Centrally log privileged account and group management events
Ensure logs of admin account and group changes are stored in one place.
🏛️ Framework
ASD Essential Eight
🧭 Control effect
Detective
🛠️ E8 mitigation strategy
Restrict administrative privileges
🔐 Classifications
N/A
🗓️ Official last update
N/A
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
ML2
Privileged account and group management events are centrally logged.
Source: ASD Essential Eight
Plain language
Imagine all the important door keys in your business on one keychain. If you lose that keychain, someone could access everything. Similarly, if changes to your admin accounts aren't logged in one central place and someone gets into those accounts, it could mean trouble. Logging these changes helps you track and respond quickly to anything suspicious.
Why it matters
Without central logging, unauthorised privileged account or group changes can go undetected, enabling persistence, fraud or sabotage.
Operational notes
Centrally collect admin account/group change events and alert on unexpected adds/removes to privileged groups and sudden privilege grants.
Implementation tips
- The IT team should set up a central logging system. Do this by configuring all servers and devices to send their logs of admin account and group changes to one secure location.
- System administrators need to ensure logging is enabled on all systems. Check that every system is configured to record changes to who has admin access.
- Security officers should review the central logs regularly. Schedule weekly checks to look for unusual changes or patterns in admin account activities.
- The IT manager should implement access controls on the logging system. Only authorised personnel should have access, ensuring the logs themselves are protected against tampering.
- IT staff should back up logs regularly. Create an automated system that backs up logs daily to prevent loss of data due to system failures.
Audit / evidence tips
-
Ask: How do you ensure that all admin account changes are logged centrally?
-
Good: All systems are set up to automatically send logs of admin changes to a secure, central logging solution
-
Ask: Who reviews the central logs and how often?
-
Good: The security officer reviews logs weekly, with documented notes on any anomalies and actions taken
Cross-framework mappings
How E8-RA-ML2.7 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | ||
| Annex A 8.15 | E8-RA-ML2.7 requires central logging of privileged account and group management events | |
| Supports (1) | ||
| Annex A 5.28 | E8-RA-ML2.7 requires privileged account and group management events to be centrally logged | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | ||
| ISM-1509 | E8-RA-ML2.7 requires central logging specifically for privileged account and group management events (e.g | |
| Partially overlaps (7) | ||
| ISM-0585 | E8-RA-ML2.7 requires central logging of privileged account and group management events | |
| ISM-1537 | E8-RA-ML2.7 requires central logging of privileged account and group management events | |
| ISM-1613 | ISM-1613 requires that use of break glass accounts is centrally logged | |
| ISM-1620 | ISM-1620 requires privileged user accounts to be members of the AD Protected Users group to strengthen protection of privileged identities | |
| ISM-1623 | E8-RA-ML2.7 requires privileged account and group management events to be centrally logged for visibility of administrative changes | |
| ISM-1976 | ISM-1976 requires central logging of security-relevant events on macOS systems | |
| ISM-1977 | ISM-1977 requires security-relevant events for Linux operating systems to be centrally logged | |
| Supports (5) | ||
| ISM-0580 | ISM-0580 requires an organisation to develop, implement and maintain an event logging policy to ensure events are recorded and monitored | |
| ISM-1614 | ISM-1614 requires break glass account credentials to be changed after they are accessed by another party | |
| ISM-1939 | ISM-1939 requires minimising membership of highly privileged security groups such as Domain Admins and Enterprise Admins | |
| ISM-1941 | ISM-1941 requires that computer accounts are not placed into highly privileged AD security groups (e.g | |
| ISM-1953 | ISM-1953 focuses on ensuring the built-in domain Administrator credentials are strong (long, unique, unpredictable) and properly managed | |
| Depends on (1) | ||
| ISM-1405 | E8-RA-ML2.7 requires organisations to centrally log privileged account and group management events | |
| Related (1) | ||
| ISM-1650 | ISM-1650 requires privileged user account and security group management events to be centrally logged | |