Annex A 8.16 verified ISO/IEC 27001:2022
Monitoring Networks and Systems for Anomalous Behaviour
Regularly check networks and systems for unusual activity to address potential security threats.
record_voice_over
Plain language
This control is about regularly checking your business's computers and networks for anything unusual. It's like making sure there are no strangers hanging out in your yard. If you don’t do this, you might miss signs of a cyber-attack or data breach that could harm your business.
01 — Overview
Framework
ISO/IEC 27001:2022
Control effect
Detective
ISO 27001 domain
Technological controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
12 Apr 2026
Maturity levels
N/A
Official control statement
Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents.
verified ISO/IEC 27001:2022 Annex A 8.16
priority_high
Why it matters
Without continuous monitoring, anomalous activity (e.g., unauthorised access or lateral movement) can go unnoticed, increasing breach impact and service disruption.
settings
Operational notes
Baseline normal network/system activity, centralise and correlate logs (SIEM), tune alerts for anomalies, and define triage and escalation steps to evaluate potential incidents.
02 — Implement
build
Implementation tips
- IT manager should set up and regularly update a monitoring system. Use software that keeps an eye on your network traffic and computer usage for anything out of the ordinary. This can help catch threats early and prevent them from getting worse.
- IT staff should define what 'normal behaviour' looks like for all systems and networks. They can do this by analysing usual activity levels during different times, such as peak work hours and downtime. This baseline makes it easier to spot unusual movements.
- Security team should configure alerts for suspicious activity. The monitoring tools should be able to notify the team immediately if they detect any strange activities. Make sure these alerts are fine-tuned to reduce false alarms and ensure real threats are prioritised.
- Business owner should involve someone to keep an eye on the alerts. Designate a team member responsible for responding to alerts. This person needs training on what different alerts mean and how to handle them properly.
- Compliance officer should ensure that data collection respects privacy laws. Check that your monitoring activities comply with the Australian Privacy Act 1988 and any other relevant legal requirements. This ensures that your customers’ and employees’ information remains confidential while it is being monitored.
03 — Audit
fact_check
Audit / evidence tips
-
Askthe monitoring policy document and system baseline
Goodpolicy will clearly outline procedures for both monitoring and responding to incidents
-
Askto see recent monitoring logs and alert reports
-
Askstaff about the process for handling alerts
Goodwill describe a clear process and recent examples of effective responses
-
Askany recent incident reports linked to network monitoring
-
Askif there have been any updates to the monitoring software or practices
04 — Mappings
link
Cross-framework mappings
How Annex A 8.16 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (10) expand_less | ||
| sync_alt Partially overlaps (4) expand_less | ||
| handshake Supports (3) expand_less | ||
| link Related (1) expand_less | ||
ASD ISM
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (6) expand_less | ||
| ISM-1030 | ISM-1030 requires deploying a NIDS/NIPS at the gateway perimeter and generating event logs and alerts for traffic that contravenes firewa... | |
| ISM-1213 | ISM-1213 requires a specific post-intrusion activity: capturing full network traffic for at least seven days to confirm removal of an att... | |
| ISM-1607 | ISM-1607 focuses on integrity monitoring and centralised logging for server hardware shared via software isolation | |
| ISM-1976 | ISM-1976 requires security-relevant events for Apple macOS operating systems to be centrally logged | |
| ISM-1978 | ISM-1978 requires security-relevant events for server applications on internet-facing servers to be centrally logged | |
| ISM-2089 | ISM-2089 requires organisations to monitor AI model performance metrics and investigate anomalies in model behaviour or outputs | |
| sync_alt Partially overlaps (3) expand_less | ||
| ISM-0652 | ISM-0652 requires files identified as suspicious by content filtering to be quarantined pending review and release decision | |
| ISM-1431 | ISM-1431 requires organisations to agree denial-of-service (DoS) mitigation arrangements with cloud service providers, including monitori... | |
| ISM-1987 | ISM-1987 requires timely analysis of event logs from security products to detect cyber security events | |
| handshake Supports (21) expand_less | ||
| ISM-0120 | ISM-0120 requires cyber security personnel to have sufficient data sources and tools to monitor systems for key indicators of compromise | |
| ISM-0261 | ISM-0261 requires organisations to centrally log detailed web proxy activity to provide visibility of user web access and associated netw... | |
| ISM-0263 | ISM-0263 requires decryption and inspection of TLS traffic through gateways to enable security visibility into encrypted communications | |
| ISM-0585 | ISM-0585 requires log entries to include sufficient detail (time, user/process, filename where relevant, event description, and equipment... | |
| ISM-0634 | ISM-0634 requires central logging of gateway traffic and intrusion-related alerts to provide visibility of network flows through gateways | |
| ISM-1028 | ISM-1028 requires a NIDS/NIPS at network gateways to detect and/or prevent unauthorised or malicious traffic crossing organisational boun... | |
| ISM-1341 | ISM-1341 requires HIPS or EDR on workstations to detect suspicious activity and enable response at the endpoint | |
| ISM-1430 | ISM-1430 mandates stateful DHCPv6 use and centralized logging of lease data to support network monitoring | |
| ISM-1526 | ISM-1526 requires continuous monitoring of each system’s security and ongoing management of cyber threats, risks and controls based on sy... | |
| ISM-1537 | ISM-1537 requires organisations to centrally log a rich set of database security events so suspicious activity and misuse can be detected... | |
| ISM-1556 | ISM-1556 requires personnel returning from high-risk overseas travel with mobile devices to reset credentials and monitor user accounts f... | |
| ISM-1566 | ISM-1566 requires that use of unprivileged access is centrally logged so user activity can be monitored and investigated | |
| ISM-1650 | ISM-1650 requires central logging of privileged user account and security group management events | |
| ISM-1830 | ISM-1830 requires that security-relevant events on Microsoft AD-related servers are centrally logged | |
| ISM-1889 | ISM-1889 requires central logging of command line process creation events to improve visibility of potentially suspicious execution behav... | |
| ISM-1911 | ISM-1911 mandates centralised logging of software usage, errors, and crashes, which aids the monitoring and evaluation of anomalies under... | |
| ISM-1924 | ISM-1924 requires generative AI applications to evaluate user prompts to detect and mitigate prompt injection attempts that could cause u... | |
| ISM-1963 | ISM-1963 requires security-relevant events for internet-facing network devices to be centrally logged | |
| ISM-1970 | Annex A 8.16 requires monitoring networks, systems and applications for anomalous behaviour and then evaluating potential incidents | |
| ISM-2015 | ISM-2015 mandates central logging of non-internet API calls that modify or access sensitive data | |
| ISM-2051 | ISM-2051 mandates generating sufficient event logs for cybersecurity detection | |
| link Related (2) expand_less | ||
| ISM-0582 | Annex A 8.16 requires ongoing monitoring for anomalous behaviour across networks and systems and taking action to evaluate potential inci... | |
| ISM-1979 | Annex A 8.16 requires monitoring of networks, systems and applications for anomalous behaviour with actions taken to evaluate possible in... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.