ISM-0585 ASD Information Security Manual (ISM)

Capture Detailed Information in Event Logs

Record details like time, user, and equipment for each logged event.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Detective

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Nov 2025

✏️ Control Stack last updated

19 Mar 2026

🎯 E8 maturity levels

N/A

Official control statement
For each event logged, the date and time of the event, the relevant user or process, the relevant filename, the event description, and the information technology equipment involved are captured.

Source: ASD Information Security Manual (ISM)

Plain language

This control is about keeping a detailed record every time something significant happens in your computer systems. It includes noting the time, who was involved, and the equipment used. Without these details, it is hard to work out what went wrong after a cyber attack or technical issue, and we might not know how to stop it from happening again.

Why it matters

If event logs lack key fields (time, user/process, filename and device), investigations take longer, root cause may be missed, and incident impact increases.

Operational notes

Audit log configurations to ensure each record includes date/time, user or process, filename, event description and the IT equipment identifier; alert on missing fields.
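
The field check from the operational note, as an added example (not part of the Control Stack page or the ISM): it audits JSON-lines log records for the five ISM-0585 fields and reports each record that should raise an alert. The key names (`timestamp`, `user`, `process`, `filename`, `description`, `host`) and the sample records are assumptions constructed for illustration.

```python
import json
from datetime import datetime

# Key names are assumptions for this example; any one non-empty key per row satisfies it.
REQUIRED = {
    "date/time": ("timestamp",),
    "user or process": ("user", "process"),
    "filename": ("filename",),
    "event description": ("description",),
    "equipment": ("host",),
}

def _present(value):
    """A field counts only if it holds a real value (not null, blank, or '-')."""
    return value is not None and str(value).strip() not in ("", "-")

def missing_fields(record):
    """Return the ISM-0585 requirements that this record does not satisfy."""
    missing = [name for name, keys in REQUIRED.items()
               if not any(_present(record.get(k)) for k in keys)]
    # A timestamp that is present but unparsable cannot anchor a timeline.
    if "date/time" not in missing:
        try:
            datetime.fromisoformat(str(record["timestamp"]).replace("Z", "+00:00"))
        except ValueError:
            missing.append("date/time")
    return missing

def audit(lines):
    """Yield (line_number, problems) for every non-compliant log line."""
    for n, line in enumerate(lines, 1):
        try:
            record = json.loads(line)
            if not isinstance(record, dict):
                raise ValueError("record is not a JSON object")
            problems = missing_fields(record)
        except ValueError:  # json.JSONDecodeError is a ValueError subclass
            problems = ["unparsable record"]
        if problems:
            yield n, problems

# Constructed sample log lines (not real data).
SAMPLE = [
    '{"timestamp":"2025-11-03T02:14:07Z","user":"jsmith","filename":"/etc/passwd","description":"file read","host":"srv-01"}',
    '{"timestamp":"2025-11-03T02:14:09Z","process":"backupd","filename":"/var/backup/data.bak","description":"file written","host":"srv-02"}',
    '{"timestamp":"03/11/2025 2:15","user":"","filename":"report.docx","description":"file deleted"}',
    'kernel: out of memory',
]

for n, problems in audit(SAMPLE):
    print(f"ALERT line {n}: {', '.join(problems)}")
```

Treating a blank value or a non-ISO timestamp as missing matters in practice: a log source that emits the key with nothing usable in it passes a schema check but fails the control.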

Implementation tips

  • The IT team should make sure that all systems are set up to automatically log key events. They can do this by configuring the system settings to capture details like when and what happens, who is involved, and which computer or equipment is used.
  • Managers should work with the IT team to identify key events that need to be logged. To do this, they can sit down and list out typical activities and incidents that must be tracked, and how these logs will help in solving problems later.
  • HR should communicate with staff about the importance of keeping accurate records for logged events. This could involve sending newsletters or holding brief training sessions to explain why this is important and what they need to do to help.
  • System owners should periodically review logs to ensure all necessary information is being recorded correctly. They can set up monthly checks where they randomly select log entries to review and confirm all required details like time, user, and equipment are captured.
  • Procurement teams should ensure that any new software or technology being purchased supports detailed event logging. Before buying, they can ask vendors for assurance that their products include these features and can be configured to meet these needs.

Audit / evidence tips

  • Ask: the event log reports over the past six months

    Good: will show logs with all these details consistently recorded

  • Good: demonstration will show these settings active and properly configured

  • Ask: to see any policy or guideline documents related to event logging

    Good: will include a document outlining the logging process and responsibilities

  • Good: will show regular training sessions attended by relevant staff

  • Ask: evidence of regular log reviews by system owners

    Good: is a record showing regular checks with follow-up actions where necessary

Cross-framework mappings

How ISM-0585 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially meets (1)

  • Annex A 8.15: ISM-0585 requires each logged event to capture specific fields (date/time, user or process, filename, description, and the IT equipment i...

Supports (2)

  • Annex A 5.28: ISM-0585 requires log entries to include attribution and object/asset context (who/what, when, what file, what system, and a description)
  • Annex A 8.16: ISM-0585 requires log entries to include sufficient detail (time, user/process, filename where relevant, event description, and equipment...

Depends on (1)

  • Annex A 8.17: ISM-0585 requires that the date and time of each logged event are captured

E8

Partially overlaps (3)

  • E8-MF-ML2.6: ISM-0585 requires logs to capture date/time and the relevant user or process, plus descriptive and asset context for each event
  • E8-RA-ML2.6: ISM-0585 requires consistent per-event fields such as who/what initiated an action, when it occurred, and which system and object were in...
  • E8-RA-ML2.7: E8-RA-ML2.7 requires central logging of privileged account and group management events

Supports (2)

  • E8-AC-ML2.6: ISM-0585 requires that event logs capture key fields to support attribution and investigation
  • E8-AH-ML2.12: E8-AH-ML2.12 requires central logging of command line process creation events
