Log Security-Relevant Database Events Centrally
Keep track of important activities in databases, like access, changes, and issues, to ensure security.
Plain language
This control means you need to keep a central log of important activities happening in your databases, like whenever someone accesses, changes, or tries to break into them. If you don't do this, you might miss signs of a security breach, like someone stealing sensitive information or causing damage, which could lead to financial loss or damage to your reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Security-relevant events for databases are centrally logged, including:
- access or modification of particularly important content
- addition of new users, especially privileged users
- changes to user roles or privileges
- attempts to elevate user privileges
- queries containing comments
- queries containing multiple embedded queries
- database and query alerts or failures
- database structure changes
- database administrator actions
- use of executable commands
- database logons and logoffs.
Why it matters
Without central logging of security-relevant database events, unauthorised access, privilege escalation, schema changes or admin actions may go undetected, enabling data breaches.
Operational notes
Centrally collect DB audit logs for logons/logoffs, role/privilege changes, admin actions, schema changes and failed alerts; validate ingestion and retention for investigations.
Implementation tips
- The IT team should set up a central logging system to capture database events. They can use existing software that records and centralises logs from various databases so that all important actions are in one place.
- Database administrators should ensure that logs include specific events like adding new users or changes in user privileges. They can configure the logging settings of their database software to capture these crucial actions.
- Managers should regularly review logs or reports generated from the central logging system. They can set a schedule for routine checks, focusing on unusual access patterns or attempts to change security settings.
- System owners should collaborate with the IT team to ensure that any updates in database software still comply with logging requirements. This can involve testing to confirm that logging of critical events continues uninterrupted after updates.
- Human Resources and IT should work together to ensure anyone accessing databases understands their actions will be logged. This can be done through training sessions and updating employment contracts to include security compliance clauses.
Audit / evidence tips
- Ask: the central log configuration documentation. Request the technical manual or system setup guide that explains how database events are logged.
- Ask: recent log review meeting minutes. Request the notes or minutes from meetings where logs were reviewed.
  Good: document reflects regular reviews and actionable decisions made from log insights.
- Ask: a sample of recent logs. Request a report or printout capturing a week's worth of logged database events.
  Good: sample will show detailed and varied activity logging, matching security requirements.
- Ask: a list of database administrators and their training records.
- Ask: an incident response plan that involves log analysis. Request the document detailing what happens when a security incident is suspected.
  Good: plan will be clear on using logs to detect and understand incidents.
Cross-framework mappings
How ISM-1537 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.15 | ISM-1537 requires organisations to centrally log a defined set of security-relevant database events (e.g | |
| Supports (2) | | |
| Annex A 5.28 | ISM-1537 requires organisations to centrally log security-relevant database events so that database activity can be reconstructed and rev... | |
| Annex A 8.16 | ISM-1537 requires organisations to centrally log a rich set of database security events so suspicious activity and misuse can be detected... | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (3) | | |
| E8-RA-ML2.6 | ISM-1537 requires organisations to centrally log security-relevant database events, including privileged user activity such as DBA action... | |
| E8-RA-ML2.7 | E8-RA-ML2.7 requires central logging of privileged account and group management events | |
| E8-RA-ML3.9 | E8-RA-ML3.9 requires organisations to analyse workstation event logs in a timely manner to detect cyber security events | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.