Intrusion Detection Requirements for ISO 27001 Compliance
At Agency, we guide clients through implementing intrusion detection controls that satisfy ISO 27001 Annex A requirements while building genuine network security capability.
"Do we need an IDS for ISO 27001?" is a question we hear regularly at Agency, and the answer is more nuanced than most companies expect. ISO 27001 does not mandate a specific intrusion detection system — but the Annex A controls it references create requirements that are very difficult to satisfy without one. Here is how we help clients navigate this.
ISO 27001's approach to intrusion detection is characteristic of the framework as a whole: it defines control objectives rather than prescribing specific technologies. The 2022 revision of ISO 27001 reorganized Annex A controls and introduced new controls that make intrusion detection capabilities more explicitly expected than in previous versions. For companies pursuing ISO 27001 certification, understanding which Annex A controls relate to intrusion detection, what auditors expect as evidence, and how to implement detection capabilities cost-effectively is essential for both passing the certification audit and building a security program that actually detects threats.
This guide maps the relevant Annex A controls to intrusion detection requirements, compares IDS and IPS approaches, provides implementation guidance for different architecture types, and explains what ISO 27001 auditors evaluate during the certification and surveillance audits.
Relevant Annex A Controls
Primary Controls Related to Intrusion Detection
The 2022 revision of ISO 27001 (ISO/IEC 27001:2022) restructured Annex A into four themes: Organizational, People, Physical, and Technological controls. Intrusion detection falls primarily under the Technological controls category.
| Control | Title | Relevance to Intrusion Detection |
|---|---|---|
| A.8.16 | Monitoring activities | The most directly relevant control — requires the organization to monitor networks, systems, and applications for anomalous behavior and take appropriate action on potential security incidents |
| A.8.15 | Logging | Requires that logs be produced, stored, protected, and analyzed — log data is the foundation of intrusion detection; without proper logging, detection capabilities cannot function |
| A.8.20 | Networks security | Requires that networks and network devices be secured, managed, and controlled to protect information — intrusion detection is a core component of network security management |
| A.8.23 | Web filtering | Requires filtering access to external websites to reduce exposure to malicious content — web filtering data feeds into detection capabilities |
| A.8.7 | Protection against malware | Requires protection against malware combined with appropriate user awareness — malware detection is a form of intrusion detection |
| A.5.25 | Assessment and decision on information security events | Requires that information security events be assessed and classified as information security incidents — intrusion detection generates the events that this control evaluates |
Supporting Controls
| Control | Title | How It Supports Intrusion Detection |
|---|---|---|
| A.5.24 | Information security incident management planning and preparation | Defines incident response procedures triggered by intrusion detection alerts |
| A.5.26 | Response to information security incidents | Specifies how detected intrusions are contained and remediated |
| A.5.28 | Collection of evidence | Guides evidence preservation when intrusion detection identifies a security incident |
| A.8.9 | Configuration management | Ensures systems are configured according to security baselines — configuration drift can indicate compromise |
| A.8.10 | Information deletion | Ensures that log data retention policies balance detection needs with data minimization requirements |
What A.8.16 (Monitoring Activities) Actually Requires
A.8.16 is the control most directly tied to intrusion detection, and it is new in the 2022 revision (it did not exist as a standalone control in ISO 27001:2013). What we tell clients is that this control effectively creates an expectation for intrusion detection capability, even though it does not use the specific term "intrusion detection system."
The control guidance in ISO 27002:2022 specifies that monitoring should include:
| Monitoring Requirement | Implementation Through Intrusion Detection |
|---|---|
| Inbound and outbound network traffic | Network-based IDS/IPS monitoring traffic flows for malicious patterns |
| System and application access patterns | Host-based IDS monitoring authentication logs and access events |
| System and application configuration changes | File integrity monitoring detecting unauthorized modifications |
| Logs from security tools | Aggregation and correlation of alerts from IDS, firewalls, endpoint detection, and other security tools |
| Event logs related to authorized and unauthorized activities | SIEM correlation of events to identify patterns indicating intrusion |
IDS vs IPS: Choosing the Right Approach
Comparison for ISO 27001 Compliance
| Dimension | Intrusion Detection System (IDS) | Intrusion Prevention System (IPS) |
|---|---|---|
| Function | Monitors and alerts on suspicious activity; does not block traffic | Monitors, alerts, and actively blocks detected threats |
| Deployment | Passive — mirrors traffic for analysis; does not sit inline | Inline — traffic flows through the IPS; can drop malicious packets |
| Risk of disruption | None — IDS cannot affect traffic flow | Moderate — false positives can block legitimate traffic |
| ISO 27001 compliance value | Satisfies monitoring and detection requirements (A.8.16) | Satisfies monitoring requirements and adds active protection |
| Operational overhead | Lower — alerts require human review but no tuning risk of blocking legitimate traffic | Higher — requires ongoing tuning to minimize false positives |
| Best for | Organizations implementing detection for the first time; environments where availability is critical | Organizations with mature security operations that can manage inline blocking |
Our Recommendation
What we recommend for most clients pursuing ISO 27001 is starting with IDS capabilities and evolving to IPS as the security operations maturity increases. ISO 27001 auditors care primarily about detection and response — they want to see that your organization can identify potential intrusions and respond appropriately. Whether you actively block the traffic in real-time (IPS) or detect and respond to it through incident response procedures (IDS) is an implementation choice, not a compliance requirement. Starting with IDS avoids the operational risk of inline blocking while satisfying the monitoring requirements of A.8.16.
Implementation Approaches
By Infrastructure Type
| Infrastructure | Recommended Approach | Tools and Services | Implementation Effort |
|---|---|---|---|
| AWS cloud-native | AWS GuardDuty for threat detection; VPC Flow Logs for network monitoring; CloudTrail for API activity monitoring; AWS Security Hub for aggregation | GuardDuty, CloudTrail, VPC Flow Logs, Security Hub | Low to moderate — GuardDuty is enablement-based with minimal configuration |
| Azure cloud-native | Microsoft Defender for Cloud for threat detection; Azure Network Watcher for network monitoring; Azure Sentinel for SIEM and correlation | Defender for Cloud, Network Watcher, Sentinel | Moderate — Sentinel requires query configuration and alert rule setup |
| GCP cloud-native | Security Command Center for threat detection; VPC Flow Logs and Packet Mirroring for network monitoring; Chronicle for SIEM | Security Command Center, Chronicle, VPC Flow Logs | Moderate — Chronicle integration requires configuration for custom detection rules |
| Hybrid (cloud + on-premises) | Cloud-native tools for cloud environments; Suricata or Zeek for on-premises network monitoring; centralized SIEM for correlation | Cloud-native tools + Suricata/Zeek + SIEM (Splunk, Elastic, Datadog) | High — requires integration across multiple environments and a centralized correlation platform |
| Fully on-premises | Network-based IDS (Suricata, Snort) at network perimeter and internal segments; host-based IDS (OSSEC, Wazuh) on critical servers; SIEM for correlation | Suricata/Snort, OSSEC/Wazuh, SIEM platform | High — requires dedicated infrastructure, sensor deployment, and ongoing rule management |
Implementation Phases
What we recommend to clients is a phased approach that builds detection capability progressively while satisfying ISO 27001 requirements at each stage.
| Phase | Timeline | What to Implement | ISO 27001 Controls Addressed |
|---|---|---|---|
| Phase 1: Foundation | Weeks 1-4 | Enable cloud-native security monitoring (GuardDuty, Defender, SCC); configure centralized logging; establish log retention policies | A.8.15 (Logging), A.8.20 (Network security) |
| Phase 2: Detection | Weeks 5-8 | Configure threat detection rules; establish alert routing and escalation; implement network traffic monitoring | A.8.16 (Monitoring activities), A.8.7 (Malware protection) |
| Phase 3: Response integration | Weeks 9-12 | Connect detection alerts to incident response procedures; establish investigation workflows; configure automated alert enrichment | A.5.24 (Incident management planning), A.5.25 (Event assessment), A.5.26 (Incident response) |
| Phase 4: Maturity | Ongoing | Tune detection rules based on false positive rates; add custom detection for organization-specific threats; implement correlation across sources; conduct detection testing exercises | A.8.16 (Monitoring activities — continuous improvement) |
Tools and Vendors
Intrusion Detection Tool Landscape
| Category | Tools | Cost Range (Annual) | Best For |
|---|---|---|---|
| Cloud-native detection | AWS GuardDuty, Azure Defender, GCP Security Command Center | $3,000-$25,000 depending on usage | Cloud-first organizations; lowest implementation overhead |
| Open-source network IDS | Suricata, Snort, Zeek | Free (software) + $10,000-$50,000 (infrastructure and labor) | Organizations with security engineering resources; on-premises or hybrid environments |
| Open-source host IDS | Wazuh, OSSEC | Free (software) + $10,000-$40,000 (infrastructure and labor) | Server-level detection; file integrity monitoring; compliance-focused detection |
| Commercial SIEM | Splunk, Datadog Security, Elastic Security | $15,000-$150,000+ depending on data volume | Organizations needing centralized correlation across multiple detection sources |
| Managed detection and response (MDR) | Arctic Wolf, Expel, Red Canary, CrowdStrike Falcon Complete | $30,000-$150,000+ depending on scope | Organizations without dedicated security operations teams; 24/7 monitoring capability |
| Endpoint detection and response (EDR) | CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint | $20-$50 per endpoint per month | Host-level threat detection and response; complements network-based detection |
Vendor Selection for ISO 27001
What we tell clients is that the vendor selection should be driven by three factors: infrastructure type, security operations maturity, and budget. Cloud-native organizations with limited security staff should start with cloud-native detection tools (GuardDuty, Defender, SCC) combined with a managed detection and response service. Organizations with dedicated security teams can consider open-source or commercial SIEM solutions that provide more customization but require more operational investment.
Evidence Requirements for ISO 27001 Auditors
What Auditors Evaluate
| Evidence Type | What the Auditor Expects | Common Gaps We See |
|---|---|---|
| Monitoring policy | Documented policy defining what is monitored, how monitoring is performed, who reviews alerts, and escalation procedures | Policy exists but does not cover all systems within the ISMS scope; policy is generic and not tailored to the organization |
| System architecture documentation | Diagram showing where detection capabilities are deployed relative to network architecture and data flows | Detection deployment does not cover all network segments within the ISMS scope; documentation is outdated |
| Alert configuration evidence | Screenshots or exports showing configured detection rules, alert thresholds, and notification routing | Alerts are configured but only for a subset of systems; default rules are in place without customization |
| Alert review evidence | Records showing that alerts are reviewed by qualified personnel within defined timeframes | No evidence of regular alert review; alerts are generated but accumulate without response |
| Incident response integration | Evidence that detection alerts feed into incident response procedures with documented escalation paths | Detection and incident response are disconnected; alerts exist but no documented process for triaging and escalating them |
| Log retention evidence | Evidence that logs supporting detection are retained according to the defined retention policy | Logs are overwritten before the retention period expires; retention policy does not specify detection-relevant log sources |
| Testing evidence | Records of detection capability testing (tabletop exercises, purple team exercises, or detection rule testing) | No evidence that detection capabilities have been tested — the organization assumes they work without verification |
Surveillance Audit Considerations
ISO 27001 certification involves an initial certification audit followed by annual surveillance audits and a recertification audit every three years. What we tell clients is that auditors pay particular attention to intrusion detection during surveillance audits because it is an operational control — they want to see that detection capabilities have been maintained, alerts have been reviewed consistently, and incidents have been managed through the defined process.
| Audit Stage | Intrusion Detection Focus |
|---|---|
| Stage 1 (documentation review) | Monitoring policy exists; detection capabilities are described in the Statement of Applicability; risk assessment identifies threats that detection addresses |
| Stage 2 (implementation audit) | Detection tools are deployed; alerts are configured; evidence of alert review and incident response; logs are being collected and retained |
| Surveillance audit (Year 1) | Continuous operation of detection capabilities; evidence of alert review over the surveillance period; any incidents detected and managed; improvement actions from initial audit addressed |
| Surveillance audit (Year 2) | Same as Year 1; auditor may request evidence of detection rule updates or tuning; evidence of detection testing exercises |
| Recertification audit (Year 3) | Full reassessment of detection capability maturity; evidence of continuous improvement in detection coverage and effectiveness |
Integration with the Broader ISMS
How Intrusion Detection Connects to ISMS Processes
| ISMS Process | Integration with Intrusion Detection |
|---|---|
| Risk assessment (Clause 6.1) | Detection requirements are derived from risk assessment findings — threats identified in the risk assessment should have corresponding detection controls |
| Statement of Applicability (Clause 6.1.3) | A.8.16, A.8.15, A.8.20, and related controls are declared applicable with implementation descriptions referencing specific detection tools and processes |
| Incident management (A.5.24-A.5.28) | Detection alerts are the primary input to the incident management process; detection capabilities must be calibrated to generate events that the incident response team can evaluate |
| Internal audit (Clause 9.2) | Internal audits should test detection effectiveness — not just that tools are deployed but that they actually detect test scenarios |
| Management review (Clause 9.3) | Detection metrics (alerts generated, alerts reviewed, incidents detected, false positive rates) should be reported to management as part of ISMS performance reporting |
| Continual improvement (Clause 10.1) | Detection rule updates, coverage expansion, and false positive reduction are improvement actions that demonstrate the ISMS is evolving |
Common ISMS Integration Mistakes
| Mistake | Impact | What We Recommend |
|---|---|---|
| Deploying detection tools without connecting them to the incident response process | Alerts are generated but never acted upon; auditor identifies a gap between detection and response | Define alert routing, triage procedures, and escalation paths before enabling detection alerts |
| Not including detection capabilities in the internal audit program | No evidence that detection effectiveness has been independently assessed | Include detection testing in the annual internal audit plan — test whether alerts fire for known attack patterns |
| Treating detection as a one-time implementation | Detection rules become stale; new threats are not covered; false positive rates increase over time | Establish a quarterly review cycle for detection rules; update rules based on threat intelligence and incident lessons learned |
| Not reporting detection metrics to management | Management review lacks security operations data; ISMS performance reporting is incomplete | Include detection metrics (alert volume, response times, incidents detected, false positive rates) in the management review input |
Key Takeaways
- In our experience, ISO 27001 control A.8.16 (Monitoring activities) — new in the 2022 revision — effectively creates an intrusion detection requirement even though ISO 27001 does not mandate a specific IDS product; companies that attempt ISO 27001 certification without detection capabilities will struggle to demonstrate compliance with this control
- What we recommend is starting with IDS (detection and alerting) rather than IPS (inline blocking), particularly for organizations implementing detection for the first time — auditors care about detection and response capability, not whether you actively block traffic inline, and IDS avoids the operational risk of false-positive traffic blocking
- In our experience, cloud-native organizations get the fastest path to compliance by enabling cloud-native detection tools (AWS GuardDuty, Azure Defender, GCP Security Command Center) as a foundation, then layering centralized log analysis and custom detection rules on top
- What we tell clients is that the most common audit finding related to intrusion detection is not the absence of detection tools but the absence of evidence that alerts are reviewed and acted upon — deploying an IDS is necessary but not sufficient; you must demonstrate an operational alert review process
- We recommend a phased implementation approach: logging foundation first, then detection rules, then incident response integration, then maturity activities — this allows you to demonstrate progress toward compliance even before full detection capability is operational
- In our experience, the integration between intrusion detection and the broader ISMS is where most organizations fall short — detection capabilities must connect to risk assessment, incident management, internal audit, and management review processes to satisfy the ISO 27001 management system requirements
- We help clients select the right detection tools for their infrastructure, configure alerts that generate actionable evidence, and build the operational processes that auditors evaluate during certification and surveillance audits
Agency Team
Agency Insights
Expert guidance on cybersecurity compliance from Agency's advisory team.
LinkedIn
