Protect event logs from unauthorized changes or deletion
Ensure event logs cannot be tampered with or erased without permission.
🏛️ Framework
ASD Essential Eight
🧭 Control effect
Preventative
🛠️ E8 mitigation strategy
Application hardening
🔐 Classifications
N/A
🗓️ Official last update
N/A
✏️ Control Stack last updated
19 Mar 2026
🎯 E8 maturity levels
ML2
Event logs are protected from unauthorized modification and deletion.
Source: ASD Essential Eight
Plain language
This control is about making sure that important computer records, known as event logs, can’t be changed or erased without the right permissions. Without this protection, someone with bad intentions could hide their tracks after doing something harmful to a computer system.
Why it matters
If event logs can be altered or deleted without detection, attackers can hide malicious activity, undermining forensic investigations and accountability for incidents.
Operational notes
Store logs on WORM or immutable storage and restrict log admin access; enable auditing/alerting on log changes to prevent unauthorised modification or deletion.
Implementation tips
- System administrators should ensure event logs are stored in a secure location. This can be done by configuring the system to save logs on a separate, protected server.
- The IT security team should set up access controls on the event log files. They can do this by restricting permissions so that only authorised personnel can make changes.
- System administrators should regularly back up event logs. Use automated backup tools to schedule and store backups safely.
- Security officers should implement log monitoring. Set up alerts for any changes to the logs, which can be achieved through monitoring software.
- The IT team should enable 'audit log integrity' features when available. This will add an extra layer of protection by ensuring log files are not tampered with.
Audit / evidence tips
-
Ask: How do you ensure the event logs are protected from unauthorised changes?
-
Good: Access controls are in place, limiting changes to authorised personnel only
-
Ask: How do you make sure that event logs are regularly backed up?
-
Good: Automated backups are set up to occur nightly, stored securely
Cross-framework mappings
How E8-AH-ML2.13 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | ||
| Annex A 5.33 | E8-AH-ML2.13 requires event logs to be protected from unauthorised modification and deletion to preserve their integrity for detection an... | |
| Annex A 8.15 | E8-AH-ML2.13 requires event logs to be protected from unauthorised modification and deletion | |
| Supports (1) | ||
| Annex A 5.28 | E8-AH-ML2.13 requires event logs to be protected from unauthorised modification and deletion so they remain trustworthy | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | ||
| ISM-1624 | ISM-1624 requires PowerShell script block logs to be protected using Protected Event Logging functionality | |
| ISM-1985 | E8-AH-ML2.13 requires event logs to be protected from unauthorised modification and deletion | |
| Partially overlaps (1) | ||
| ISM-0582 | ISM-0582 requires central logging of security-relevant events for Windows | |
| Supports (3) | ||
| ISM-0138 | E8-AH-ML2.13 requires protecting event logs from unauthorised modification and deletion, helping ensure logs can be relied on during inci... | |
| ISM-1910 | ISM-1910 requires centrally logging internet-accessible network API calls that modify data or access non-public data | |
| ISM-1989 | ISM-1989 requires event logs to be retained for minimum periods as set out in AFDA Express | |
| Depends on (2) | ||
| ISM-0120 | ISM-0120 requires cyber security personnel to have access to sufficient data sources and tools for monitoring indicators of compromise | |
| ISM-1509 | ISM-1509 requires privileged access events to be centrally logged so they can be monitored and relied upon during investigations | |
| Related (1) | ||
| ISM-1815 | E8-AH-ML2.13 requires event logs to be protected from unauthorised modification and deletion to prevent tampering | |