Integrity Monitoring for Shared Servers
Monitor and log system interactions when sharing a server's hardware using software isolation.
Plain language
This control is about keeping a close watch on what's happening on a shared physical server when it's being divided up and shared using software. It's crucial because if you don't actively monitor and log the activity, you might miss suspicious actions that could compromise sensitive data or the whole system, resulting in data breaches or operational disruptions.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Virtualisation hardening
Official control statement
When using a software-based isolation mechanism to share a physical server's hardware, integrity monitoring and centralised event logging is performed for the isolation mechanism and underlying operating system.
Why it matters
Without integrity monitoring and centralised logging on the hypervisor/isolation layer and host OS, tampering or compromise may go undetected, enabling cross-tenant access and outages.
Operational notes
Baseline and monitor hypervisor/isolation and host OS files/configs; alert on unauthorised changes. Forward hypervisor and OS logs to a central SIEM for correlation and retention.
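One way to implement the baseline-and-compare step from the operational notes, shown as an added example that is not part of the ISM or of this page's source. It tags each change with the layer it belongs to (isolation mechanism or host OS) and prints one JSON line per change for a log forwarder to ship; the directory names, file names, file contents and `host-placeholder` are constructed assumptions.

```python
import hashlib, json, os, tempfile, time
from pathlib import Path

def snapshot(watch):
    """watch maps a layer label to root directories; returns {path: (layer, sha256)}."""
    state = {}
    for layer, roots in watch.items():
        for root in roots:
            for dirpath, _, names in os.walk(root):
                for name in names:
                    p = os.path.join(dirpath, name)
                    if os.path.isfile(p) and not os.path.islink(p):  # regular files only
                        # Whole-file read: acceptable for small config files.
                        state[p] = (layer, hashlib.sha256(Path(p).read_bytes()).hexdigest())
    return state

def compare(baseline, current, host):
    """Return one event per file added, removed or modified since the baseline."""
    events = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            continue
        change = "added" if old is None else "removed" if new is None else "modified"
        events.append({"ts": int(time.time()), "host": host, "layer": (new or old)[0],
                       "path": path, "change": change,
                       "old_sha256": old[1] if old else None,
                       "new_sha256": new[1] if new else None})
    return events

def demo():
    """Constructed sample tree: two directories stand in for the two monitored layers."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        sample = {"isolation/vm.conf": b"nested=off\n", "isolation/net.conf": b"bridge=br0\n",
                  "host_os/sshd_config": b"PermitRootLogin no\n"}
        for rel, data in sample.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        watch = {"isolation": [root / "isolation"], "host_os": [root / "host_os"]}
        baseline = snapshot(watch)
        (root / "isolation/vm.conf").write_bytes(b"nested=on\n")           # modified
        (root / "isolation/net.conf").unlink()                             # removed
        (root / "host_os/authorized_keys").write_bytes(b"constructed\n")   # added
        return compare(baseline, snapshot(watch), "host-placeholder")

if __name__ == "__main__":
    for event in demo():
        print(json.dumps(event, sort_keys=True))  # one JSON line per change
```

The example keeps the baseline in memory; a baseline held on the monitored host can be altered along with the files it describes, so it belongs somewhere the host cannot write to.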
Implementation tips
- The IT team should set up monitoring software on shared servers to detect any unusual activities. This can be done by configuring the server to track who accesses it, what they do, and when they do it. Use an intuitive tool that records this information in an easy-to-read format.
- Managers or system owners should ensure logs are kept in a centralised location. They can do this by working with IT to choose a logging system that keeps all records together so that they are easy to analyze.
- The IT team should regularly review the logs for any strange patterns of behaviour. This might involve setting up automatic alerts when certain types of untoward actions occur, such as attempts to access restricted areas of the system.
- IT staff should ensure the server's software isolation tools are updated regularly. They can do this by configuring the software to notify them of available updates, which helps protect the system from vulnerabilities that can be exploited.
- Senior management should ensure there's a procedure for responding to anomalies found during monitoring. This means having a clear plan in place that details who to contact and what steps to take if something suspicious is found.
Audit / evidence tips
- Ask for the server monitoring configuration document: Ensure it outlines the specifics of what activities are being monitored.
  Good: includes a detailed list of activities and events that are tracked.
- Ask to see samples of the log files: Verify that these show regular logging periods and capture data on who accessed the system and what was done.
  Good: includes clear timestamps, user identities, and actions performed.
- Good: includes screenshots or reports from the logging tool showing inputs from all shared servers.
- Ask for records of software updates: Verify that updates have been timely, reflecting how frequently updates occur.
  Good: contains a version history and the date each was applied.
- Ask about the procedure for handling anomalies: Check if there's a clear, documented process for when irregularities are found.
  Good: includes a flowchart or checklist with defined roles and actions for suspicious activity.
Cross-framework mappings
How ISM-1607 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.16 | ISM-1607 focuses on integrity monitoring and centralised logging for server hardware shared via software isolation | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (3) | | |
| E8-RA-ML2.6 | ISM-1607 mandates integrity monitoring and centralised event logging for isolation mechanisms and host OS on shared servers | |
| E8-RA-ML2.9 | ISM-1607 requires integrity monitoring and centralised event logging for shared server hardware using software isolation | |
| E8-AH-ML2.12 | E8-AH-ML2.12 requires centralised logging of command line process creation events on hosts | |
| Depends on (1) | | |
| E8-MF-ML2.7 | ISM-1607 requires monitoring and central logging for shared servers using software isolation | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.