ISM-1566: ASD Information Security Manual (ISM)

Central Logging of Unprivileged System Access

System logs keep track of unprivileged user actions to monitor access and security.


Plain language

This control is about recording the actions of users who do not have special privileges on your systems. It helps keep track of who accessed what and when, which is crucial for detecting and responding to any unauthorised actions. Without this, you might miss signs of improper access, potentially leading to data breaches or system abuse.

Framework

ASD Information Security Manual (ISM)

Control effect

Detective

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2023

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Use of unprivileged access is centrally logged.

Why it matters

Without central logging of unprivileged access, unauthorised actions may go undetected, risking data breaches and compromising system integrity.


Operational notes

Ensure logs for unprivileged access are reviewed weekly, as patterns may reveal misuse or anomalies that require timely investigation.


Implementation tips

  • IT team should set up central logging: Gather system logs from all devices and software that are accessed by unprivileged users. This can be done using centralised logging software that compiles all these logs in one place.
  • System administrator needs to define what actions are logged: Work out what specific user activities should trigger a log entry. Focus on actions like logins, file access, and system changes, ensuring these are captured accurately.
  • IT team should regularly review logs: Appoint someone to routinely check these logs for any unusual or suspicious activity. Set up automated alerts for certain patterns that indicate potential issues.
  • Management should ensure all staff are aware: Conduct training sessions to explain that logging is active and why it's important. Make sure everyone knows their actions can be viewed if needed for security reasons.
  • IT support should maintain the logging system: Schedule maintenance checks to ensure the logging system is functioning correctly and logs are being saved over time. Address any technical issues that could prevent proper recording.

Audit / evidence tips

  • Ask: The log retention policy. Request documentation that details how long logs are kept and how they are stored. Good: Shows defined periods and secure storage methods.
  • Ask: To see recent logs. Request access to the system's centralised log repository. Good: Shows logs with clear entries for user activities and any anomalies flagged.
  • Ask: Evidence of log review. Request a record of log reviews, like meeting notes or a log review schedule. Good: Includes multiple past reviews with follow-up actions taken.
  • Ask: Training materials. Request any resources or documentation on user training regarding logging practices. Good: Includes slides or handouts used during training sessions.
  • Ask: System maintenance records. Request logs of maintenance checks on the logging system. Good: Would show regular maintenance with resolved issues documented.

Cross-framework mappings

How ISM-1566 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

  • Annex A 8.15: ISM-1566 requires that use of unprivileged access is centrally logged to provide visibility of non-admin user activity

Supports (2)

  • Annex A 5.28: ISM-1566 requires central logging of unprivileged access to create an auditable record of user actions
  • Annex A 8.16: ISM-1566 requires that use of unprivileged access is centrally logged so user activity can be monitored and investigated

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
