ISM-1815 ASD Information Security Manual (ISM)

Protect Event Logs from Unauthorised Access

Ensure logs are safe from changes or deletion by unauthorised users.

Plain language

Event logs are records of what's happening in your computer systems. Protecting these logs from unauthorised changes or deletion is crucial because tampered logs can hide intrusions and other malicious activity by masking suspicious behaviour.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2023

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML2, ML3

Official control statement

Event logs are protected from unauthorised modification and deletion.
ASD Information Security Manual (ISM) ISM-1815

Why it matters

If event logs can be modified or deleted, attackers can hide evidence of compromise, delaying detection and weakening investigations and response.

Operational notes

Restrict log access to admins only, enable append-only/immutable storage where possible, and routinely check integrity (hashing/alerts) for changes or deletions.
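
One way to carry out the integrity check mentioned above, as an added example (not ASD's or this site's own code): a keyed hash chain over log records, verified against tags that are assumed to be stored where log writers cannot change them. The function names, key and sample records are constructed for illustration.

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32  # fixed starting value for the chain

# Constructed sample data; the key is assumed to live off the logging host.
KEY = b"constructed-demo-key"
SAMPLE = [
    "2026-03-19T01:02:03Z host1 sshd: Accepted publickey for alice",
    "2026-03-19T01:05:10Z host1 sudo: alice : COMMAND=/usr/bin/systemctl restart app",
    "2026-03-19T01:07:44Z host1 sshd: Failed password for root",
    "2026-03-19T01:09:00Z host1 sshd: session closed for alice",
]

def _link(prev, record, key):
    """HMAC-SHA256 over the previous tag plus this record."""
    return hmac.new(key, prev + record.encode("utf-8"), hashlib.sha256).digest()

def seal(records, key):
    """Return one hex tag per record; each tag also covers every earlier record."""
    tags, prev = [], GENESIS
    for rec in records:
        prev = _link(prev, rec, key)
        tags.append(prev.hex())
    return tags

def verify(records, tags, key):
    """Check current records against the stored tags; return a list of findings."""
    findings = []
    if len(records) < len(tags):
        findings.append(f"{len(tags) - len(records)} record(s) missing")
    elif len(records) > len(tags):
        findings.append(f"{len(records) - len(tags)} unsealed record(s) present")
    prev = GENESIS
    for i, (rec, tag) in enumerate(zip(records, tags)):
        prev = _link(prev, rec, key)
        if not hmac.compare_digest(prev.hex(), tag):
            findings.append(f"chain breaks at record {i}")
            break  # everything after the first break is unverifiable
    return findings

if __name__ == "__main__":
    tags = seal(SAMPLE, KEY)
    edited = SAMPLE[:2] + [SAMPLE[2].replace("root", "backup")] + SAMPLE[3:]
    for name, recs in [("intact", SAMPLE), ("edited", edited),
                       ("deleted", SAMPLE[:1] + SAMPLE[2:]), ("truncated", SAMPLE[:3])]:
        print(name, verify(recs, tags, KEY) or "OK")
```

A removed tail record leaves every remaining tag valid, so the count comparison is what catches truncation; the chain check catches edits and mid-file deletions.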

Implementation tips

  • The IT team should ensure that only authorised staff have access to event logs by using user accounts with limited permissions. This can be done by setting up user roles and permissions specifically for log access in your system settings, ensuring only certain personnel can view or modify them.
  • System administrators should regularly check who has access to event logs and adjust permissions as needed. Conduct audits and maintain a list of people with access, updating it whenever there are changes in staff or roles.
  • Managers should ensure there is a backup system for event logs. This can be achieved by scheduling automatic backups every day and storing them securely, possibly offsite or on a specific server designated for backup purposes.
  • The IT security officer should implement an alert system for unauthorised access attempts. This can be established by configuring notifications in the system that send alerts to the security team if anyone tries to access or modify the logs without permission.
  • HR and IT should work together to train all relevant staff on the importance of log security and the consequences of breaches. Offer workshops or distribute information sheets explaining log security policies and the critical nature of protecting event logs.

Audit / evidence tips

  • Ask: The last access control review documentation. Ensure this document lists who had access to the event logs and any adjustments made. Good: One where all current roles with log access are accounted for and align with staff responsibilities.

Cross-framework mappings

How ISM-1815 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)
  • Annex A 8.3: ISM-1815 requires that event logs are protected from unauthorised modification and deletion

Related (1)
  • Annex A 5.33: Annex A 5.33 requires records to be protected from loss, destruction, falsification, unauthorised access and unauthorised release

E8

Related (4)
  • E8-AC-ML2.6: ISM-1815 requires event logs to be protected from unauthorised modification and deletion
  • E8-MF-ML2.7: ISM-1815 requires event logs to be protected from unauthorised modification and deletion
  • E8-RA-ML2.8: ISM-1815 requires event logs to be protected from unauthorised modification and deletion
  • E8-AH-ML2.13: E8-AH-ML2.13 requires event logs to be protected from unauthorised modification and deletion to prevent tampering

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
