Protect event logs from unauthorized changes
Ensure event logs cannot be changed or deleted without permission.
Plain language
Protecting event logs from unauthorised changes is like keeping a secure diary of everything that happens on your computer systems. If someone can erase or change the logs, you may never know if something bad, like a cyber attack, happened. This control ensures you have a reliable record to look back on if something goes wrong.
Framework
ASD Essential Eight
Control effect
Detective
E8 mitigation strategy
Multi-factor authentication
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2
Official control statement
Event logs are protected from unauthorised modification and deletion.
Why it matters
Unauthorised log changes can conceal security breaches, hindering forensic investigations and enabling ongoing attacks without detection.
Operational notes
Regularly audit event log integrity and alert on unauthorised modification or deletion attempts to maintain accountability and support investigations.
Implementation tips
- The IT team should ensure that event logs are stored in a secure location. This can be done by configuring logs to be automatically copied or sent to a separate, secured server.
- System administrators should set permissions so only authorised personnel can access or alter the event logs. Use built-in tools like Group Policy settings to restrict access.
- The security officer should regularly review access permissions to ensure they are up-to-date and only appropriate personnel have access.
- The IT team should implement regular backups of event logs. This can be done by scheduling automatic backups at specified intervals to avoid data loss.
- System administrators should enable audit logging to track who accesses or modifies event logs. This involves setting up monitoring systems to alert the team of any unauthorised access attempts.
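As an added example (not part of this control page), a PowerShell check an administrator could run to verify the permissions tip above: it reads the Security log channel's access descriptor and the .evtx file ACL, and flags any principal other than SYSTEM, Administrators and the EventLog service that can write to or clear the log. The trusted-principal lists are an assumption about a default Windows installation; adjust them if your organisation delegates log management.

```powershell
# Added example, not from the control page: audit who may write to or clear a
# Windows event log channel so the "only authorised personnel" tip can be verified.
# Assumes Windows PowerShell 5.1+ run from an elevated prompt.
function Test-EventLogProtection {
    param([string]$LogName = 'Security')

    # Assumed trusted principals: SYSTEM and BUILTIN\Administrators (SDDL aliases and SIDs)
    $trustedSids  = @('SY', 'BA', 'S-1-5-18', 'S-1-5-32-544')
    $trustedNames = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\EventLog')
    $findings = @()

    $log = Get-WinEvent -ListLog $LogName -ErrorAction Stop

    # 1. Channel SDDL. Event log access rights: 0x1 read, 0x2 write, 0x4 clear.
    #    Any non-trusted principal holding write or clear (mask & 0x6) is a finding.
    $acePattern = '\(A;[^;]*;([^;]*);;;([^)]+)\)'
    foreach ($m in [regex]::Matches($log.SecurityDescriptor, $acePattern)) {
        $rights = $m.Groups[1].Value
        $sid    = $m.Groups[2].Value
        if ($trustedSids -contains $sid) { continue }
        if ($rights -match '^0x[0-9a-f]+$') {
            if (([int]$rights) -band 0x6) {
                $findings += "Channel ACL grants write/clear ($rights) to $sid"
            }
        } else {
            # Symbolic rights strings are rare on log channels; do not guess, ask for review
            $findings += "Channel ACL uses symbolic rights '$rights' for $sid; review manually"
        }
    }

    # 2. File ACL on the .evtx itself: write, modify, delete or full control lets
    #    a principal tamper with the stored log regardless of the channel SDDL.
    $file = [Environment]::ExpandEnvironmentVariables($log.LogFilePath)
    foreach ($ace in (Get-Acl -Path $file).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trustedNames -contains $ace.IdentityReference.Value) { continue }
        if ($ace.FileSystemRights -match 'Write|Modify|Delete|FullControl') {
            $findings += "File ACL on $file grants $($ace.FileSystemRights) to $($ace.IdentityReference)"
        }
    }

    [pscustomobject]@{
        LogName   = $LogName
        Protected = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-EventLogProtection -LogName Security | Format-List
```

Run it against each log that feeds the central log server, and keep the output with the access review evidence; a non-empty Findings list is the trigger for the permission review described above.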
Audit / evidence tips
- Ask: How do you ensure event logs cannot be changed without permission?
- Good: Specific access permissions restrict log modifications to authorised IT personnel only.
- Ask: How is the integrity of event logs maintained over time?
- Good: Regular, automated backups occur and are logged, ensuring logs are preserved even if accidental deletions occur.
Cross-framework mappings
How E8-MF-ML2.7 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes |
|---|---|
| Partially meets (1) | |
| Annex A 8.15 | E8-MF-ML2.7 requires that event logs cannot be modified or deleted without authorisation, focusing on log integrity protections |
ASD ISM
| Control | Notes |
|---|---|
| Partially overlaps (1) | |
| ISM-1830 | ISM-1830 requires security-relevant events for Microsoft AD DS, AD CS, AD FS and Entra Connect servers to be centrally logged |
| Supports (6) | |
| ISM-0580 | E8-MF-ML2.7 requires event logs to be protected from unauthorised modification and deletion through appropriate technical and administrat... |
| ISM-1624 | E8-MF-ML2.7 requires event logs to be protected from unauthorised modification and deletion |
| ISM-1855 | ISM-1855 requires organisations to centrally log MFD printing, scanning and copying activity, including shadow copies of documents |
| ISM-1910 | ISM-1910 requires centrally logging internet-accessible network API calls that modify data or access non-public data |
| ISM-1989 | ISM-1989 requires retention of event logs in line with AFDA Express minimum retention requirements |
| ISM-2015 | ISM-2015 requires central logging of non-internet network API calls involving data modification or access to non-public data |
| Depends on (1) | |
| ISM-1607 | ISM-1607 requires monitoring and central logging for shared servers using software isolation |
| Related (1) | |
| ISM-1815 | E8-MF-ML2.7 requires that event logs are protected from unauthorised modification and deletion |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.