained Employees: Trained employees play a vital role as same a trained expert plays in an organization for its security. It is important factor to educate or train the employee or the staff about that how to protect the organization from malicious and abrupt attack the attacker might tries to perform on the organization. A well-trained employee will know the symptoms, effects or precautions that should be taken against some cyber-attacks. They will also understand the importance of cyber security in the organization.
  4. Managed Services: Managed services are the most important factor because an attacker can exploit the services which are not required. By setting the strong protocols and metric will help in improving security. An organization should use or enable only the required services because it will reduce the risks effectively. Some services can help the organization manage or monitor the services running on their network and system. A small mistake in managing the services can lead to a huge reputation or financial loss of a company.
  5. Identify Assets and Events which Needed to be Logged and Monitored: The strange events should be logged (recorded) and monitored. It gives two advantages. First is that if any data compromise occurs, the investigation team can find the attacker. Second is, the security team will analyze the event which is recorded to find the vulnerability and fix it.
  6. Establish Active Monitoring, Alerting and Incident Response Plan: So, here all organization cannot put team for blocking for rejecting every single, same type of event which can harm system so to fix this, three steps are followed
  7. Active Monitoring: Active monitoring is continuously monitoring the traffics using a SIEM (Security Information and Event Management) tool. The work of SIEM is to automate the process of monitoring. There are many SIEM tools available in the market which can be used.
  8. Incident Response: In incident response, the organization will preconfigure the SIEM tool, that which packet (request) should be accepted, rejected or blocked (blacklist) and it is decided on the basis of the structure or pattern of packet (request). Incident response are also done manually. If any big incident happens then the security professional creates a plan and takes instant decision to overcome the incident, this whole scenario is known as incident response.
  9. Alerting: Alerting is used to send alert notifications to the user or admin whose ID is configured. Basically, alerting is used when certain actions are made like if someone is trying to upload any malicious file, trying to brute force admin panel password, etc.
  10. Define the Need for Log and Monitoring By using log, security team can improve the security as per the log content. By using monitoring, the best advantage is automation means even if there is no interaction of any security professional monitoring can block, reject or blacklist any request.
  11. Keep Monitoring Plan, Firewall and Protocols Up-to-date: It is extremely essential to keep monitoring plan, firewall and protocols up-to-date because if any attacker gets the version of any service and if it is not at the latest version then the attacker can exploit that service and harm the organization. The update contains the latest bug fixes which makes system more secure.

Leave a Reply