ISM-1660 ASD Information Security Manual (ISM)

Central Logging of Application Events

All application events, whether allowed or blocked, must be recorded centrally.

Plain language

This control is about making sure that every time an application on your computer system does something important, such as allowing or blocking an action, it's reported to one central location. If you don't do this, you risk missing signs that something is going wrong, which means you might not catch a problem or an attack before it causes serious harm.

Framework

ASD Information Security Manual (ISM)

Control effect

Detective

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2023

Control Stack last updated

18 May 2026

E8 maturity levels

ML2, ML3

Official control statement

Allowed and blocked application control events are centrally logged.
ASD Information Security Manual (ISM) ISM-1660

Why it matters

Without central logging of allowed and blocked application control events, suspicious executions may be missed, delaying detection and response to malware or misuse.

Operational notes

Forward allowed/blocked application control events to a central log store, verify coverage across hosts, and alert on repeated blocks or unexpected allows.
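
One way to run the checks named in the operational notes over centrally collected events, as an added example that is not part of the ISM or of this page's own material. The event field names, host inventory, approved path prefixes and block threshold are all assumptions, and the sample events are constructed.

```python
from collections import Counter

# Constructed sample of events as pulled from a central log store.
# Field names (host, action, path) are assumptions, not a product schema.
EVENTS = [
    {"host": "ws-01", "action": "allowed", "path": "C:\\Program Files\\App\\app.exe"},
    {"host": "ws-01", "action": "blocked", "path": "C:\\Users\\kim\\Downloads\\setup.exe"},
    {"host": "ws-01", "action": "blocked", "path": "C:\\Users\\kim\\Downloads\\setup.exe"},
    {"host": "ws-01", "action": "blocked", "path": "C:\\Users\\kim\\Downloads\\Setup.exe"},
    {"host": "ws-02", "action": "allowed", "path": "C:\\Users\\lee\\AppData\\Local\\Temp\\run.exe"},
    {"host": "ws-04", "action": "blocked", "path": "C:\\Temp\\x.exe"},
]
INVENTORY = {"ws-01", "ws-02", "ws-03", "ws-04"}  # hosts expected to report (assumed)
APPROVED_PREFIXES = ("c:\\program files\\", "c:\\windows\\")  # assumed ruleset paths


def silent_hosts(events, inventory):
    """Coverage gap: inventory hosts with no events in the central store."""
    return sorted(inventory - {e["host"] for e in events})


def hosts_missing_allows(events):
    """Hosts sending blocked events but no allowed ones: allows may not be forwarded."""
    blocked = {e["host"] for e in events if e["action"] == "blocked"}
    allowed = {e["host"] for e in events if e["action"] == "allowed"}
    return sorted(blocked - allowed)


def repeated_blocks(events, threshold=3):
    """(host, path) pairs blocked at least `threshold` times; paths case-folded."""
    counts = Counter((e["host"], e["path"].lower())
                     for e in events if e["action"] == "blocked")
    return sorted(key for key, n in counts.items() if n >= threshold)


def unexpected_allows(events, approved=APPROVED_PREFIXES):
    """Allowed executions from paths outside the approved locations."""
    return [e for e in events if e["action"] == "allowed"
            and not e["path"].lower().startswith(approved)]


if __name__ == "__main__":
    print("no events received:", silent_hosts(EVENTS, INVENTORY))
    print("blocked-only hosts:", hosts_missing_allows(EVENTS))
    print("repeated blocks:", repeated_blocks(EVENTS))
    print("unexpected allows:", unexpected_allows(EVENTS))
```

A host that reports blocks but never an allow is worth checking first, since the control statement covers both event types.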

Implementation tips

  • The IT team should set up a central logging system to collect all application events. This involves choosing software that can automatically gather event logs from applications and sending them to a central server where they can be reviewed.
  • Application administrators need to make sure their applications are configured to log every action. This means adjusting settings in each application to record events like access attempts and errors, whether they're allowed or blocked.
  • Management should designate a person or team to regularly review the logs. They should check the logs for unusual activity, such as repeated failed login attempts, and investigate any suspicious behaviour promptly.
  • The IT team should establish a routine maintenance schedule for the central logging system to ensure it's running smoothly. This includes checking storage capacity, ensuring data is being received correctly, and performing updates to software as needed.
  • System owners must communicate with IT to ensure that new applications are integrated into the central logging system. This requires establishing a clear process whereby IT is informed of any new applications so they can set up necessary logging configurations.

Audit / evidence tips

  • Ask: The central logging policy document. Request the policy document that outlines how application events are logged centrally. Good: Will include a detailed process that encompasses setup, review, and maintenance of logs.
  • Ask: To see a log review schedule. Request any documentation or schedules that show regular log reviews. Good: Is a well-documented schedule showing routine log analysis over time.
  • Ask: A demonstration of the logging system. Have the IT team demonstrate how logs are collected and accessed. Good: Involves a clear, understandable process for accessing and analysing logs.
  • Ask: To see recent log review findings. Request reports from recent log reviews. Good: Includes specific examples of identified issues, actions taken, and confirmation of resolution or follow-up.
  • Ask: Records of training about the logging system. Request records showing staff have been trained to understand and manage the logging process. Good: Is a dated list of participants and session content, indicating ongoing staff education.

Cross-framework mappings

How ISM-1660 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

E8

Supports (2)

  • E8-AC-ML2.4: E8-AC-ML2.4 requires application control rulesets to be validated annually or more frequently to ensure rules remain correct
  • E8-AC-ML2.6: ISM-1660 requires central logging of allowed and blocked application control events so they are available for monitoring and investigation

Related (1)

  • E8-AC-ML2.5: ISM-1660 requires that both allowed and blocked application control events are centrally logged

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.