ISM-1509 ASD Information Security Manual (ISM)

Log Privileged Access Events Centrally for Monitoring

Keep records of high-level system access in one place to monitor and respond to potential issues.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Detective

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Nov 2023

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

ML2, ML3

Official control statement
Privileged access events are centrally logged.

Source: ASD Information Security Manual (ISM)

Plain language

Logging privileged access events means keeping a central record every time someone uses high-level permissions to access important systems. This is crucial because if something goes wrong, like sensitive data being leaked or a system being tampered with, you'll know who had special access and can quickly investigate.

Why it matters

Without centralised logging of privileged access events, misuse may go undetected, delaying response and enabling breaches or system compromise.

Operational notes

Forward privileged access events to a central log platform (e.g., SIEM), validate time sync, and alert on privileged logons and admin actions.

Implementation tips

  • IT team should establish central logging: They should set up a system to automatically record privileged access events. This can be done by configuring programs that track who accessed systems and when, then storing these logs securely.
  • System administrators should define what privileged access means: They should list which roles or actions count as 'privileged' so everyone knows what needs to be logged. This involves writing down specific access levels or accounts that have greater permissions than regular users.
  • Managers should train staff on logging importance: Managers must educate their team about why logging privileged access is essential. This could be achieved through meetings or training sessions that explain the potential risks of not doing it.
  • IT security staff should regularly review access logs: They should look through the logs frequently to spot any unusual or unauthorised access. This involves checking the records against expected access patterns and investigating any discrepancies.
  • Organisation leaders should ensure that logging follows ACSC guidelines: They should verify that the logging setup adheres to the Australian Cyber Security Centre’s standards by consulting the guidelines and possibly engaging an external review.

Audit / evidence tips

  • Ask for the privileged access log policy: Request documentation that outlines the process for logging privileged access and who is responsible for it.

    Good: a comprehensive policy that names responsible roles and specifies logging procedures.

  • Ask for recent access logs: Obtain samples of privileged access logs from the last 30 days.

    Good: detailed logs that are easy to cross-reference with known access activities.

  • Ask for records of log reviews: Request evidence that logs are regularly reviewed by the IT security team.

    Good: documentation showing regular reviews and follow-up on any anomalies.

  • Ask for training records on logging procedures: Request proof that staff have been trained on the importance of logging privileged access.

    Good: dated records of training sessions with evidence of participation.

  • Ask for a compliance check report: Request a report or external review that shows compliance with ACSC guidelines on privileged access logging.

    Good: a report validating that the logging process meets national standards.

Cross-framework mappings

How ISM-1509 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially meets (1)

  • Annex A 8.15: ISM-1509 requires that privileged access events are centrally logged to support monitoring and response

E8

Partially meets (1)

  • E8-RA-ML2.7: E8-RA-ML2.7 requires central logging specifically for privileged account and group management events (e.g

Partially overlaps (1)

  • E8-MF-ML2.6: E8-MF-ML2.6 requires that successful and unsuccessful MFA events are centrally logged

Depends on (1)

  • E8-AH-ML2.13: ISM-1509 requires privileged access events to be centrally logged so they can be monitored and relied upon during investigations

Related (1)

  • E8-RA-ML2.6: E8-RA-ML2.6 requires privileged access events to be centrally logged to enable monitoring for misuse