A.8.16 Monitoring Activities
What is this control?
ISO 27001 control A.8.16 Monitoring Activities detects anomalous behaviour and potential information security and privacy incidents through continuous (24/7/365) automated monitoring of activity across all managed systems. The control replaces passive, manual monitoring with active, technology-driven processes that analyse, correlate, and respond to the log events collected under A.8.15. Microsoft Sentinel and Microsoft 365 Defender provide centralised visibility, intelligent analytics, and automated response capabilities.
How to implement in Microsoft 365
Implement A.8.16 by deploying Microsoft 365 Defender as the primary XDR platform, so that alerts from the Defender services are automatically ingested and correlated into incidents with attack storylines. Deploy Microsoft Sentinel as the central SIEM to ingest all log sources from A.8.15. Configure Microsoft Sentinel analytics rules, written in KQL, to continuously analyse those logs for complex, organisation-specific threats.
Enable the built-in anomaly detections, including impossible travel, mass file download, and Pass-the-Hash. Configure Sentinel playbooks (SOAR) to isolate affected devices, revoke sessions, block malicious IPs, and post alerts to Teams. Enable Microsoft Entra ID Protection for continuous detection of risky users.
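A custom scheduled analytics rule of the kind described above, added here as an illustration rather than taken from the page or from Microsoft's built-in rule templates: it flags a user who downloads an unusually large number of distinct SharePoint or OneDrive files within a short window, using the OfficeActivity table that the Office 365 data connector from A.8.15 populates. The threshold and window values are assumptions to tune against the organisation's own baseline.

```kusto
// Scheduled analytics rule: mass file download from SharePoint / OneDrive.
// Source table: OfficeActivity (Office 365 data connector).
// Threshold and window are assumed starting values; tune them to the
// organisation's normal download volume before enabling incident creation.
let lookback  = 1h;     // align with the rule's query period in the wizard
let window    = 10m;    // bucket size for counting downloads per user
let threshold = 50;     // distinct files per user per bucket that triggers
OfficeActivity
| where TimeGenerated > ago(lookback)
| where OfficeWorkload in ("SharePoint", "OneDrive")
| where Operation in ("FileDownloaded", "FileSyncDownloadedFull")
| summarize
    DownloadCount = dcount(OfficeObjectId),        // distinct files, not raw events
    SampleFiles   = make_set(OfficeObjectId, 10),  // a few paths for the analyst
    Sites         = make_set(Site_Url, 5),
    StartTime     = min(TimeGenerated),
    EndTime       = max(TimeGenerated)
  by UserId, ClientIP, UserAgent, Bucket = bin(TimeGenerated, window)
| where DownloadCount >= threshold
// Columns to map to Account and IP entities in the rule's entity mapping,
// so the resulting incident carries the user and source address.
| extend AccountCustomEntity = UserId, IPCustomEntity = ClientIP
| order by DownloadCount desc
```

Pair the rule with a playbook that revokes the user's sessions and posts to the SOC Teams channel, as the SOAR step above describes, and review the StartTime/EndTime and Sites columns before treating a hit as confirmed exfiltration.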
What an auditor looks for
Auditors will verify that M365 Defender incidents are accessible via the API with their metadata captured. They will check that the security incident response rate is 70% or higher, measured by incidents moved from New to In Progress or Resolved status. Auditors will verify that detection rules are enabled and generating security alerts.
They will check that Entra ID Identity Protection is enabled (which requires P2 licensing for risky user detection). Auditors will verify that risk policies are configured for both sign-in risk and user risk, with automated enforcement through Conditional Access. They will check that Intune device compliance policies are configured and enforced.
M365 capabilities that implement this control
Microsoft Sentinel with baseline M365 data connectors, RBAC, threat analytics, and operational monitoring
MDI sensors deployed on domain controllers, AD FS, AD CS, and Entra Connect, with entity tags configured, alerts tuned, and integration into XDR
Additional Sentinel data connectors beyond baseline
Custom Sentinel analytics rules for organisation-specific threats
AI agent action audit logging, Copilot usage monitoring, shadow AI detection via Entra Internet Access and Sentinel