E8-RA-ML2.8 (ASD Essential Eight)

Event logs are protected from unauthorised changes and losses

Ensure event logs cannot be changed or deleted without authorisation.


Plain language

Protecting event logs from unauthorised changes is crucial because these logs are like a diary of all the important activities and security events happening on your systems. If someone with bad intent changes or deletes these logs without permission, they can cover up evidence of malicious activity, making it harder to spot and fix problems before they become bigger issues.

Framework

ASD Essential Eight

Control effect

Preventative

E8 mitigation strategy

Restrict administrative privileges

Classifications

N/A

Official last update

N/A

Control Stack last updated

18 May 2026

E8 maturity levels

ML2

Official control statement

Event logs are protected from unauthorised modification and deletion.

Why it matters

Unauthorised log changes can conceal cyber intrusions, undermine forensic evidence, and delay threat detection, escalating organisational risk.


Operational notes

Ensure logs have strict access controls and immutable storage; routinely monitor and alert on unauthorised attempts to alter or delete log data.


Implementation tips

  • The IT team should implement a logging solution that enforces permissions, so only authorised personnel can access and modify logs. This can be achieved by setting up specific user roles and permissions that restrict log access.
  • The system administrator should configure log management tools to automatically detect and alert on any attempts to alter or delete logs. Implement logging tools that have built-in integrity checks and alerts.
  • The security officer should establish a routine for backing up event logs regularly. Ensure backups are stored securely and cannot be tampered with.
  • System administrators should regularly audit and review event logs to identify any suspicious activities. Use monitoring tools to flag unusual log-in attempts or activities.
  • The IT team should keep software for logging and monitoring up to date to protect against known vulnerabilities. Schedule regular updates and a patching routine for all logging systems.

Audit / evidence tips

  • Ask: How are event logs protected from unauthorised access and changes?
  • Good: Policies are in place that strictly define permissions for log access, along with automated alerts for unauthorised access attempts
  • Ask: How often are event logs backed up?
  • Good: Event logs are backed up daily and stored securely, with access logs showing consistent scheduling
  • Ask: Are there any controls in place to monitor changes to event logs?
  • Good: The logging system has alert mechanisms for any unauthorised changes and generates regular reports of log integrity checks

Cross-framework mappings

How E8-RA-ML2.8 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (2)
  • Annex A 5.33: E8-RA-ML2.8 requires event logs to be protected from unauthorised modification and deletion
  • Annex A 8.15: E8-RA-ML2.8 requires event logs to be protected from unauthorised modification and deletion to preserve their integrity and availability

Supports (1)
  • Annex A 5.28: E8-RA-ML2.8 requires event logs to be protected from unauthorised modification and deletion to preserve trustworthy evidence of activity

ASD ISM

Partially meets (1)
  • ISM-1624: ISM-1624 requires PowerShell script block logs to be protected using Protected Event Logging functionality

Partially overlaps (1)
  • ISM-1985: E8-RA-ML2.8 requires event logs to be protected from unauthorised modification and deletion

Supports (1)
  • ISM-1910: ISM-1910 requires centrally logging internet-accessible network API calls that modify data or access non-public data

Related (1)
  • ISM-1815: ISM-1815 requires event logs to be protected from unauthorised modification and deletion

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
