ISM-1623, ASD Information Security Manual (ISM)

Centralised Logging of PowerShell Activities

Ensure PowerShell actions and logs are collected in a central place for monitoring.

Plain language

This control is about making sure all the actions and logs from PowerShell, a tool commonly used on Windows computers, are collected in a central spot. This matters because if you don't keep track of what's happening with PowerShell, you might miss signs that someone is trying to break into your computers or steal important data.

Framework

ASD Information Security Manual (ISM)

Control effect

Detective

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2023

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML2, ML3

Official control statement

PowerShell module logging, script block logging and transcription events are centrally logged.
ASD Information Security Manual (ISM), ISM-1623

Why it matters

Without centralised logging of PowerShell module, script block and transcription events, malicious PowerShell use may go unnoticed, leading to compromise or data breach.

Operational notes

Enable module logging, script block logging and transcription, forward events to a central SIEM, and routinely hunt for suspicious cmdlets, encoded commands and unusual scripts.

Implementation tips

  • The IT team should set up a central logging service that collects logs from all computers in the organisation. This can be done by configuring each computer to send its logs to a central server where they can be stored for review.
  • System administrators should enable PowerShell module logging on all computers. This involves changing the settings in PowerShell to record which modules are being used and sending those logs to the central server.
  • IT personnel need to activate script block logging to capture detailed information about the PowerShell scripts being run. They can do this by adjusting group policy settings or setting it directly on each computer to ensure scripts are logged properly.
  • The IT security team should implement transcription logging, which records the input and output of PowerShell sessions. They can set this up in PowerShell by enabling transcription settings that will then send the logs to a central location.
  • The IT manager should regularly review the collected PowerShell logs to check for unusual activity. This involves examining the logs for any signs of unauthorised access or unexpected changes and ensuring they are stored for an appropriate time period as required by company policy or regulations.
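
As an added example (not part of the ISM or of this page's own material), the following PowerShell script reports on one endpoint whether the three settings named in the tips above are enabled through policy. It assumes Windows PowerShell 5.1 configured by Group Policy, whose settings are stored under HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell; the function names are hypothetical.

```powershell
# Added example: report the state of the three logging policies named in ISM-1623.
# Assumption: Windows PowerShell 5.1, configured through Group Policy (registry below).
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PolicyValue {            # hypothetical helper name
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-PowerShellLoggingPolicy {   # hypothetical function name
    # Module logging only records modules listed under ModuleNames; '*' means all.
    $namesPath = "$base\ModuleLogging\ModuleNames"
    $moduleNames = @()
    if (Test-Path $namesPath) { $moduleNames = @((Get-Item $namesPath).Property) }
    $transcriptDir = Get-PolicyValue "$base\Transcription" 'OutputDirectory'

    # Local evidence that events exist to forward: 4103 = module logging, 4104 = script block.
    $recent = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4103, 4104
    } -MaxEvents 200 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        ModuleLogging       = (Get-PolicyValue "$base\ModuleLogging" 'EnableModuleLogging') -eq 1
        AllModulesLogged    = $moduleNames -contains '*'
        ScriptBlockLogging  = (Get-PolicyValue "$base\ScriptBlockLogging" 'EnableScriptBlockLogging') -eq 1
        Transcription       = (Get-PolicyValue "$base\Transcription" 'EnableTranscripting') -eq 1
        InvocationHeader    = (Get-PolicyValue "$base\Transcription" 'EnableInvocationHeader') -eq 1
        TranscriptDirectory = $transcriptDir
        # A local directory keeps transcripts on the endpoint until something else collects them.
        TranscriptIsUncPath = [bool]($transcriptDir -like '\\*')
        Events4103          = @($recent | Where-Object Id -eq 4103).Count
        Events4104          = @($recent | Where-Object Id -eq 4104).Count
    }
}

$result = Test-PowerShellLoggingPolicy
$result | Format-List

# List what still blocks the control on this host.
$required = 'ModuleLogging', 'ScriptBlockLogging', 'Transcription'
$missing  = $required | Where-Object { -not $result.$_ }
if ($missing) { Write-Warning "Not enabled by policy: $($missing -join ', ')" }
```

The script only confirms local configuration and local event generation; whether those events reach the central log store still has to be checked on the collector side.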

Audit / evidence tips

  • Ask: The central logging server configuration details: Request documents or screenshots showing how computers are set up to send logs to the server. Good: Result will show an active system where logs are received and stored correctly.
  • Good: Will show the settings are enabled and functional across all computers.
  • Ask: Documentation or screenshots showing script block logging is turned on in PowerShell. Ensure this setting is enabled and logs are going to the central collection. Good: Result will confirm this feature is active and reporting correctly.
  • Ask: Evidence of transcription logging settings: Request details or screenshots proving transcription logging is configured for PowerShell sessions. Check that these settings send the logs centrally and are not disabled. Good: Will show these logs are being recorded and sent properly.
  • Good: Result will indicate logs are reviewed regularly and any issues are followed up.

Cross-framework mappings

How ISM-1623 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

  • Annex A 8.15: ISM-1623 requires centralised logging specifically for PowerShell module, script block and transcription events

Supports (1)

  • Annex A 5.28: ISM-1623 requires centralised collection of detailed PowerShell activity logs (module, script block and transcription)

E8

Partially overlaps (2)

  • E8-RA-ML2.7: E8-RA-ML2.7 requires privileged account and group management events to be centrally logged for visibility of administrative changes
  • E8-AH-ML2.12: E8-AH-ML2.12 requires that command line process creation events are centrally logged

Related (1)

  • E8-AH-ML2.11: ISM-1623 requires that PowerShell module logging, script block logging and transcription events are centrally logged for monitoring

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
