Privileged access events are centrally logged.
Keep logs of admin actions in a central place to monitor for misuse.
Plain language
Keeping track of what actions administrators take on computer systems is crucial. It's like having a CCTV system for your computer network. Without these records, if someone misuses their high-level access, it would be difficult to catch them or understand what went wrong.
Framework: ASD Essential Eight
Control effect: Detective
E8 mitigation strategy: Restrict administrative privileges
Classifications: N/A
Official last update: N/A
Control Stack last updated: 19 Mar 2026
E8 maturity levels: ML2
Official control statement
Privileged access events are centrally logged.
Why it matters
Lack of central logs for privileged access can obscure unauthorised activities, risking undetected insider threats and hindering incident investigation.
Operational notes
Forward privileged access logs to a central SIEM, monitor them continuously, and alert on unusual admin actions to enable timely detection and investigation.
Implementation tips
- The IT team should set up a central logging system to collect all admin activities by configuring the network to send logs to a secure server.
- System administrators should ensure that all systems are configured to log privileged actions, like changes to system settings, by using the system's built-in logging features.
- Security officers should regularly review these central logs to spot any unusual activities that might indicate misuse, by setting up a schedule for log analysis.
- The IT manager should implement alerts for any known risky activities, such as failed login attempts or changes outside of business hours, by configuring the logging system’s alerting functions.
Audit / evidence tips
- Ask: How are privileged access events logged in your organisation?
- Good: The system should automatically log all privileged access events and send them to a secure, central logging system which is regularly reviewed.
- Ask: Who regularly checks the central logs for unusual activities?
- Good: There should be a clear schedule of log reviews, and any findings should be documented and acted upon.
Cross-framework mappings
How E8-RA-ML2.6 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.15 | E8-RA-ML2.6 requires privileged access events to be centrally logged to enable monitoring and investigation of administrative misuse | |
| Supports (1) | | |
| Annex A 8.16 | E8-RA-ML2.6 requires privileged access events to be centrally logged to allow oversight and detection of misuse | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (4) | | |
| ISM-0670 | ISM-0670 requires security-relevant events for CDSs to be centrally logged | |
| ISM-1613 | E8-RA-ML2.6 requires organisations to centrally log privileged access events to support detection of misuse | |
| ISM-1650 | E8-RA-ML2.6 requires central logging of privileged access events across the environment to enable monitoring for misuse | |
| ISM-1830 | ISM-1830 requires security-relevant events for Microsoft AD DS domain controllers, AD CS CA servers, AD FS servers and Microsoft Entra Co... | |
| Partially overlaps (8) | | |
| ISM-0582 | ISM-0582 requires that security-relevant events for Microsoft Windows operating systems are centrally logged | |
| ISM-0585 | ISM-0585 requires consistent per-event fields such as who/what initiated an action, when it occurred, and which system and object were in... | |
| ISM-1537 | ISM-1537 requires organisations to centrally log security-relevant database events, including privileged user activity such as DBA action... | |
| ISM-1607 | ISM-1607 mandates integrity monitoring and centralised event logging for isolation mechanisms and host OS on shared servers | |
| ISM-1895 | ISM-1895 requires central logging of successful and unsuccessful single-factor authentication events | |
| ISM-1976 | ISM-1976 requires central logging of security-relevant events on macOS endpoints | |
| ISM-1977 | E8-RA-ML2.6 requires privileged access events to be centrally logged to detect and investigate misuse of elevated access | |
| ISM-1989 | ISM-1989 requires event logs to be retained according to AFDA Express minimum retention requirements | |
| Supports (3) | | |
| ISM-0415 | E8-RA-ML2.6 requires privileged access events to be centrally logged to detect misuse and support attribution | |
| ISM-0580 | E8-RA-ML2.6 requires privileged access events to be centrally logged as an operational control to enable monitoring and detection | |
| ISM-1983 | ISM-1983 requires event logs to be sent to a centralised event logging facility as soon as possible after they occur | |
| Related (1) | | |
| ISM-1509 | E8-RA-ML2.6 requires that privileged access events are centrally logged so privileged activity can be monitored for misuse | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.