Event logs are protected from unauthorised modification and deletion
Ensure that event logs cannot be changed or deleted by unauthorised users.
Plain language
Event logs are like security cameras for your computer systems. They record what's happening in the background, which can help investigate suspicious activity. If someone unauthorised could change or delete these logs, you might miss signs of a cyber attack or data breach.
Framework
ASD Essential Eight
Control effect
Detective
E8 mitigation strategy
Application control
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2
Official control statement
Event logs are protected from unauthorised modification and deletion.
Why it matters
If unauthorised changes or deletions occur, critical security events can be concealed, making it challenging to detect breaches or understand attack paths.
Operational notes
Restrict log access, use append-only or immutable storage, and monitor for deletions/changes to preserve integrity for investigations and audit.
Implementation tips
- The IT team should restrict access to event logs to authorised personnel only by setting strict user permissions.
- The system administrator should use security software to monitor event logs and alert the team if any unauthorised changes are detected.
- The security officer should ensure logs are backed up regularly, so if they are tampered with, there is always a copy to review.
- The IT team should implement logging systems that can separate and protect the event logs from regular system access, ensuring they cannot be easily modified.
- The system administrator should regularly review user permissions and modify them if necessary to ensure only trusted personnel have access to the logs.
Audit / evidence tips
- Ask: Who has access to modify or delete event logs on your systems?
- Good: Only specific IT personnel have access, and access control settings are regularly reviewed and updated.
- Ask: How are event logs monitored for unauthorised changes?
- Good: The logs are consistently monitored, and any unauthorised access attempts are logged and investigated immediately.
Cross-framework mappings
How E8-AC-ML2.6 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.15 | E8-AC-ML2.6 requires event logs to be protected from unauthorised modification and deletion to preserve their integrity and availability ... | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| ISM-1624 | ISM-1624 requires PowerShell script block logs to be protected using Protected Event Logging functionality | |
| Partially overlaps (4) | | |
| ISM-1976 | ISM-1976 requires central logging of macOS security events | |
| ISM-1985 | E8-AC-ML2.6 requires event logs to be protected from unauthorised modification and deletion, focusing on preventing tampering and removal | |
| ISM-2046 | ISM-2046 requires that where user impersonation is possible, sensitive data must not be logged and log permissions are set appropriately | |
| ISM-2052 | ISM-2052 requires that event logs produced by software protect any sensitive data contained within them | |
| Supports (9) | | |
| ISM-0580 | E8-AC-ML2.6 requires organisations to ensure event logs cannot be modified or deleted by unauthorised users | |
| ISM-0582 | E8-AC-ML2.6 requires event logs to be protected from unauthorised modification and deletion | |
| ISM-0585 | ISM-0585 requires that event logs capture key fields to support attribution and investigation | |
| ISM-0634 | E8-AC-ML2.6 requires that event logs are protected from unauthorised modification and deletion | |
| ISM-1405 | E8-AC-ML2.6 requires event logs to be protected from unauthorised modification and deletion | |
| ISM-1660 | ISM-1660 requires central logging of allowed and blocked application control events so they are available for monitoring and investigation | |
| ISM-1910 | ISM-1910 requires centrally logging internet-accessible network API calls that modify data or access non-public data | |
| ISM-1989 | ISM-1989 requires event logs to be retained in accordance with AFDA Express minimum retention requirements | |
| ISM-2015 | ISM-2015 requires central logging of non-internet network API calls that modify data or access non-public data | |
| Depends on (1) | | |
| ISM-0120 | ISM-0120 requires cyber security personnel to have access to sufficient data sources and tools so systems can be monitored for indicators... | |
| Related (1) | | |
| ISM-1815 | ISM-1815 requires event logs to be protected from unauthorised modification and deletion | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.