Centrally log privileged account and group management events
Ensure logs of admin account and group changes are stored in one place.
Plain language
Imagine all the important door keys in your business on one keychain. If you lose that keychain, someone could access everything. Similarly, if changes to your admin accounts aren't logged in one central place and someone gets into those accounts, it could mean trouble. Logging these changes helps you track and respond quickly to anything suspicious.
Framework
ASD Essential Eight
Control effect
Detective
E8 mitigation strategy
Restrict administrative privileges
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2
Official control statement
Privileged account and group management events are centrally logged.
Why it matters
Without central logging, unauthorised privileged account or group changes can go undetected, enabling persistence, fraud or sabotage.
Operational notes
Centrally collect administrator account and group change events from every system, and alert on unexpected additions to or removals from privileged groups and on sudden privilege grants.
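The alerting described in the operational note, as an added example that is not the page's or ASD's own code: a detector run over constructed JSON records of the kind a central collector might hold, which flags privileged-group changes without an approved change ticket and grants that are reverted within an hour. The Windows Security event IDs (4728/4732/4756 for group member additions, 4729/4733/4757 for removals) are real; the record layout, hosts, account names, group list and approved-ticket list are assumptions.

```python
"""Detect unexpected privileged-group changes in centrally collected logs.
Added example, not code from the page or from ASD; the JSON record format,
group names, event records and approved-ticket list are all constructed."""
import json
from datetime import datetime, timedelta

# Groups whose membership changes always warrant review (assumed list).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "sudo"}
# Windows Security event IDs: member added to / removed from a security-enabled
# global, local or universal group.
GROUP_ADD_EVENTS = {4728, 4732, 4756}
GROUP_REMOVE_EVENTS = {4729, 4733, 4757}

# Constructed sample of what a central collector might hold (one JSON record per line).
SAMPLE_LOG = """
{"time": "2026-03-19T08:00:00", "host": "DC01", "event_id": 4728, "actor": "svc_iam", "member": "j.smith", "group": "Domain Admins", "ticket": "CHG-1042"}
{"time": "2026-03-19T08:05:00", "host": "DC01", "event_id": 4728, "actor": "t.brown", "member": "t.brown", "group": "Domain Admins", "ticket": null}
{"time": "2026-03-19T08:40:00", "host": "DC01", "event_id": 4729, "actor": "t.brown", "member": "t.brown", "group": "Domain Admins", "ticket": null}
{"time": "2026-03-19T09:00:00", "host": "FS02", "event_id": 4732, "actor": "helpdesk", "member": "a.lee", "group": "Remote Desktop Users", "ticket": null}
""".strip()
APPROVED_TICKETS = {"CHG-1042"}

def detect_unexpected_changes(log_text, approved_tickets, window=timedelta(hours=1)):
    """Return alert strings for (a) privileged-group adds/removes with no
    approved change ticket and (b) adds reverted within `window`, a pattern
    that point-in-time group reviews miss and only a central log exposes."""
    alerts, recent_adds = [], {}
    for line in log_text.splitlines():
        ev = json.loads(line)
        if ev.get("group") not in PRIVILEGED_GROUPS:
            continue  # change to a non-privileged group: keep the log, no alert
        if ev["event_id"] in GROUP_ADD_EVENTS:
            action = "added to"
        elif ev["event_id"] in GROUP_REMOVE_EVENTS:
            action = "removed from"
        else:
            continue
        ts = datetime.fromisoformat(ev["time"])
        key = (ev["member"], ev["group"])
        if ev.get("ticket") not in approved_tickets:
            alerts.append(f"{ev['member']} {action} {ev['group']} by {ev['actor']} on {ev['host']} with no approved ticket")
        if action == "added to":
            recent_adds[key] = ts
        elif key in recent_adds and ts - recent_adds[key] <= window:
            alerts.append(f"{ev['member']} held {ev['group']} for only {ts - recent_adds[key]} (short-lived grant)")
    return alerts

if __name__ == "__main__":
    for alert in detect_unexpected_changes(SAMPLE_LOG, APPROVED_TICKETS):
        print("ALERT:", alert)
```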
Implementation tips
- The IT team should set up a central logging system. Do this by configuring all servers and devices to send their logs of admin account and group changes to one secure location.
- System administrators need to ensure logging is enabled on all systems. Check that every system is configured to record changes to who has admin access.
- Security officers should review the central logs regularly. Schedule weekly checks to look for unusual changes or patterns in admin account activities.
- The IT manager should implement access controls on the logging system. Only authorised personnel should have access, ensuring the logs themselves are protected against tampering.
- IT staff should back up logs regularly. Create an automated system that backs up logs daily to prevent loss of data due to system failures.
Audit / evidence tips
- Ask: How do you ensure that all admin account changes are logged centrally?
- Good: All systems are set up to automatically send logs of admin changes to a secure, central logging solution.
- Ask: Who reviews the central logs and how often?
- Good: The security officer reviews logs weekly, with documented notes on any anomalies and actions taken.
Cross-framework mappings
How E8-RA-ML2.7 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 8.15 | Partially meets | E8-RA-ML2.7 requires central logging of privileged account and group management events |
| Annex A 5.28 | Supports | E8-RA-ML2.7 requires privileged account and group management events to be centrally logged |
| Annex A 8.17 | Supports | E8-RA-ML2.7 requires privileged account and group management events to be centrally logged |
ASD ISM
| Control | Relationship | Notes |
|---|---|---|
| ISM-1509 | Partially meets | E8-RA-ML2.7 requires privileged account and group management events to be centrally logged |
| ISM-0585 | Partially overlaps | E8-RA-ML2.7 requires central logging of privileged account and group management events |
| ISM-1537 | Partially overlaps | E8-RA-ML2.7 requires central logging of privileged account and group management events |
| ISM-1613 | Partially overlaps | ISM-1613 requires that use of break glass accounts is centrally logged |
| ISM-1620 | Partially overlaps | ISM-1620 requires privileged user accounts to be members of the AD Protected Users group to strengthen protection of privileged identities |
| ISM-1623 | Partially overlaps | E8-RA-ML2.7 requires privileged account and group management events to be centrally logged for visibility of administrative changes |
| ISM-1976 | Partially overlaps | ISM-1976 requires central logging of security-relevant events on macOS systems |
| ISM-1977 | Partially overlaps | ISM-1977 requires security-relevant events for Linux operating systems to be centrally logged |
| ISM-0988 | Supports | E8-RA-ML2.7 requires privileged account and group management events to be centrally logged |
| ISM-1614 | Supports | ISM-1614 requires break glass account credentials to be changed after they are accessed by another party |
| ISM-1939 | Supports | ISM-1939 requires minimising membership of highly privileged security groups such as Domain Admins and Enterprise Admins |
| ISM-1941 | Supports | ISM-1941 requires that computer accounts are not placed into highly privileged AD security groups (e.g |
| ISM-1953 | Supports | ISM-1953 focuses on ensuring the built-in domain Administrator credentials are strong (long, unique, unpredictable) and properly managed |
| ISM-0580 | Depends on | E8-RA-ML2.7 requires privileged account and group management events to be centrally logged |
| ISM-1405 | Depends on | E8-RA-ML2.7 requires privileged account and group management events to be centrally logged |
| ISM-1650 | Related | E8-RA-ML2.7 requires privileged account and group management events to be centrally logged |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.