ISO 27001:2022 defines, in Annex A, a structured catalog of controls that organizations can use to systematically manage information security risks. In this blog series, we present selected information security measures and demonstrate how organizations can apply them in practice to effectively secure their IT, cloud, development, and application environments.

This post focuses on the balance between detection and prevention: We show how companies can detect threats early and contain security incidents more quickly. In doing so, we look specifically at controls related to threat intelligence, activity monitoring, and web filtering.

What do prevention and detection mean?

Prevention refers to measures taken to prevent cyberattacks, while detection aims to identify attacks at an early stage.

Prevention encompasses all organizational and technical precautions designed to prevent security incidents from occurring in the first place - such as access controls, system hardening, or web filtering.

However, since no protection is complete, detection is becoming increasingly important: It involves the continuous monitoring of systems and activities to identify anomalies, suspicious patterns, or actual attacks as early as possible. Only the combination of both approaches enables companies not only to prevent security incidents but also to quickly detect, contain, and respond effectively to them in the event of an emergency.

 

Information Security Between Prevention and Early Attack Detection

The immense value of information and data in the business world of the 21st century is increasingly forcing companies and organizations to focus on information security management and data protection and to invest in the systematic protection of their digital assets. Why? In dynamic threat landscapes, attackers’ tactics are becoming increasingly sophisticated and multifaceted—resulting in serious damage to the image and reputation of affected companies and billions of dollars in economic losses worldwide each year due to inadequate information security.

Today’s cyber threat landscapes are thus changing rapidly. Accordingly, it is essential to keep the systematic safeguarding of information security constantly up to date with the latest technology and to further develop it - using a modern, broad, and flexible catalog of contemporary security measures. ISO/IEC 27001:2022 supports precisely this goal and introduces eleven new measures compared to the previous version; in the following, we will examine three of these in greater detail, as they are effective in attack prevention and detection.

Experts agree that there is no longer such a thing as complete protection against cyberattacks - if only because of the “human” factor. This makes it all the more important to detect potential and actual attacks early on in order to limit their lateral movement within corporate networks and keep the number of vulnerable systems as low as possible.

However, there is still a huge need for improvement in this area: Findings from IBM’s “Cost of a Data Breach Report 2025” show that companies currently take an average of 241 days to detect and contain an attack. While this is an improvement over 2022, when it took 277 days, it still highlights how long attacks often go undetected.

How does ISO 27001 enhance detection and prevention?

The standard provides structured and practical guidance for the implementation of the security measures outlined in Annex A. Newly included are generic measures that enable strategic attack prevention and faster detection.

In total, Annex A of ISO 27001 now comprises 93 measures, which have been reorganized into four subject areas as part of the update:

  • Organizational measures
  • Personnel-related measures
  • Physical measures
  • Technological measures

Three of these security controls relate to the prevention and timely detection of cyberattacks. In the following, we will examine these controls and their significance for detection and prevention in more detail.

  • 5.7 “Threat Intelligence” (organizational)
  • 8.16 “Activity Monitoring” (technological)
  • 8.23 “Web Filtering” (technological)

DIN EN ISO/IEC 27001:2024-01

Information security, cybersecurity, and data protection – Information security management systems – Requirements

The German DIN standard is available from DIN Media.

What is threat intelligence?

Control 5.7 “Threat Intelligence” enables the systematic collection and analysis of information about current and potential threats in order to identify risks at an early stage and develop appropriate protective measures.

Organizational measure 5.7 addresses the systematic collection and analysis of information about relevant threats. The purpose is to raise organizations’ awareness of their own threat landscape so that they can subsequently take appropriate measures to mitigate risks. Threat data should be analyzed in a structured manner according to three aspects: strategic, tactical, and operational.

Strategic threat analysis provides insights into evolving threat landscapes, such as attack methods and the actors involved (state-sponsored actors, cybercriminals, contract attackers, hacktivists, etc.).

National and international government agencies, as well as non-profit organizations and relevant forums, provide well-researched threat intelligence across all industries and critical infrastructures. Examples include

  • the BSI – Federal Office for Information Security
  • the ENISA – European Union Agency for Cybersecurity, or
  • the NIST – National Institute of Standards and Technology

Tactical threat data and its analysis enable assessments of attackers’ methods, tools, and technologies. The operational analysis of specific threats provides detailed information on particular attacks, including technical indicators—such as the current extreme increase in cyberattacks via ransomware and its variants in 2022.

Threat analysis can provide support as follows:

  • procedurally, for integrating threat data into the risk management process,
  • technically, for prevention and detection, for example by updating firewall rules, intrusion detection systems (IDS), and anti-malware solutions,
  • by providing input data for specific testing procedures and techniques related to information security.

The data quality from organizational control 5.7 for determining the threat situation and its analysis directly impacts the two technical measures described below for monitoring activities (8.16) and web filtering (8.23), which have been included in the current guideline ISO/IEC 27002.

What is meant by activity monitoring?

Activity monitoring (Control 8.16) refers to the continuous analysis of system, network, and application behavior to detect deviations (anomalies) in order to identify potential security incidents at an early stage and respond to them.

Control 8.16, a detective and corrective technological measure for monitoring activities, focuses on anomaly detection as a method of threat mitigation. Networks, systems, and applications behave according to expected patterns, for example in data throughput, protocols, and messages. Any change or deviation from these expected patterns is detected as an anomaly.

To detect this unusual behavior, it is necessary to monitor relevant activities in accordance with business and information security requirements and to compare any anomalies with existing threat data, among other things (Control 5.7). The following aspects are relevant for the monitoring system:

  • Incoming and outgoing network, system, and application traffic
  • Access to systems, servers, network equipment, monitoring systems, critical applications, etc.
  • System and network configuration files at the administrative or business-critical level
  • Logs from security tools—including antivirus, intrusion detection systems (IDS), intrusion prevention systems (IPS), web filters, firewalls, and data exfiltration prevention
  • Event logs related to system and network activities
  • Verification that executable code within a system is intact and authorized
  • Resource usage, such as processor power, hard disk capacity, memory usage, and bandwidth

The basic prerequisites for effective activity monitoring are a cleanly and transparently configured IT/OT infrastructure and flawlessly functioning IT/OT networks. Any deviation from this baseline state is detected as a potential threat to functionality and thus as an anomaly. Depending on the complexity of an infrastructure, implementing this measure remains a major challenge despite relevant vendor solutions.
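The following is an added illustration of the baseline-deviation idea behind Control 8.16, not code from the post or from DQS: a per-host outbound-traffic baseline is built from constructed sample values, new observations are scored as deviations from it, and destinations are compared against a constructed threat-intelligence indicator set standing in for the input from Control 5.7. All hostnames and volumes are placeholders.

```python
import statistics
from dataclasses import dataclass

# Constructed sample baseline (not from the post): hourly outbound bytes per host
# over seven clean hours, standing in for the "expected pattern" of the asset.
BASELINE = {
    "ws-042": [1_200_000, 1_000_000, 1_400_000, 900_000, 1_300_000, 1_100_000, 1_200_000],
    "srv-db1": [8_000_000, 7_500_000, 8_200_000, 7_900_000, 8_100_000, 7_800_000, 8_000_000],
}

# Constructed indicators from the threat-intelligence process (Control 5.7);
# placeholder hostnames, not real indicators.
THREAT_INTEL_DOMAINS = {"c2.example.invalid", "loader.example.invalid"}


@dataclass
class Observation:
    host: str            # monitored asset
    dest: str            # destination hostname of the outbound traffic
    outbound_bytes: int  # bytes sent in the observed hour


def zscore(value, samples):
    """How many standard deviations `value` lies from the baseline mean."""
    mean = statistics.fmean(samples)
    stdev = statistics.pstdev(samples)
    if stdev == 0:
        return 0.0 if value == mean else float("inf")
    return (value - mean) / stdev


def assess(obs, baseline=BASELINE, intel=THREAT_INTEL_DOMAINS, threshold=3.0):
    """Return the findings for one observation; an empty list means 'normal'."""
    findings = []
    samples = baseline.get(obs.host)
    if samples is None:
        # An asset without a baseline is itself a deviation from the documented state.
        findings.append("no baseline for host")
    elif zscore(obs.outbound_bytes, samples) > threshold:
        findings.append("outbound volume anomaly")
    if obs.dest.lower() in intel:
        findings.append("destination matches threat intelligence indicator")
    return findings


if __name__ == "__main__":
    for o in (Observation("ws-042", "intranet.example.com", 1_300_000),
              Observation("ws-042", "files.example.com", 9_000_000),
              Observation("ws-042", "c2.example.invalid", 1_300_000)):
        print(o.host, "->", o.dest, assess(o) or ["normal"])
```

In a real deployment the baseline window, the z-score threshold and the indicator feed would come from the organization's own monitoring and threat-intelligence processes rather than from constants.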

The importance of anomaly detection systems was recognized by regulators for operators of so-called critical infrastructures almost simultaneously with the implementation of ISO 27001 Measure 8.16. Consequently, within the national scope of relevant legal regulations, these operators are obligated to effectively implement so-called intrusion detection systems with time-based thresholds.

What is web filtering?

Web filtering (Control 8.23) refers to the preventive monitoring and restriction of web access to prevent access to harmful or unwanted online resources and protect systems from malware and other threats.

The internet is both a blessing and a curse. Access to dubious websites remains a gateway for malicious content and malware. Security measure 8.23 aims to proactively protect an organization’s systems from malware intrusion and prevent access to unauthorized web resources.

To this end, organizations should establish rules for the secure and appropriate use of online resources, including mandatory access restrictions to undesirable or inappropriate websites and web-based applications. Access to the following types of websites should be blocked by the company:

  • Websites that have a feature for uploading information - unless this is necessary for legitimate business reasons
  • Known or suspected malicious websites
  • Command-and-control servers
  • Malicious websites identified as such based on threat intelligence (see Control 5.7)
  • Websites with illegal content
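As an added example (not code from the post or from DQS) of how the block categories above translate into a filtering decision, the function below classifies a requested URL against constructed category tables: a blocked-host table, an indicator set standing in for Control 5.7 input, and an upload-capable list that is only permitted where a business allowlist entry exists. Parent-domain matching and the fail-closed handling of requests without a hostname are assumptions of this example; all hostnames are placeholders.

```python
from urllib.parse import urlsplit

# Constructed category data; every hostname is a placeholder, not a real indicator.
BLOCKED_HOSTS = {
    "malware.example.invalid": "known or suspected malicious website",
    "c2.example.invalid": "command-and-control server",
    "illegal.example.invalid": "illegal content",
}
# Indicators handed over by the threat-intelligence process (Control 5.7).
THREAT_INTEL_HOSTS = {"loader.example.invalid"}
# Sites with an upload feature: blocked unless a legitimate business reason exists.
UPLOAD_CAPABLE_HOSTS = {"share.example.invalid", "partner-portal.example.invalid"}
BUSINESS_ALLOWLIST = {"partner-portal.example.invalid"}


def _matches(host, names):
    """Match the host or any parent domain, so sub.c2.example.invalid is caught too."""
    parts = host.split(".")
    return any(".".join(parts[i:]) in names for i in range(len(parts)))


def _category(host, table):
    """Return the category of the host or of its closest listed parent domain."""
    parts = host.split(".")
    for i in range(len(parts)):
        cat = table.get(".".join(parts[i:]))
        if cat:
            return cat
    return None


def evaluate(url):
    """Return ("block" | "allow", reason) for one requested URL."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        # Assumption: fail closed when no hostname can be determined from the request.
        return "block", "no hostname in request"
    cat = _category(host, BLOCKED_HOSTS)
    if cat:
        return "block", cat
    if _matches(host, THREAT_INTEL_HOSTS):
        return "block", "flagged by threat intelligence (Control 5.7)"
    if _matches(host, UPLOAD_CAPABLE_HOSTS) and not _matches(host, BUSINESS_ALLOWLIST):
        return "block", "upload feature without business justification"
    return "allow", "not in any blocked category"
```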

Web filtering measures are only effective with trained staff who are sufficiently aware of the secure and appropriate use of online resources.

 

Strengthen detection and prevention in a targeted manner

Conclusion

The detection and prevention measures described here enhance security in the management of information security and cybersecurity. They play a key role in defending against organized cybercrime and have rightly been incorporated into the current versions of ISO 27001 and ISO 27002.

By continuously updating and analyzing available threat intelligence, conducting comprehensive activity monitoring within their own IT infrastructures, and securing their systems against suspicious websites, organizations can sustainably strengthen their protection against the intrusion of dangerous malware. Additionally, they position themselves to initiate appropriate response measures at an early stage.

Companies and organizations must now implement the three controls for prevention and detection accordingly and integrate them consistently into their information security management to meet the requirements of future certification audits. For more than 40 years, DQS has built comprehensive expertise in impartial audits and certifications - and is happy to support you with your ISO 27001 information security management system.

Author

Markus Jegelka

DQS expert for information security management systems (ISMS) and long-time auditor for the standards ISO 9001, ISO/IEC 27001 and IT security catalog according to para 11.1a/b of the German Energy Industry Act (EnWG) with test procedure competence for § 8a (3) BSIG
