ISM-0580 policy ASD Information Security Manual (ISM)

Develop and Maintain Event Logging Policies

Ensure a policy is in place to record and monitor events.

Plain language

Having a policy to log and monitor events means you keep a record of important actions that happen on your computer systems. This is crucial because without such records, if something goes wrong, such as data being stolen, you won't know how it happened or how to fix it.

Framework

ASD Information Security Manual (ISM)

Control effect

Proactive

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2022

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

An event logging policy is developed, implemented and maintained.

Why it matters

Without an event logging policy, key events may not be captured or retained, reducing detection capability and hindering timely investigation and incident response.

Operational notes

Maintain an event logging policy defining what to log, roles, review cadence, alerting and retention; periodically validate coverage and update for system changes.

Implementation tips

  • The business owner should work with an IT consultant to develop a clear policy on what events need logging. This means deciding which actions or system changes should be recorded, like logins or data changes.
  • The IT team should implement the logging policy using available tools. They can start by configuring software to automatically record the specified actions and ensure logs are stored securely.
  • Managers should oversee that staff are trained to follow the logging policy. This includes briefing employees on what actions are being logged and why it's essential for the business.
  • The IT team should regularly review and update the logging tools and policies as the business changes. They can do this by scheduling bi-annual checks and updating logs as new threats and systems are identified.
  • Managers should ensure there is a process for regular reviews of these logs to look for unusual activity. Appoint a trusted staff member to check logs weekly and report any anomalies promptly.

Audit / evidence tips

  • Ask: the most recent version of the event logging policy document

    Good: a dated document with a list of events, update history, and responsible persons for each section

  • Ask: the staff training records related to event logging policies

    Good: will be recent training completion records for all relevant staff

  • Ask: a demonstration of the logging tool in use

  • Ask: maintenance records of the logging system

  • Ask: a report of the last log review meeting

Cross-framework mappings

How ISM-0580 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially overlaps (2)
Annex A 5.28 ISM-0580 requires an organisation to develop, implement and maintain an event logging policy to ensure events are recorded and monitored
Annex A 8.15 ISM-0580 requires an organisation to develop, implement and maintain an event logging policy to ensure events are recorded and monitored

E8

Control Notes Details
Supports (10)
Depends on (4)

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
