Event logs are protected from unauthorised changes and losses
Ensure event logs cannot be changed or deleted without authorization.
Plain language
Ensuring event logs are protected from unauthorised changes is crucial because these logs are like a diary of all the important activities and security events happening on your systems. If someone with bad intent changes or deletes these logs without permission, it covers up evidence of malicious activities, making it harder to spot and fix problems before they become bigger issues.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
Restrict administrative privileges
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2
Official control statement
Event logs are protected from unauthorised modification and deletion.
Why it matters
Unauthorised log changes can conceal cyber intrusions, undermine forensic evidence, and delay threat detection, escalating organisational risk.
Operational notes
Ensure logs have strict access controls and immutable storage; routinely monitor and alert on unauthorised attempts to alter or delete log data.
Implementation tips
- The IT team should implement a logging solution that enforces permissions, so only authorised personnel can access and modify logs. This can be achieved by setting up specific user roles and permissions that restrict log access.
- The system administrator should configure log management tools to automatically detect and alert on any attempt to alter or delete logs. Prefer logging tools that have built-in integrity checks and alerting.
- The security officer should establish a routine for backing up event logs regularly. Ensure backups are stored securely and cannot be tampered with.
- System administrators should regularly audit and review event logs to identify any suspicious activities. Use monitoring tools to flag unusual log-in attempts or activities.
- The IT team should keep logging and monitoring software up to date to protect against known vulnerabilities. Schedule a regular update and patching routine for all logging systems.
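As an added example (not part of this control page or of any ASD material), the following Python shows one way to implement the integrity checks the tips above call for: each log record carries a keyed hash that chains it to its predecessor, and a small anchor (record count plus final hash) is kept off the logging host, for instance on the central log collector. Verification then detects a modified record, a record removed from the middle of the log, and truncation of the tail, the last of which a plain hash chain cannot see on its own. The collector key, the sample events and their field names are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import json

# Assumed shared secret held by the log collector, not by the host that
# writes the log; in practice this would live in a KMS/HSM or on the
# central log server so that a compromised host cannot re-chain its own log.
COLLECTOR_KEY = b"example-collector-key-do-not-use-in-production"

# Constructed sample events, shaped like a host's authentication/privilege log.
SAMPLE_EVENTS = [
    {"ts": "2026-03-19T08:00:01Z", "host": "web01", "event": "logon", "user": "alice", "result": "success"},
    {"ts": "2026-03-19T08:02:14Z", "host": "web01", "event": "sudo", "user": "alice", "cmd": "systemctl restart rsyslog"},
    {"ts": "2026-03-19T08:05:30Z", "host": "web01", "event": "logon", "user": "bob", "result": "failure"},
    {"ts": "2026-03-19T08:05:41Z", "host": "web01", "event": "logon", "user": "bob", "result": "success"},
]

GENESIS = "0" * 64  # chain value used before the first record


def _canonical(event):
    # Stable serialisation so the same event always hashes the same way.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def _link(prev_mac, event, key):
    # HMAC over (previous record's MAC || this event) binds the record to its predecessor.
    return hmac.new(key, prev_mac.encode() + b"|" + _canonical(event), hashlib.sha256).hexdigest()


def append_record(records, event, key):
    """Append one event to the chain and return the stored record."""
    prev = records[-1]["mac"] if records else GENESIS
    rec = {"seq": len(records), "event": event, "mac": _link(prev, event, key)}
    records.append(rec)
    return rec


def build_chain(events, key):
    records = []
    for event in events:
        append_record(records, event, key)
    return records


def make_anchor(records):
    """The small value to keep off-host: how many records exist and the final MAC."""
    return {"count": len(records), "last_mac": records[-1]["mac"] if records else GENESIS}


def verify_chain(records, key, trusted_anchor=None):
    """Return (ok, problems). Each problem names the record or condition that failed."""
    problems = []
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec.get("seq") != i:
            problems.append(f"sequence gap at position {i}: record carries seq={rec.get('seq')}")
        expected = _link(prev, rec["event"], key)
        if not hmac.compare_digest(expected, rec["mac"]):
            problems.append(f"record {i} fails MAC check (modified, reordered, or its predecessor was removed)")
        # Continue from the stored MAC so a single bad record does not cascade into later ones.
        prev = rec["mac"]
    if trusted_anchor is not None:
        if len(records) != trusted_anchor["count"]:
            problems.append(
                f"record count {len(records)} differs from anchored count {trusted_anchor['count']} "
                "(tail truncated or records appended outside the collector)"
            )
        elif not hmac.compare_digest(prev, trusted_anchor["last_mac"]):
            problems.append("final MAC differs from the anchored value")
    return (not problems, problems)


if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS, COLLECTOR_KEY)
    anchor = make_anchor(chain)
    print("intact:", verify_chain(chain, COLLECTOR_KEY, anchor))
    # Tail truncation: every remaining link verifies, only the anchor reveals it.
    print("truncated, no anchor:", verify_chain(chain[:3], COLLECTOR_KEY))
    print("truncated, with anchor:", verify_chain(chain[:3], COLLECTOR_KEY, anchor))
```

The anchor is the part that matters operationally: whoever can rewrite the log file on the host can also recompute every link if they hold the key, so the key and the anchor must be held by the collector, and the collector should raise an alert on any non-empty problem list rather than only on a failed final comparison.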
Audit / evidence tips
- Ask: How are event logs protected from unauthorised access and changes?
- Good: Policies are in place that strictly define permissions for log access, along with automated alerts for unauthorised access attempts.
- Ask: How often are event logs backed up?
- Good: Event logs are backed up daily and stored securely, with access logs showing consistent scheduling.
- Ask: Are there any controls in place to monitor changes to event logs?
- Good: The logging system has alert mechanisms for any unauthorised changes and generates regular reports of log integrity checks.
Cross-framework mappings
How E8-RA-ML2.8 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 5.33 | E8-RA-ML2.8 requires event logs to be protected from unauthorised modification and deletion |
| Partially meets | Annex A 8.15 | E8-RA-ML2.8 requires event logs to be protected from unauthorised modification and deletion to preserve their integrity and availability |
| Supports | Annex A 5.28 | E8-RA-ML2.8 requires event logs to be protected from unauthorised modification and deletion to preserve trustworthy evidence of activity |
ASD ISM
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | ISM-1624 | ISM-1624 requires PowerShell script block logs to be protected using Protected Event Logging functionality |
| Partially overlaps | ISM-1985 | E8-RA-ML2.8 requires event logs to be protected from unauthorised modification and deletion |
| Supports | ISM-1910 | ISM-1910 requires centrally logging internet-accessible network API calls that modify data or access non-public data |
| Related | ISM-1815 | ISM-1815 requires event logs to be protected from unauthorised modification and deletion |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.