Log Management of Privileged User Activities
Keep track of changes to privileged user accounts and security groups by logging them in one central place.
Plain language
This control is about keeping track of what people with special access to your computer systems are doing. It matters because if no one is watching over these activities, someone could make harmful changes without being noticed, leading to data being stolen or systems being compromised.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2, ML3
Guideline
Guidelines for personnel security
Official control statement
Privileged user account and security group management events are centrally logged.
Why it matters
Without central logging of privileged account and security group changes, malicious or unauthorised access and permission changes may go undetected, enabling persistent compromise.
Operational notes
Ensure privileged account and security group management events (for example account creation, enabling, disabling and deletion, password resets, and additions to or removals from privileged groups) are forwarded to a central log platform, protected from tampering, and routinely reviewed for unexpected membership or role changes. Audit settings on the source systems must actually generate these events; an event that is never recorded locally cannot be forwarded.
Implementation tips
- The IT team should forward all privileged account and security group management events to a central log platform (for example a SIEM or a Windows Event Forwarding collector) so actions by users with special access can be reviewed when needed. Confirm that auditing of account and group management is enabled on each source system; otherwise there is nothing to collect.
- System administrators should review the logs regularly, for example weekly, looking for anything unusual: additions to privileged groups without a matching change record, new accounts that are immediately granted group membership, users adding themselves to administrative groups, or changes made at odd hours.
- Managers should assign responsibility for reviewing the privileged account logs to a named, trusted team member and provide them with training on what to look for in the logs.
- The IT department should regularly test the logging system to ensure it is capturing all necessary data. Run tests every month, for example by making a reversible change to a test account or group and confirming the corresponding event arrives at the central platform, to verify that logs are being recorded correctly and include crucial events like changes to user privileges.
- The security officer should ensure that logs are kept secure and accessible only to authorised personnel. Implement access controls so that only those who need to review the logs can see them, and protect the central copy from modification so that an administrator cannot cover their tracks by editing or clearing the logs on the source system.
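The weekly review and the coverage check described in the tips above, as an added example that is not part of the ISM or of this page. It reads account and group management events exported from a central log platform and flags privileged-group additions with no matching change record, self-elevation, out-of-hours changes, and new accounts granted membership within minutes of creation; it also reports hosts that sent no management events at all. The event IDs are Microsoft's documented Windows Security log IDs; the JSON field names, group list, business-hours window, change register and sample log lines are constructed assumptions for illustration, not any product's schema.

```python
"""Review centrally logged privileged account and security group
management events (ISM-1650). Added example; event IDs are Microsoft's,
everything else (field names, groups, tickets, sample lines) is assumed."""
import json
from datetime import datetime, timedelta

# Windows Security log event IDs for account and group management.
ACCOUNT_EVENTS = {4720: "user account created", 4722: "user account enabled",
                  4724: "password reset attempted", 4725: "user account disabled",
                  4726: "user account deleted", 4738: "user account changed"}
GROUP_ADD_EVENTS = {4728: "global", 4732: "local", 4756: "universal"}
GROUP_REMOVE_EVENTS = {4729: "global", 4733: "local", 4757: "universal"}
MANAGEMENT_EVENTS = set(ACCOUNT_EVENTS) | set(GROUP_ADD_EVENTS) | set(GROUP_REMOVE_EVENTS)

# Assumed: groups whose membership changes must always have a change record.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
BUSINESS_HOURS = range(8, 18)            # assumed change window, hours UTC
NEW_ACCOUNT_WINDOW = timedelta(minutes=10)

# Assumed change register: approved (group, member, time window) per ticket.
APPROVED_CHANGES = [
    {"ticket": "CHG-0412", "group": "Domain Admins", "member": "svc-backup",
     "start": "2025-03-10T09:00:00Z", "end": "2025-03-10T11:00:00Z"},
]

# Constructed sample export, one JSON object per line (field names assumed).
SAMPLE_LOG = """
{"ts":"2025-03-10T09:42:11Z","host":"DC01","event_id":4728,"subject":"alice","target":"svc-backup","group":"Domain Admins"}
{"ts":"2025-03-10T23:17:05Z","host":"DC01","event_id":4732,"subject":"bob","target":"bob","group":"Administrators"}
{"ts":"2025-03-11T08:05:30Z","host":"DC02","event_id":4720,"subject":"alice","target":"tmp-admin"}
{"ts":"2025-03-11T08:06:02Z","host":"DC02","event_id":4728,"subject":"alice","target":"tmp-admin","group":"Helpdesk"}
{"ts":"2025-03-11T10:00:00Z","host":"DC02","event_id":4624,"subject":"carol","target":"carol"}
"""


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def parse_events(text):
    """Parse JSON-lines export into event dicts with a datetime 'ts'."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = parse_ts(event["ts"])
        events.append(event)
    return events


def approved_ticket(event, changes):
    """Return the ticket that covers this group addition, or None."""
    for change in changes:
        if (change["group"] == event.get("group") and change["member"] == event["target"]
                and parse_ts(change["start"]) <= event["ts"] <= parse_ts(change["end"])):
            return change["ticket"]
    return None


def finding(rule, event):
    return {"rule": rule, "host": event["host"], "event_id": event["event_id"],
            "subject": event["subject"], "target": event["target"],
            "group": event.get("group"), "ts": event["ts"].isoformat()}


def review(events, changes=APPROVED_CHANGES):
    """Apply the review rules from the implementation tips; return findings."""
    findings = []
    created = {}  # target account -> its 4720 (creation) event
    for event in sorted(events, key=lambda e: e["ts"]):
        eid = event["event_id"]
        if eid not in MANAGEMENT_EVENTS:
            continue  # logons etc. are out of scope for this control
        if eid == 4720:
            created[event["target"]] = event
        if eid in GROUP_ADD_EVENTS:
            if event["group"] in PRIVILEGED_GROUPS:
                if approved_ticket(event, changes) is None:
                    findings.append(finding("unapproved_privileged_add", event))
                if event["ts"].hour not in BUSINESS_HOURS:
                    findings.append(finding("out_of_hours_privileged_add", event))
            if event["subject"] == event["target"]:
                findings.append(finding("self_elevation", event))
            creation = created.get(event["target"])
            if creation and event["ts"] - creation["ts"] <= NEW_ACCOUNT_WINDOW:
                findings.append(finding("new_account_granted_membership", event))
    return findings


def silent_hosts(events, expected_hosts):
    """Coverage check: hosts that forwarded no management events at all."""
    seen = {e["host"] for e in events if e["event_id"] in MANAGEMENT_EVENTS}
    return set(expected_hosts) - seen


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for f in review(evs):
        print(f)
    print("no management events from:", silent_hosts(evs, ["DC01", "DC02", "DC03"]))
```

The approved addition of svc-backup to Domain Admins produces no finding; bob adding himself to Administrators at 23:17 with no ticket produces three, and the tmp-admin account created and given group membership 32 seconds later produces one. The silent-host check is the monthly test from the tips in code form: a domain controller that is expected to forward events but appears in the set is a collection failure to investigate, not a quiet month.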
Audit / evidence tips
- Ask for the log management policy document: request to see the written policy that describes how privileged user activities are logged.
  Good evidence: includes clear guidelines on logging frequency, scope, and responsibility assignments.
- Ask to see a recent log review report: check for a document that shows the results of a privileged account activity log review.
  Good evidence: shows logs were reviewed, issues were flagged, and appropriate follow-up actions were recorded.
- Ask who is responsible for log reviews: request a list of personnel with their roles related to log management.
  Good evidence: has named individuals with clear duties and contact information.
- Ask for access control documentation for log files: ask to see who has access to the logs and how that access is controlled.
  Good evidence: demonstrates that only necessary personnel can access logs, reducing the risk of tampering.
- Ask to see any recorded incidents related to privileged activity: request a report of any logged incidents involving misuse of privileged accounts.
  Good evidence: shows timely detection through logs and a record of responsive actions taken.
Cross-framework mappings
How ISM-1650 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.15 (Logging) | ISM-1650 requires central logging of privileged user account and security group management events |
| Supports | Annex A 8.16 (Monitoring activities) | ISM-1650 requires central logging of privileged user account and security group management events |
| Related | Annex A 8.2 (Privileged access rights) | Annex A 8.2 requires privileged access rights to be restricted and managed, which typically includes accountability mechanisms around pri... |
E8
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | E8-RA-ML2.6 | ISM-1650 requires privileged user account and security group management events to be centrally logged |
| Related | E8-RA-ML2.7 | ISM-1650 requires privileged user account and security group management events to be centrally logged |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.