Central Logging for Gateway Security Events
Log gateway events and alerts to monitor data flows and detect intrusion attempts.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Detective
🔐 Classifications
NC, OS, P, S, TS
🗓️ ISM last updated
Aug 2024
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
N/A
Security-relevant events for gateways are centrally logged, including:
- data packets and data flows permitted through gateways
- data packets and data flows attempting to leave gateways
- real-time alerts for attempted intrusions.
Source: ASD Information Security Manual (ISM)
Plain language
This control is about making sure all the important activities happening at your internet gateways are logged and tracked in one place. By doing this, you can catch suspicious attempts to access your network or send data out of it. If you skip this, you might miss the warning signs of an intrusion or a data breach, which could lead to loss of sensitive information and a damaged reputation.
Why it matters
Failure to centrally log gateway packet/flow events and intrusion alerts can hide data exfiltration paths and successful intrusion attempts, increasing breach impact.
Operational notes
Centrally collect gateway permit/deny flow logs and intrusion alerts; regularly validate log delivery, retention, and alert tuning to detect exfiltration attempts.
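As an added illustration of the two checks this note calls for (validating that every gateway is still delivering logs, and turning permit/deny flow records into alerts), the script below is example code written for this page; it is not part of the Control Stack page or the ISM. The key=value log format, the gateway names, the IP addresses and the thresholds are all constructed assumptions, not any vendor's real format or a recommended tuning.

```python
"""Triage of centrally collected gateway flow logs (added example).

Two checks: (1) log-delivery validation: which expected gateways are silent
or stale; (2) egress alerting: repeated denied egress from one source inside
a short window, and unusually large permitted egress flows.
Log format, hosts and thresholds are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records, as a central collector might receive them.
# gw-bne-1 last logged ~50 minutes before "now"; gw-per-1 never logs at all.
SAMPLE_LOGS = """\
ts=2026-02-22T09:00:01Z gw=gw-syd-1 action=permit dir=egress src=10.1.4.20 dst=203.0.113.10 dport=443 bytes=18240
ts=2026-02-22T09:00:03Z gw=gw-syd-1 action=deny dir=egress src=10.1.4.31 dst=198.51.100.7 dport=22 bytes=0
ts=2026-02-22T09:00:04Z gw=gw-syd-1 action=deny dir=egress src=10.1.4.31 dst=198.51.100.7 dport=2222 bytes=0
ts=2026-02-22T09:00:05Z gw=gw-syd-1 action=deny dir=egress src=10.1.4.31 dst=198.51.100.7 dport=8080 bytes=0
ts=2026-02-22T09:00:09Z gw=gw-syd-1 action=permit dir=egress src=10.1.4.31 dst=198.51.100.7 dport=443 bytes=734003200
ts=2026-02-22T09:00:10Z gw=gw-mel-1 action=permit dir=ingress src=203.0.113.55 dst=10.2.0.8 dport=443 bytes=5120
ts=2026-02-22T08:10:00Z gw=gw-bne-1 action=permit dir=egress src=10.3.0.9 dst=203.0.113.10 dport=443 bytes=2048
"""

# Inventory of gateways that are expected to log (assumed names).
EXPECTED_GATEWAYS = {"gw-syd-1", "gw-mel-1", "gw-bne-1", "gw-per-1"}


def parse_ts(value):
    """Parse the constructed ISO-8601 UTC timestamp into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line):
    """Parse one key=value record into a dict with typed ts/bytes/dport."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["ts"] = parse_ts(rec["ts"])
    rec["bytes"] = int(rec["bytes"])
    rec["dport"] = int(rec["dport"])
    return rec


def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def check_delivery(records, expected, now_iso, max_gap=timedelta(minutes=15)):
    """Return {gateway: None} for gateways with no records at all and
    {gateway: last_seen_iso} for gateways whose newest record is older
    than max_gap. An empty dict means every expected gateway is current."""
    now = parse_ts(now_iso)
    last_seen = {}
    for r in records:
        last_seen[r["gw"]] = max(last_seen.get(r["gw"], r["ts"]), r["ts"])
    problems = {}
    for gw in sorted(expected):
        if gw not in last_seen:
            problems[gw] = None
        elif now - last_seen[gw] > max_gap:
            problems[gw] = last_seen[gw].strftime("%Y-%m-%dT%H:%M:%SZ")
    return problems


def flag_egress(records, deny_threshold=3, byte_threshold=100 * 2**20,
                window=timedelta(minutes=5)):
    """Return findings over egress records only:
    ("large_egress", src, dst, bytes) for permitted flows >= byte_threshold;
    ("repeated_deny", src, count) when one source is denied egress at least
    deny_threshold times inside any sliding window of length `window`."""
    findings = []
    denies = defaultdict(list)
    for r in records:
        if r["dir"] != "egress":
            continue
        if r["action"] == "deny":
            denies[r["src"]].append(r["ts"])
        elif r["bytes"] >= byte_threshold:
            findings.append(("large_egress", r["src"], r["dst"], r["bytes"]))
    for src, times in denies.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= deny_threshold:
                findings.append(("repeated_deny", src, j - i))
                break  # one finding per source is enough for an alert
    return findings


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    print("delivery problems:", check_delivery(recs, EXPECTED_GATEWAYS, "2026-02-22T09:01:00Z"))
    for f in flag_egress(recs):
        print("finding:", f)
```

The delivery check is the part most often skipped in practice: an alert pipeline that is tuned well but fed by a gateway that silently stopped forwarding gives no coverage at all, so the "silent gateway" condition should itself page someone. The byte and deny thresholds are placeholders; real values come from the organisation's own baseline and are what "alert tuning" in the note refers to.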
Implementation tips
- The IT team should set up centralised logging for all gateway activities. They can do this by using a software system that collects and stores logs from all network gateways in one place, making it easier to monitor unusual activity.
- The system administration team should configure alerts for any suspicious attempts to bypass the gateway. They can set these alerts to notify them by email or SMS whenever unusual behaviour is detected, so they can act quickly.
- Managers should schedule regular reviews of the gateway logs. They should work with IT to look at these logs to spot any trends or patterns that might suggest security issues, doing this at least once a month.
- The IT team should ensure that logs are kept safely and cannot be tampered with. This means setting permissions so that only authorised personnel can access and modify logs.
- Business owners or managers should invest in training for their staff on how to recognise and report suspicious activity in the logs. This training can be done through workshops or online modules, enhancing the organisation's overall security posture.
Audit / evidence tips
- Ask: the central log server's configuration report
  Good: a documented setup that lists each gateway logging to the central system
- Good: logs showing a consistent format with detailed timestamped entries
- Ask: the alert configuration documentation. Examine how alerts are set up and whom they notify
  Good: an alert system configured to notify IT personnel in real-time with details of potential security incidents
- Good: a log review schedule with meeting minutes or findings reports
- Ask: staff training records relevant to log analysis and incident handling
  Good: a record showing recent training sessions attended by key staff with their names and training dates
Cross-framework mappings
How ISM-0634 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.15 | ISM-0634 requires security-relevant events for gateways to be centrally logged, specifically covering permitted flows, attempted egress, ... |
| Supports | Annex A 8.16 | ISM-0634 requires central logging of gateway traffic and intrusion-related alerts to provide visibility of network flows through gateways |