Central Logging of Multifunction Device Use
Uses of multifunction devices are logged centrally for tracking purposes.
Plain language
Central logging of multifunction device use means that everything you print, scan, or copy is tracked and recorded in one place. This is important because if there's a data breach or sensitive information is mishandled, you can trace back who did what, helping to prevent potential damage to your business's reputation and security.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for communications systemsSection
Multifunction devicesOfficial control statement
Use of MFDs for printing, scanning and copying purposes, including the capture of shadow copies of documents, are centrally logged.
Why it matters
Without central MFD logging (print/scan/copy and shadow copies), investigating document misuse is difficult, increasing risk of undetected data leakage.
Operational notes
Centrally collect MFD print/scan/copy and shadow-copy logs; review routinely and alert on spikes, after-hours use or repeated failures to spot misuse quickly.
Implementation tips
- The IT team should set up a central logging system for multifunction devices (MFDs), ensuring every use of these devices is automatically recorded. They need to configure MFDs to send activity logs to a secure server where all this information is collected and can be reviewed.
- Managers should ensure that staff are aware of the logging process by organising a briefing session. During this session, explain why logging is necessary for protecting sensitive information and how it helps in case of any security incidents.
- Procurement officers should work with IT to choose multifunction devices that support central logging. This involves reviewing specifications and confirming the devices can send log data directly to a central system before purchasing.
- The IT team should regularly check the logging system to make sure it is working correctly. This means verifying that data from all multifunction devices is updated in real time and no logs are missing or incomplete.
- Security officers should have a process for reviewing logs in response to suspicious activity or security incidents. This includes setting predefined criteria for what constitutes unusual activity and a plan for investigating these issues promptly.
Audit / evidence tips
-
Askthe logging configuration manual: Request the document that describes how the central logging system is set up for MFDs
Goodincludes clear procedures detailing what is logged and the technology used to record and store this information
-
Aska sample activity log from the central logging system
Goodlog should include dates, times, user IDs, and actions taken (e.g., print, scan)
-
Aska list of MFDs with logging enabled
-
Askto see evidence of periodic log reviews: Request records or emails showing that logs are regularly checked. Good evidence includes logs of review dates, who conducted them, and any actions taken based on findings
-
Askany incident reports that involved MFD logs
Goodwill show logs being used to trace actions back to responsible users, outlining how this helped in resolving incidents
Cross-framework mappings
How ISM-1855 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 8.15 | ISM-1855 requires organisations to centrally log multifunction device (MFD) use for printing, scanning and copying, including capturing s... | |
| handshake Supports (1) expand_less | ||
| Annex A 5.28 | ISM-1855 requires organisations to centrally log MFD activity and retain shadow copies, producing a detailed record of who used MFD funct... | |
E8
| Control | Notes | Details |
|---|---|---|
| handshake Supports (1) expand_less | ||
| E8-MF-ML2.7 | ISM-1855 requires organisations to centrally log MFD printing, scanning and copying activity, including shadow copies of documents | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.