Log Single-factor Authentication Events
Keep track of successful and unsuccessful single-factor login attempts.
Plain language
This control is all about keeping a record of when someone successfully logs in or fails to log in using a single-factor method, like just a password. It matters because keeping track of these events helps to identify suspicious activities, like repeated failed login attempts, which could indicate that someone is trying to break into your system.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardeningSection
Authentication hardeningOfficial control statement
Successful and unsuccessful single-factor authentication events are centrally logged.
Why it matters
Without central logging of successful and failed single-factor authentication events, suspicious access attempts can go undetected, increasing breach risk.
Operational notes
Centrally collect successful and failed single-factor authentication logs and review them weekly for patterns such as repeated failures or logins from unusual sources.
Implementation tips
- The IT team should set up a central logging system to capture all login attempts. They should ensure that each login attempt, whether successful or unsuccessful, is sent to this logging system for centralised tracking.
- A manager responsible for IT should regularly review these logs for unusual patterns, like multiple failed attempts from the same user or location. They can set up alerts that notify a designated person when such patterns occur.
- System owners must ensure their systems are configured to send login event data to the central logging system. This may involve updating software settings to enable logging as required by this control.
- The IT team should train staff on recognising phishing attempts since these can lead to failed logins if credentials are stolen and misused. Provide practical examples and updates on what to look out for.
- The procurement team should ensure any new software or system purchases have the capability to support logging of authentication events. This sometimes requires liaising with vendors to confirm logging features are present and adequate.
Audit / evidence tips
-
Askthe logs from the central logging system: Request to see the logs that record successful and unsuccessful single-factor login attempts
Goodis logs displaying entries from all relevant systems with timestamps and user details
-
Askalert settings documentation: Request to see how alerts are configured within the logging system for failed login attempts
Goodshows clearly defined alerts and an escalation procedure for responding to suspicious activity
-
Askevidence of regular log reviews: Request documentation or confirmation of periodic log reviews
Goodis a regular schedule of reviews that staff sign off on, noting actions taken if any incidents were found
-
Asktraining materials on phishing and login security: Request documents or recordings used for staff training sessions
Goodincludes clear, understandable training that is periodically updated
-
Askprocurement evaluation documents: Request information on how authentication logging was assessed for incoming systems
Goodshows a consistent process ensuring all systems evaluated have the necessary logging features
Cross-framework mappings
How ISM-1895 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 8.15 | ISM-1895 requires central logging of successful and unsuccessful single-factor authentication events | |
E8
| Control | Notes | Details |
|---|---|---|
| sync_alt Partially overlaps (2) expand_less | ||
| E8-MF-ML2.6 | ISM-1895 requires successful and unsuccessful single-factor authentication events to be centrally logged | |
| E8-RA-ML2.6 | ISM-1895 requires central logging of successful and unsuccessful single-factor authentication events | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.