Privileged access events are centrally logged.
Keep logs of admin actions in a central place to monitor for misuse.
- Framework: ASD Essential Eight
- Control effect: Detective
- E8 mitigation strategy: Restrict administrative privileges
- Classifications: N/A
- Official last update: N/A
- Control Stack last updated: 22 Feb 2026
- E8 maturity levels: ML2
Privileged access events are centrally logged.
Source: ASD Essential Eight
Plain language
Keeping track of what actions administrators take on computer systems is crucial. It's like having a CCTV system for your computer network. Without these records, if someone misuses their high-level access, it would be difficult to catch them or understand what went wrong.
Why it matters
Lack of central logs for privileged access can obscure unauthorised activities, risking undetected insider threats and hindering incident investigation.
Operational notes
Forward privileged access logs to a central SIEM, monitor them continuously, and alert on unusual admin actions to enable timely detection and investigation.
Implementation tips
- The IT team should set up a central logging system to collect all admin activities by configuring the network to send logs to a secure server.
- System administrators should ensure that all systems are configured to log privileged actions, like changes to system settings, by using the system's built-in logging features.
- Security officers should regularly review these central logs to spot any unusual activities that might indicate misuse, by setting up a schedule for log analysis.
- The IT manager should implement alerts for any known risky activities, such as failed login attempts or changes outside of business hours, by configuring the logging system’s alerting functions.
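The alerting tip above, sketched as detection logic over centrally collected events. This is an added example, not part of the Essential Eight or of Control Stack; the JSON-lines schema (`ts`, `host`, `user`, `action`, `outcome`), the account and host names, the business-hours definition and the failure threshold are all assumptions, and the sample events are constructed.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values; replace with the organisation's own definitions.
BUSINESS_HOURS = range(8, 18)        # 08:00-17:59, Monday to Friday
FAIL_THRESHOLD = 3                   # failed privileged logins ...
FAIL_WINDOW = timedelta(minutes=10)  # ... per account within this window

# Constructed sample events in a hypothetical JSON-lines schema.
SAMPLE_EVENTS = """\
{"ts": "2026-02-16T10:05:40", "host": "dc01", "user": "adm-kim", "action": "config_change", "outcome": "success"}
{"ts": "2026-02-17T02:14:03", "host": "fs02", "user": "adm-lee", "action": "config_change", "outcome": "success"}
{"ts": "2026-02-17T09:00:01", "host": "dc01", "user": "adm-ray", "action": "login", "outcome": "failure"}
{"ts": "2026-02-17T09:03:30", "host": "dc01", "user": "adm-ray", "action": "login", "outcome": "failure"}
{"ts": "2026-02-17T09:07:59", "host": "dc01", "user": "adm-ray", "action": "login", "outcome": "failure"}
not-json: truncated record
"""

def parse_events(text):
    """Return (events sorted by time, line numbers that failed to parse)."""
    events, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
        except (ValueError, KeyError, TypeError):
            malformed.append(lineno)  # a gap in the record is itself worth reviewing
    return sorted(events, key=lambda e: e["ts"]), malformed

def detect(events):
    """Return (rule, user, host, timestamp) tuples for each alert condition."""
    alerts, recent_failures = [], defaultdict(deque)
    for ev in events:
        ts, user = ev["ts"], ev["user"]
        in_hours = ts.weekday() < 5 and ts.hour in BUSINESS_HOURS
        if ev["action"] == "config_change" and not in_hours:
            alerts.append(("out_of_hours_change", user, ev["host"], ts.isoformat()))
        if ev["action"] == "login" and ev["outcome"] == "failure":
            window = recent_failures[user]
            window.append(ts)
            while ts - window[0] > FAIL_WINDOW:   # drop failures older than the window
                window.popleft()
            if len(window) == FAIL_THRESHOLD:     # fires when the count reaches the threshold
                alerts.append(("repeated_failed_login", user, ev["host"], ts.isoformat()))
    return alerts
```

Calling `detect(parse_events(SAMPLE_EVENTS)[0])` flags the 02:14 change and the third failed login; the unparsed line number is returned separately so that dropped records are reviewed rather than lost.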
Audit / evidence tips
- Ask: How are privileged access events logged in your organisation?
- Good: The system should automatically log all privileged access events and send them to a secure, central logging system which is regularly reviewed.
- Ask: Who regularly checks the central logs for unusual activities?
- Good: There should be a clear schedule of log reviews, and any findings should be documented and acted upon.
Cross-framework mappings
How E8-RA-ML2.6 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.15 | E8-RA-ML2.6 requires a specific logging outcome: privileged access events are centrally logged for monitoring | |
| Supports (1) | | |
| Annex A 8.16 | E8-RA-ML2.6 requires privileged access events to be centrally logged to allow oversight and detection of misuse | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (3) | | |
| ISM-0670 | ISM-0670 requires security-relevant events for CDSs to be centrally logged | |
| ISM-1650 | ISM-1650 requires privileged user account and security group management events to be centrally logged | |
| ISM-1830 | ISM-1830 requires security-relevant events for Microsoft AD DS domain controllers, AD CS CA servers, AD FS servers and Microsoft Entra Co... | |
| Partially overlaps (9) | | |
| ISM-0582 | ISM-0582 requires that security-relevant events for Microsoft Windows operating systems are centrally logged | |
| ISM-0585 | ISM-0585 requires consistent per-event fields such as who/what initiated an action, when it occurred, and which system and object were in... | |
| ISM-1537 | ISM-1537 requires organisations to centrally log security-relevant database events, including privileged user activity such as DBA action... | |
| ISM-1607 | ISM-1607 mandates integrity monitoring and centralised event logging for isolation mechanisms and host OS on shared servers | |
| ISM-1613 | E8-RA-ML2.6 requires privileged access events to be centrally logged to enable oversight of administrative activity | |
| ISM-1895 | ISM-1895 requires central logging of successful and unsuccessful single-factor authentication events | |
| ISM-1976 | ISM-1976 requires central logging of security-relevant events on macOS endpoints | |
| ISM-1977 | ISM-1977 requires security-relevant events for Linux operating systems to be centrally logged | |
| ISM-1989 | ISM-1989 requires event logs to be retained according to AFDA Express minimum retention requirements | |
| Supports (1) | | |
| ISM-1983 | ISM-1983 requires event logs to be sent to a centralised event logging facility as soon as possible after they occur | |
| Depends on (1) | | |
| ISM-0580 | E8-RA-ML2.6 requires organisations to centrally log privileged access events to enable monitoring and detection of misuse | |
| Related (1) | | |
| ISM-1509 | E8-RA-ML2.6 requires privileged access events to be centrally logged to enable monitoring for misuse | |