ISO27001 A.8.16
ISO/IEC 27001:2022 Information Security Management
AL, Founder at SQUR · last verified 2026-06-19
Regulation text
Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents. Theme: Technological controls. (Full guidance: ISO/IEC 27002:2022 §8.16.)
ATT&CK techniques this article tests · 15
| Technique | Why it maps | Confidence |
|---|---|---|
| T1078 | Monitoring for anomalous login patterns, such as unusual times, locations, or frequency, directly supports detecting unauthorized use of valid accounts as required by ISO27001 A.8.16. | 90% |
| T1133 | Detection of unusual access attempts or usage patterns for external remote services identifies anomalous behaviour, aligning with ISO27001 A.8.16's monitoring requirement. | 90% |
| T1059 | Monitoring for suspicious command execution or script activity on systems and applications is crucial for detecting anomalous behaviour, as mandated by ISO27001 A.8.16. | 90% |
| T1547 | Detecting unauthorized modifications to system autostart mechanisms identifies anomalous persistence, directly supporting the monitoring requirements of ISO27001 A.8.16. | 90% |
| T1068 | Identifying patterns indicative of exploit attempts or unusual process elevation on systems detects anomalous behaviour, fulfilling ISO27001 A.8.16's monitoring objective. | 90% |
| T1070 | Monitoring for attempts to clear logs or remove forensic artifacts on systems detects anomalous behaviour indicative of defense evasion, as required by ISO27001 A.8.16. | 90% |
| T1036 | Detecting processes or files using deceptive names or locations on systems and applications identifies anomalous behaviour, directly supporting ISO27001 A.8.16. | 90% |
| T1003 | Monitoring for tools or behaviours associated with extracting credentials from operating systems detects anomalous activity, aligning with ISO27001 A.8.16's monitoring requirement. | 90% |
| T1046 | Identifying internal network scanning activities detects anomalous behaviour on networks, as mandated by ISO27001 A.8.16 for evaluating potential incidents. | 90% |
| T1087 | Detecting enumeration of user accounts or groups on systems identifies anomalous behaviour, directly supporting the monitoring requirements of ISO27001 A.8.16. | 90% |
| T1021 | Monitoring for unusual remote access or service usage between internal systems detects anomalous lateral movement, fulfilling ISO27001 A.8.16's monitoring objective. | 90% |
| T1005 | Detecting unusual access, modification, or staging of sensitive local files on systems identifies anomalous behaviour, as required by ISO27001 A.8.16. | 90% |
| T1071 | Identifying unusual network traffic patterns or C2 communication over common protocols detects anomalous behaviour on networks, directly supporting ISO27001 A.8.16. | 90% |
| T1041 | Detecting large or unusual data transfers outbound over C2 channels identifies anomalous exfiltration, aligning with ISO27001 A.8.16's monitoring requirement. | 90% |
| T1486 | Monitoring for rapid file encryption or other ransomware indicators on systems and applications detects anomalous behaviour, as mandated by ISO27001 A.8.16. | 90% |
Defending mitigations · 7
| Mitigation | What it does | Confidence |
|---|---|---|
| M1013 | Robust event logging provides the necessary data for monitoring networks, systems, and applications, enabling the detection of anomalous behaviour as required by ISO27001 A.8.16. | 100% |
| M1016 | Regular auditing and review of logs and system activities directly supports the identification and evaluation of anomalous behaviour, fulfilling ISO27001 A.8.16's incident evaluation requirement. | 100% |
| M1020 | Implementing IOC detection mechanisms directly enables the identification of known malicious or anomalous patterns, supporting ISO27001 A.8.16's monitoring for anomalous behaviour. | 90% |
| M1040 | Endpoint detection and response (EDR) capabilities monitor system and application behaviour for anomalies, directly addressing ISO27001 A.8.16's monitoring requirement. | 90% |
| M1048 | Network Intrusion Detection Systems (NIDS) monitor network traffic for suspicious patterns and anomalous behaviour, directly supporting ISO27001 A.8.16's requirement to monitor networks. | 90% |
| M1031 | While primarily preventative, Network Intrusion Prevention Systems (NIPS) include detection capabilities that identify and alert on anomalous network behaviour, contributing to ISO27001 A.8.16. | 80% |
| M1017 | Effective user account management helps establish baselines for normal user activity, making anomalous account behaviour easier to detect and evaluate, as per ISO27001 A.8.16. | 80% |
Underlying weaknesses · 7
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-778 | A lack of comprehensive logging directly hinders the ability to monitor networks, systems, and applications for anomalous behaviour, preventing compliance with ISO27001 A.8.16. | 100% |
| CWE-862 | Absence of proper authorization checks allows unauthorized actions to occur, which, if undetected by monitoring, represents a failure to identify anomalous behaviour as per ISO27001 A.8.16. | 90% |
| CWE-284 | Weak access controls enable unauthorized activities, which monitoring aims to identify. If these controls are improper, anomalous behaviour may go undetected, violating ISO27001 A.8.16. | 90% |
| CWE-287 | Flaws in authentication mechanisms allow attackers to bypass security, leading to anomalous system access that monitoring should flag, as required by ISO27001 A.8.16. | 90% |
| CWE-922 | Misconfigurations create vulnerabilities that attackers exploit, resulting in anomalous system states or activity that monitoring must detect to comply with ISO27001 A.8.16. | 90% |
| CWE-200 | If sensitive information is exposed due to undetected anomalous behaviour (e.g., exfiltration), it indicates a failure in the monitoring required by ISO27001 A.8.16. | 80% |
| CWE-798 | Hard-coded credentials facilitate unauthorized access, leading to anomalous login or activity that monitoring systems are expected to identify and alert on, as per ISO27001 A.8.16. | 80% |
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0195 compute · voice-rubric self-validated