This article provides additional information on how you can meet the requirement for the ISO 27001: 2022 control A.8.16 Monitoring activities.
ISO 27001: 2022 Control Description
Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents.
Purpose
To detect unusual behaviour and identify potential information security incidents.
Guidance on implementation
Setting Up Monitoring
- Determine Monitoring Scope:
- Define what needs to be monitored based on your business and security requirements. Make sure to consider relevant laws and regulations. Retain monitoring records for a set period, as determined by your organisation.
- What to Monitor:
- Consider including the following in your monitoring system:
- Inbound and outbound network, system, and application traffic.
- Access to systems, servers, networking equipment, monitoring systems, and critical applications.
- Critical system and network configuration files, especially those with admin-level access.
- Logs from security tools such as antivirus, intrusion detection systems (IDS), firewalls, and data leakage prevention systems.
- Event logs related to system and network activities.
- The execution of authorised code and verification that it hasn’t been tampered with.
- Resource usage (e.g. CPU, memory, bandwidth) and their performance levels.
- Consider including the following in your monitoring system:
Establishing a Baseline
- Create a Baseline:
- Establish what normal behaviour looks like in your systems. This will help identify anything out of the ordinary. When creating a baseline, consider:
- System usage during both normal and peak periods.
- Typical access times, locations, and frequencies for users or groups of users.
- Establish what normal behaviour looks like in your systems. This will help identify anything out of the ordinary. When creating a baseline, consider:
- Identify Anomalous Behaviour:
- Configure your monitoring system to detect behaviour that deviates from the baseline, such as:
- Unexpected termination of processes or applications.
- Activity linked to malware or connections from known malicious IP addresses.
- Known attack patterns (e.g. denial of service, buffer overflows).
- Unusual system activities (e.g. keystroke logging, process injection).
- Bottlenecks and network issues (e.g. high latency, jitter).
- Unauthorised access attempts to systems or data.
- Unauthorised scanning of applications, systems, and networks.
- Unusual user or system actions that differ from the expected behaviour.
- Configure your monitoring system to detect behaviour that deviates from the baseline, such as:
Implementing Continuous Monitoring
- Use Real-Time Monitoring:
- Employ monitoring tools that continuously watch for anomalies, either in real time or at regular intervals, depending on your organisation's needs and capabilities. Choose tools that can:
- Handle large data volumes.
- Adapt to evolving threats.
- Provide real-time alerts.
- Recognise specific signatures and behaviour patterns in data, networks, or applications.
- Employ monitoring tools that continuously watch for anomalies, either in real time or at regular intervals, depending on your organisation's needs and capabilities. Choose tools that can:
- Automate Alerts:
- Configure your monitoring software to automatically generate alerts when predefined thresholds are crossed. Alerts can be sent through management consoles, emails, or instant messaging. Ensure that:
- The alert system is fine-tuned to reduce false positives.
- Staff are trained to respond effectively to alerts and interpret potential incidents.
- Redundant systems and processes are in place to handle alert notifications.
- Configure your monitoring software to automatically generate alerts when predefined thresholds are crossed. Alerts can be sent through management consoles, emails, or instant messaging. Ensure that:
Responding to Anomalies
- Communicate and Act:
- Report abnormal events to relevant teams to improve security audits, evaluations, vulnerability scans, and monitoring. Ensure procedures are in place to:
- Respond quickly to positive indicators from the monitoring system to minimise the impact of security events.
- Identify and address false positives, and adjust the monitoring software to reduce them in the future.
- Report abnormal events to relevant teams to improve security audits, evaluations, vulnerability scans, and monitoring. Ensure procedures are in place to:
Additional Information
- Enhancing Security Monitoring:
- Consider enhancing your monitoring by:
- Using threat intelligence systems.
- Leveraging machine learning and artificial intelligence.
- Implementing blocklists or allowlists.
- Conducting technical security assessments (e.g. vulnerability assessments, penetration tests) to help set baselines.
- Using performance monitoring tools to detect unusual behaviour.
- Combining log analysis with monitoring systems.
- Consider enhancing your monitoring by:
- Botnet Detection:
- Monitor for unusual communications, which could indicate a botnet (a group of compromised devices used for attacks like distributed denial of service). If an infected device is communicating with a controller, take immediate action to address the issue.