Contents
- 0.1 What SOC Teams Actually Own in ISO 27001:2022
- 0.2 🔹 Threat Detection (A.8.12, A.8.13)
- 0.3 🔹 Incident Response (part of Clauses 8–10)
- 0.4 🔹 Threat Intelligence (A.5.7)
- 0.5 🔹 Access & Identity Monitoring (A.8.3, A.8.4, A.8.2)
- 0.6 🔹 Cloud Monitoring (A.8.26)
- 0.7 🔹 Vulnerability & Exploit Monitoring (A.8.7)
- 0.8 🔹 Logging & Time Sync (A.8.12, A.8.14)
- 1 2. Interview Answer Framework: “How does a SOC support ISO 27001?”
- 2 3. SOC-Focused Control Breakdown (Interview Format)
- 3 A.5.7 – Threat Intelligence
- 4 A.8.12 – Logging
- 5 A.8.13 – Monitoring Activities
- 6 A.8.14 – Clock Synchronisation
- 7 A.8.2 – Privileged Access Monitoring
- 8 A.8.4 – Secure Authentication Monitoring
- 9 A.8.6 – Malware Protection
- 10 A.8.7 – Technical Vulnerability Management
- 11 A.8.20 – Network Security Monitoring
- 12 A.8.23 – Cloud Services Monitoring
- 13 A.8.24 – Backup & Recovery
- 14 A.8.27 – Hardening
- 15 A.8.28 – Vulnerability Scanning (SOC View)
- 16 A.8.29 – Test Data (Monitoring Angle)
- 17 A.8.30 – Secure Disposal of Cloud Artefacts
- 18 4. Interview Power Answers
What SOC Teams Actually Own in ISO 27001:2022
A SOC is primarily responsible for:
🔹 Threat Detection (A.8.12, A.8.13)
- Log ingestion
- Alerting
- Correlation rules
- Behaviour analytics
- Investigations
🔹 Incident Response (part of Clauses 8–10)
- Initial triage
- Containment recommendations
- Escalation
- Evidence preservation
- Post-incident improvement
🔹 Threat Intelligence (A.5.7)
- IOC enrichment
- Tracking campaign patterns
- Building new detections based on TTPs
🔹 Access & Identity Monitoring (A.8.3, A.8.4, A.8.2)
- MFA bypass attempts
- Privilege escalation
- Impossible travel
- Abnormal IAM events
🔹 Cloud Monitoring (A.8.26)
- CloudTrail, Azure Activity, GCP Audit logs
- Role assumption anomalies
- Public bucket exposure
- Privilege misconfigurations
🔹 Vulnerability & Exploit Monitoring (A.8.7)
- Tracking exploit attempts
- Watching for mass scanning
- Monitoring patch failures
🔹 Logging & Time Sync (A.8.12, A.8.14)
- Ensuring required logs exist
- Ensuring clocks are aligned
- Ensuring logs are tamper-evident
These are all SOC-owned, SOC-driven, and SOC-influenced.
2. Interview Answer Framework: “How does a SOC support ISO 27001?”
Use the below polished answer—it’s senior-level and hits every point:
💬 Interview-Ready Answer
*”In ISO 27001, the SOC underpins the technological controls in Annex A, especially around monitoring, logging, identity security, threat intelligence, and incident response. Our job is to make sure appropriate telemetry is collected across endpoints, identity providers, cloud platforms, and network layers.
We build and tune detections to align with the organisation’s risk profile, threat intelligence, and business processes. We ensure logging integrity, timestamp alignment, and visibility gaps are closed.
During incidents, we provide triage, containment recommendations, and evidence for Clause 10 improvement processes. We report metrics into Clause 9 performance evaluations, helping leadership understand threat trends, risk reduction, and detection maturity.
In short, the SOC is the engine room that makes ISO 27001’s monitoring and detection controls real, measurable, and defensible to auditors.”*
3. SOC-Focused Control Breakdown (Interview Format)
Each section has:
- What the control is
- What a SOC does
- A strong interview soundbite
A.5.7 – Threat Intelligence
SOC responsibility:
- Consume TI
- Enrich alerts
- Build new detections
- Monitor emerging CVEs
- Track TTPs (MITRE ATT&CK)
Interview soundbite:
“We operationalise threat intelligence by folding IOCs and TTPs into SIEM correlation rules, triaging MDR intelligence, and updating detections based on emerging threats.”
A.8.12 – Logging
SOC responsibility:
- Ensure required logs exist (IAM, EDR, network, cloud)
- Validate completeness, retention, timestamping
- Gap analysis
Interview soundbite:
“My role is ensuring full telemetry coverage across cloud, endpoint, identity, and network layers so the SOC has situational awareness.”
A.8.13 – Monitoring Activities
SOC responsibility:
- Create detection rules
- Tune alerts
- Build dashboards
- Maintain detection catalogue
- Perform continuous improvement
Interview soundbite:
“Monitoring is only effective when alerts are relevant. I reduce false positives by mapping detections to real attacker behaviour, not just raw events.”
A.8.14 – Clock Synchronisation
SOC responsibility:
- Detective control validation
- Ensuring consistent timestamps for investigations
- Spotting time drift in logs
Interview soundbite:
“Correct timestamping is fundamental. If logs are out of sync, investigations break, correlations fail, and alerts misfire.”
A.8.2 – Privileged Access Monitoring
SOC responsibility:
- Monitor admin account activity
- Alert on privilege escalation
- Detect unusual usage of service accounts
- Ensure JIT privilege access is monitored
Interview soundbite:
“Privileged accounts are the keys to the kingdom. Our SOC monitors role escalations, strange logins, and admin behaviour deviations.”
A.8.4 – Secure Authentication Monitoring
SOC responsibility:
- Detect MFA fatigue attacks
- Impossible travel
- Password spray
- Legacy auth attempts
- Conditional access bypass attempts
Interview soundbite:
“Identity is the new perimeter. Our SOC monitors authentication misuse, MFA attacks, and abnormal identity patterns.”
A.8.6 – Malware Protection
SOC responsibility:
- Alert triage from EDR
- Detect ransomware behaviours
- Monitor blocked scripts
- Identify early-stage malware execution
Interview soundbite:
“EDR telemetry is often the earliest indicator of compromise. I monitor script engines, process injection, and suspicious parent-child process chains.”
A.8.7 – Technical Vulnerability Management
SOC responsibility:
- Correlate exploit attempts with known vulnerabilities
- Alert if exploit attempts succeed
- Monitor internet-facing systems for reconnaissance
- Validate patching from a detection perspective
Interview soundbite:
“My role is to monitor exploitation attempts in real time and validate whether vulnerability management is effective from a telemetry perspective.”
A.8.20 – Network Security Monitoring
SOC responsibility:
- IDS/IPS monitoring
- Detect lateral movement
- Monitor beaconing/outbound anomalies
- DNS filtering visibility
Interview soundbite:
“I monitor for lateral movement, C2 beaconing, and suspicious east-west traffic—especially in hybrid and cloud environments.”
A.8.23 – Cloud Services Monitoring
SOC responsibility:
- CloudTrail / Azure Activity ingestion
- Detection for risky resource changes
- Alerting on new public buckets, IAM privilege changes
- Monitoring serverless, containers, and IAM roles
Interview soundbite:
“Cloud introduces identity-heavy attack paths. I monitor role assumptions, API anomalies, and resource exposures across multi-cloud workloads.”
A.8.24 – Backup & Recovery
SOC responsibility:
- Detect backup tampering
- Monitor deletion of snapshots
- Detect ransomware targeting backup infrastructure
- Ensure logs from backup platforms are ingested
Interview soundbite:
“Ransomware groups now target backups. Monitoring backup integrity and deletion events is critical to resilience.”
A.8.27 – Hardening
SOC responsibility:
- Detection rules to find deviation from hardening
- Monitoring for disabled controls (AV off, logging off, firewall off)
- Validate baseline through telemetry
Interview soundbite:
“Hardening is a preventative control, but the SOC validates it works by detecting deviations and configuration drift.”
A.8.28 – Vulnerability Scanning (SOC View)
SOC responsibility:
- Correlate scans with exploit telemetry
- Alert on vulnerable high-value assets
- Detect exploitation attempts in logs
Interview soundbite:
“Patching alone isn’t enough—SOC must validate that exploitation attempts are caught or blocked.”
A.8.29 – Test Data (Monitoring Angle)
SOC responsibility:
- Detect production data appearing in dev/test
- Monitor unusual data transfers
- Trigger alerts for DLP violations
Interview soundbite:
“Even masked data can be sensitive. I monitor for unauthorised data movement and DLP violations.”
A.8.30 – Secure Disposal of Cloud Artefacts
SOC responsibility:
- Monitor deletion of logs, snapshots, images
- Alert on suspicious teardown activity
- Track potential cover-up behaviours
Interview soundbite:
“Unexpected deletion of cloud snapshots or logs can indicate an attacker covering their tracks—SOC must alert immediately.”
4. Interview Power Answers
These are high-impact responses you can use word-for-word.
Q: How does ISO 27001 change the SOC’s responsibilities?
Answer:
“ISO 27001 formalises what a mature SOC already does—visibility, logging, monitoring, threat intel, incident response, and continuous improvement. It ensures we monitor the right controls, have audit-ready evidence, and align detections to real business risks.”
Q: What’s the most important ISO 27001 control for SOC?
Answer:
“A.8.13 Monitoring Activities. It’s the beating heart of SOC. Everything else—logging, identity, cloud, malware—feeds into effective monitoring.”
Q: How do you align SOC detections with ISO 27001?
Answer:
“I map detections to controls and MITRE ATT&CK, ensuring every required control has associated alert coverage. This highlights blind spots and drives detection engineering priorities.”
Q: How do you prove SOC effectiveness to an ISO auditor?
Answer:
“With evidence: SIEM dashboards, alert runbooks, detection coverage reports, incident handling timelines, and screenshots of logging configurations. ISO wants proof, not theory.”