Central Logging of CDS Security Events
Ensure all key security events of Cross Domain Solutions are logged centrally for monitoring.
Plain language
This control is about making sure all important security events happening in systems that allow data exchange across different security domains are recorded centrally. It's important because if these events aren't monitored, suspicious or harmful activities might go unnoticed, risking data theft or breaches.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
S, TS
ISM last updated
Aug 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for gateways
Section
Cross Domain Solutions
Official control statement
Security-relevant events for CDSs are centrally logged.
Why it matters
If CDS security events are not centrally logged, incidents can be missed, delaying response and enabling cross-domain unauthorised access or data compromise.
Operational notes
Configure CDSs to forward security event logs to a central SIEM/syslog service and enable alerting; review and investigate CDS log events at least weekly.
Implementation tips
- IT team should set up centralised logging: Make sure that all security events from cross domain solutions (CDS) are sent to a single, central system for easy monitoring. Use logging software that can collect and store these events securely.
- System owners should review logs regularly: Schedule time to look at the logs at least once a week to spot anything unusual. Focus on patterns that might indicate security issues, such as repeated failed login attempts or transfers of large volumes of data.
- Managers should coordinate with IT: Ensure that the IT team knows exactly which events must be logged and understands the importance of these logs. Clearly communicate the types of security events relevant to your organisation's operations.
- HR should assist with training: Provide training sessions for employees to help them recognise and report security events promptly. This helps in gathering comprehensive logs that include both automated and human-detected incidents.
- Procurement should acquire the right tools: Work with the IT team to choose and purchase reliable logging tools that integrate well with current systems. Consider solutions that meet Australian Cyber Security Centre (ACSC) and Australian Signals Directorate (ASD) guidelines.
Audit / evidence tips
- Ask for the logging policy document: Request the organisation's policy outlining which events must be logged and how they are stored.
  Good: will detail specific logging requirements and a review schedule.
- Ask for recent log files: Request a recent example of logged events from the central system.
  Good: will show a diverse range of events including both successful and failed actions.
- Ask who reviews the logs: Find out which person or team is responsible for checking the logs regularly.
  Good: will confirm that the logs are reviewed regularly by appointed personnel.
- Ask for training records: Request evidence of employee training sessions on recognising and reporting security events.
  Good: shows consistent and comprehensive training with good engagement.
- Ask for IT procurement records: Request documents showing the purchase of logging tools.
  Good: will have details on the selection process and tool capabilities.
Cross-framework mappings
How ISM-0670 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.15 | ISM-0670 requires security-relevant events for CDSs to be centrally logged | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially meets (3) | | |
| E8-AC-ML2.5 | ISM-0670 requires security-relevant events for Cross Domain Solutions (CDSs) to be centrally logged for monitoring | |
| E8-RA-ML2.6 | ISM-0670 requires security-relevant events for CDSs to be centrally logged | |
| E8-AH-ML2.12 | ISM-0670 requires central logging of security-relevant events for CDSs | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.