Following quickly on the heels of ISO27001 Annex A control (A8.15 - Logging) comes the requirement for you to monitor your systems, applications and network. After all, if you’re logging information you need to ensure someone (or some system) is looking at what’s actually happening and reacting to what is going on.
What does the standard require?
The standard states that “Networks, systems and applications shall be monitored for anomalous behaviours and appropriate actions taken to evaluate potential information security incidents.” (A8.16 – Monitoring Activities)
Why is this required?
With so much happening on your systems, or in your information processing facilities, it is important to ensure someone is monitoring this activity and responding appropriately. For example, there’s little point in having CCTV in place unless it is recording (i.e. logging) activity and someone is monitoring what is being recorded. You might have automated systems which monitor activity around your premises and alert you or your security team to the presence of intruders.
Without someone monitoring your systems, networks and applications, you can’t evaluate what is happening and take appropriate action. This can lead to disruption or data breaches, because you are not able to respond effectively or quickly enough. For example, without someone (or some system) monitoring network traffic, you might miss the fact that data is being exfiltrated on a daily basis at 2am and sent to foreign shores. Or you might not notice someone accessing, or attempting to access, a system which contains highly sensitive information.
Logging the fact that these actions are taking place is only part of the story. There’s really no point in logging information if no one is actually monitoring the logs and doing something with them.
The Post Office 'Horizon' scandal, in which hundreds of postmasters were wrongly accused of fraud, is possibly one of the biggest miscarriages of justice in the UK and a good example of systems not being monitored correctly. Of course there are many aspects to this scandal, not least of which is the personal impact on those wrongly accused, but also the damage to the reputation of the Post Office. However, if logging and monitoring of the system had been correctly implemented, then perhaps the fact that hundreds of people were all saying the same thing would have been discovered much sooner.
To put it simply: without monitoring in place you might miss what is going on, so what is the point of logging anything?
What the auditor is looking for
For this ISO27001 control, the auditor will expect to see a variety of security measures that might include:
Information security event reporting process (A6.8 - Information security event reporting)
Security Information and Event Management (SIEM) technology
Intrusion detection and/or intrusion prevention systems (IDS/IPS)
User Access Monitoring
Risk Register
Audit plans and results
Escalation and communication plans (A5.25 - Assessment and decision on information security events)
Incident logs (A5.28 - Collection of evidence)
Awareness, education and training (A6.3 - Information security awareness, education and training)
Management Review Meeting minutes and actions.
What do you need to do?
Note that this control specifically talks about networks, systems and applications, and therefore some might believe this is purely about your IT systems. However, for completeness, include how you monitor all systems, including physical security systems such as CCTV, intruder alarms, fire and smoke alarms, flood defences, and other environmental alarms and alerts.
The whole purpose of this ISO27001 control is to ensure you have early warning of events that can be evaluated for their potential to become information security incidents.
Speak to your IT team about what logs are currently being produced and how the logs are being monitored. Is this an automated system? What is the escalation process?
For example, we worked with a company who had ‘triggers’ set within their system that sent alerts to a centralised email account should there be any significant breach of a system’s threshold. However, when we spoke to their team, it quickly became apparent that monitoring of this email account was ad hoc at best, meaning that early warning signs of an issue were being missed. This led to several incidents which affected the business. We quickly resolved the issue by assigning a named individual the responsibility of monitoring the email account.
Once you have established what is being logged, you need to determine what needs to be monitored. For example, do you need to monitor who goes into and out of a particular part of the building or system? If so, you need to establish who, or what is monitoring this, and what happens if there is an issue.
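As an added illustration (not code from the original article), the following Python script shows what the 2am data transfer and sensitive-system access examples above look like once they are actually monitored rather than merely logged: two simple rules run over constructed sample log lines, and every alert is routed to a named role rather than a shared mailbox. The log format, thresholds and role names are assumptions made for the illustration.

```python
from collections import Counter
from datetime import datetime
# Constructed sample log lines (not real data): outbound transfers and access attempts.
SAMPLE_LOGS = [
    "2024-03-01T02:03:10 transfer host=fileserver01 dst=203.0.113.5 bytes=820000000",
    "2024-03-02T02:04:02 transfer host=fileserver01 dst=203.0.113.5 bytes=790000000",
    "2024-03-02T11:15:00 transfer host=fileserver01 dst=10.0.0.40 bytes=12000000",
    "2024-03-03T02:01:45 transfer host=fileserver01 dst=203.0.113.5 bytes=810000000",
    "2024-03-03T09:20:11 access user=jsmith system=hr-db result=fail",
    "2024-03-03T09:20:19 access user=jsmith system=hr-db result=fail",
    "2024-03-03T09:20:27 access user=jsmith system=hr-db result=fail",
    "2024-03-03T09:20:35 access user=jsmith system=hr-db result=fail",
    "2024-03-03T10:00:00 access user=akhan system=hr-db result=ok",
]
# Thresholds and the owner table are assumptions for this illustration; the point is
# that every rule maps to a named role responsible for acting on it, not a shared mailbox.
SENSITIVE_SYSTEMS = {"hr-db"}
OUT_OF_HOURS = range(0, 6)            # 00:00 to 05:59 local time
BULK_BYTES = 500_000_000              # 500 MB in a single transfer
FAILED_ACCESS_THRESHOLD = 3
ALERT_OWNERS = {
    "bulk_out_of_hours_transfer": "Network Team Leader",
    "repeated_failed_sensitive_access": "Service Desk Team Leader",
}

def parse(line):
    """Turn one 'timestamp kind key=value ...' line into a dict."""
    ts, kind, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "kind": kind}
    rec.update(f.split("=", 1) for f in fields)
    return rec

def alert(rule, detail):
    """Build an alert that already names the role expected to act on it."""
    return {"rule": rule, "detail": detail, "owner": ALERT_OWNERS[rule]}

def evaluate(lines):
    """Run both rules over the log lines and return the alerts in event order."""
    alerts, failures = [], Counter()
    for rec in map(parse, lines):
        if (rec["kind"] == "transfer" and rec["ts"].hour in OUT_OF_HOURS
                and int(rec["bytes"]) >= BULK_BYTES):
            alerts.append(alert("bulk_out_of_hours_transfer",
                f"{rec['host']} sent {rec['bytes']} bytes to {rec['dst']} at {rec['ts']:%H:%M}"))
        elif rec["kind"] == "access" and rec["system"] in SENSITIVE_SYSTEMS and rec["result"] == "fail":
            key = (rec["user"], rec["system"])
            failures[key] += 1
            if failures[key] == FAILED_ACCESS_THRESHOLD:  # fire once, not on every later failure
                alerts.append(alert("repeated_failed_sensitive_access",
                    f"{rec['user']} failed {failures[key]} times on {rec['system']}"))
    return alerts

if __name__ == "__main__":
    for a in evaluate(SAMPLE_LOGS):
        print(f"[{a['rule']}] {a['detail']} -> escalate to {a['owner']}")
```

On the sample data this produces three out-of-hours transfer alerts (one per night) and a single repeated-failure alert, each with the role that must act on it.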
Difficulty rating
We rate this a 2 out of 5 for difficulty. Like the ISO27001 Annex A control A8.15, this control requires some level of technical capability, but above all it requires an understanding of what needs to be monitored. Therefore, speak to asset and system owners to establish how critical the information assets are and which systems or services should be monitored.
Q&A
Do I need to buy a monitoring system?
No, you don’t need to buy a system. Of course, it might make your job easier, especially if you have a particularly complex system or network. There are Security Information and Event Management (SIEM) tools that will make it easier, but you still need a process for evaluating and responding to the alerts. Don’t simply implement a SIEM and think your job is done!
We have implemented simple processes where logs or alerts are produced and sent to a centralised email box, which is then monitored by a designated individual or role (e.g. Service Desk Team Leader). That person then has the responsibility to respond effectively to what is presented to them.
Our advice is to start simply, and understand what is being logged and who is looking at it. You can then decide if you need to buy a system to make this easier and more effective for you and your business.
More questions?
You’ve probably noticed by now that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers to other aspects of the standard. Follow the links in this control to see how it relates to other controls, but if you’re still confused about this control, then please get in touch.
For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001”, which is available on Amazon.