Log Access Documentation with Service Providers
Ensure contracts specify how organisations can access logs about their data from service providers.
Plain language
This control requires that when you sign contracts with service providers, you make sure there is a clear agreement on how you can access the logs related to your data. If you don't have access to these logs, you might not be able to detect or trace security incidents, which could lead to data breaches or loss without you even knowing it.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Access to all logs relating to an organisation's data and services is documented in contractual arrangements with service providers.
Why it matters
If log access rights aren’t documented in service provider contracts, you may be unable to obtain audit logs, delaying breach detection, investigation and compliance reporting.
Operational notes
Document in contracts who can access which service/provider logs, how access is provided, retention periods, and timeframes for log delivery to support audits and investigations.
Implementation tips
- Business Manager should ensure: When negotiating contracts with service providers, include a clause that details your right to access data logs. Work with your legal adviser to make sure these requirements are clearly stated in all agreements.
- Procurement team should ensure: Before finalising any service provider contracts, review the draft to check if it includes clear provisions for log access. Collaborate with the IT team to understand what specific log access is required for your systems.
- IT Manager should ensure: Provide a list of required log types to the procurement or legal team to help them negotiate contracts. This list should include logs for access events, changes, and data transfers related to your systems.
- Legal Adviser should ensure: Review and update standard contract templates to include specific language about log access rights. This includes specifying how often logs should be available, the format, and any costs associated with accessing them.
- System Owner should ensure: Once contracts are in place, regularly verify with service providers that log access is functioning as expected. Schedule periodic checks to ensure that you can access the logs as per the agreed terms.
Audit / evidence tips
-
Aska copy of the contract with the service provider: Request to see the section detailing log access provisions
GoodContracts explicitly mention log access details, frequency, and cost
-
Askmeeting notes with legal or procurement teams: These should cover discussions about contract negotiations for log access
GoodDocumented evidence of addressing and resolving log access requirements
-
Askaccess request logs: Request records showing how often logs were accessed and by whom
GoodRegularly accessed logs with proper documentation and approval
-
Aska log access policy or procedure document: Verify that there is a written process for accessing logs from service providers
GoodA comprehensive document that guides log access requests and procedures
-
Askto speak with the IT team about log access verification: Inquire about their process for checking log access compliance
GoodRegular checks are performed and documented to confirm log access aligns with the contract
Cross-framework mappings
How ISM-1573 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 5.19 | ISM-1573 requires contracts with service providers to document how the organisation can access all logs relating to its data and services | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.