Capture Detailed Information in Event Logs
Record details like time, user, and equipment for each logged event.
Plain language
This control is about keeping a detailed record every time something significant happens in your computer systems. It includes noting the time, who was involved, and the equipment used. Without these records, it would be really hard to figure out what went wrong after a cyber attack or technical issue, and we might not know how to stop it from happening again.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system monitoring
Section
Event logging and monitoring
Topic
Event Log Details
Official control statement
For each event logged, the date and time of the event, the relevant user or process, the relevant filename, the event description, and the information technology equipment involved are captured.
Why it matters
If event logs lack key fields (time, user/process, filename and device), investigations take longer, root cause may be missed, and incident impact increases.
Operational notes
Audit log configurations to ensure each record includes date/time, user or process, filename, event description and the IT equipment identifier; alert on missing fields.
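One way to run the check described above over JSON-lines logs, as an added example that is not part of the original control text. The field names (`timestamp`, `user`, `process`, `filename`, `description`, `host`), the ISO 8601 timestamp format and the sample records are assumptions made for illustration, and all five details are treated as mandatory for every record.

```python
import json
from datetime import datetime

# Assumed JSON field names for this example; map them to your own log schema.
REQUIRED = {
    "date/time": ("timestamp",),
    "user or process": ("user", "process"),  # either one is enough
    "filename": ("filename",),
    "event description": ("description",),
    "IT equipment": ("host",),
}

def missing_fields(record):
    """Return the required details that are absent, empty or unusable in one record."""
    missing = [label for label, keys in REQUIRED.items()
               if not any(str(record.get(k) or "").strip() for k in keys)]
    ts = str(record.get("timestamp") or "").strip()
    if ts:
        try:  # assumption: timestamps are ISO 8601
            datetime.fromisoformat(ts.replace("Z", "+00:00"))
        except ValueError:
            missing.append("date/time (unparseable)")
    return missing

def audit(lines):
    """Yield (line_number, problems) for every record that should raise an alert."""
    for n, line in enumerate(lines, 1):
        try:
            record = json.loads(line)
            problems = (missing_fields(record) if isinstance(record, dict)
                        else ["record is not a JSON object"])
        except json.JSONDecodeError:
            problems = ["record is not valid JSON"]
        if problems:
            yield n, problems

# Constructed sample log lines (not real data).
SAMPLE = [
    '{"timestamp": "2026-03-19T02:14:07+00:00", "user": "jsmith", "filename": "/srv/share/payroll.xlsx", "description": "file read", "host": "FS01"}',
    '{"timestamp": "2026-03-19T02:14:09Z", "process": "backup.exe", "filename": "/backup/db.bak", "description": "file created", "host": "DB02"}',
    '{"timestamp": "19/03/2026 02:15", "user": "", "filename": "/etc/passwd", "description": "file modified"}',
    'Mar 19 02:16:00 WEB01 sshd: session opened',
]

if __name__ == "__main__":
    for n, problems in audit(SAMPLE):
        print(f"ALERT line {n}: {', '.join(problems)}")
```

An empty string counts as missing, so a record that carries the key but no value still raises an alert.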
Implementation tips
- The IT team should make sure that all systems are set up to automatically log key events. They can do this by configuring the system settings to capture details such as what happened and when, who was involved, and which computer or equipment was used.
- Managers should work with the IT team to identify key events that need to be logged. To do this, they can sit down and list out typical activities and incidents that must be tracked, and how these logs will help in solving problems later.
- HR should communicate with staff about the importance of keeping accurate records for logged events. This could involve sending newsletters or holding brief training sessions to explain why this is important and what they need to do to help.
- System owners should periodically review logs to ensure all necessary information is being recorded correctly. They can set up monthly checks where they randomly select log entries to review and confirm all required details like time, user, and equipment are captured.
- Procurement teams should ensure that any new software or technology being purchased supports detailed event logging. Before buying, they can ask vendors for assurance that their products include these features and can be configured to meet these needs.
Audit / evidence tips
- Ask: the event log reports over the past six months
  Good: will show logs with all these details consistently recorded
- Good: demonstration will show these settings active and properly configured
- Ask: to see any policy or guideline documents related to event logging
  Good: will include a document outlining the logging process and responsibilities
- Good: will show regular training sessions attended by relevant staff
- Ask: evidence of regular log reviews by system owners
  Good: is a record showing regular checks with follow-up actions where necessary
Cross-framework mappings
How ISM-0585 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.15 | ISM-0585 requires each logged event to capture specific fields (date/time, user or process, filename, description, and the IT equipment i... |
| Supports | Annex A 5.28 | ISM-0585 requires log entries to include attribution and object/asset context (who/what, when, what file, what system, and a description) |
| Supports | Annex A 8.16 | ISM-0585 requires log entries to include sufficient detail (time, user/process, filename where relevant, event description, and equipment... |
| Depends on | Annex A 8.17 | ISM-0585 requires that the date and time of each logged event are captured |
E8
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | E8-MF-ML2.6 | ISM-0585 requires logs to capture date/time and the relevant user or process, plus descriptive and asset context for each event |
| Partially overlaps | E8-RA-ML2.6 | ISM-0585 requires consistent per-event fields such as who/what initiated an action, when it occurred, and which system and object were in... |
| Partially overlaps | E8-RA-ML2.7 | E8-RA-ML2.7 requires central logging of privileged account and group management events |
| Supports | E8-AC-ML2.6 | ISM-0585 requires that event logs capture key fields to support attribution and investigation |
| Supports | E8-AH-ML2.12 | E8-AH-ML2.12 requires central logging of command line process creation events |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.