ISM-1405 ASD Information Security Manual (ISM)

Implement a Centralised Event Logging Facility

Ensure all event logs are collected and managed in one central location for analysis and security monitoring.


Plain language

Having a central spot where all your system's event logs are gathered is like having a single bulletin board where you can track everything going on in your business. This matters because if you can't see what's happening across all your systems, you might miss warning signs of a security threat or system issue, which could cost you time, money, or damage your reputation.

Framework

ASD Information Security Manual (ISM)

Control effect

Detective

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2024

Control Stack last updated

18 May 2026

E8 maturity levels

N/A

Official control statement

A centralised event logging facility is implemented.
ASD Information Security Manual (ISM) ISM-1405

Why it matters

Without a centralised event logging facility, security events are fragmented across systems, delaying detection and investigation of suspicious activity and increasing incident impact.


Operational notes

Centralise logs from key systems, normalise formats, and enforce time synchronisation (NTP). Monitor and alert regularly, and set retention to support investigations and trend analysis.


Implementation tips

  • The IT team should set up a centralised logging system. Start by choosing a tool that collects logs from all your systems into one place; this could be software that runs on your server or a cloud-based service. Ensure it can handle the volume of logs your organisation generates.
  • System administrators should configure each system to send logs to the central logging facility. Check the system's settings to find how to export logs and use the provided documentation to route these to the central logging system.
  • Managers should inform staff about the importance of logging certain events. Schedule training sessions to teach employees what activities must be logged and the importance of these logs to the organisation's security and operations.
  • The security team should analyse the collected logs regularly. Use the central logging system's analysis features to look for patterns or unusual activities that could indicate a threat or issue.
  • IT support staff should maintain the logging system. Regularly check that logs from all systems are being received correctly and troubleshoot any issues promptly, ensuring the system's centralised nature remains intact.

Audit / evidence tips

  • Ask: A document listing all systems connected to the central logging facility. Good: Is a comprehensive list with all business systems included and an assigned date for each connection.
  • Good: Result shows logs originating from different systems consistently over recent periods.
  • Ask: The log analysis reports. Good: Includes up-to-date reports that have been reviewed regularly by the named security team members.
  • Good: Is a completed training register that links the training to improved logging practices.
  • Ask: The system maintenance records for the logging facility. Ensure these logs show regular checks and prompt addressing of issues. Good: Result shows routine maintenance entries and quick resolution of any problems.

Cross-framework mappings

How ISM-1405 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially overlaps (1)
Annex A 8.15 ISM-1405 requires a centralised event logging facility to collect and manage event logs in one location
Supports (1)
Annex A 8.14 Annex A 8.14 requires systems to use synchronised clocks against an authorised time source to ensure timestamps can be trusted and correl...

E8

Control Notes Details
Partially meets (1)
Supports (1)
Depends on (5)
Related (1)

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
