ISM-1895: ASD Information Security Manual (ISM)

Log Single-factor Authentication Events

Keep track of successful and unsuccessful single-factor login attempts.

Plain language

This control is about keeping a record of every successful or failed login that uses a single-factor method, such as a password alone. These records help identify suspicious activity, such as repeated failed login attempts, which could indicate that someone is trying to break into your system.

Framework

ASD Information Security Manual (ISM)

Control effect

Detective

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2023

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Successful and unsuccessful single-factor authentication events are centrally logged.
ASD Information Security Manual (ISM), ISM-1895

Why it matters

Without central logging of successful and failed single-factor authentication events, suspicious access attempts can go undetected, increasing breach risk.

Operational notes

Centrally collect successful and failed single-factor authentication logs and review them weekly for patterns such as repeated failures or logins from unusual sources.

Implementation tips

  • The IT team should set up a central logging system to capture all login attempts. They should ensure that each login attempt, whether successful or unsuccessful, is sent to this logging system for centralised tracking.
  • A manager responsible for IT should regularly review these logs for unusual patterns, like multiple failed attempts from the same user or location. They can set up alerts that notify a designated person when such patterns occur.
  • System owners must ensure their systems are configured to send login event data to the central logging system. This may involve updating software settings to enable logging as required by this control.
  • The IT team should train staff on recognising phishing attempts since these can lead to failed logins if credentials are stolen and misused. Provide practical examples and updates on what to look out for.
  • The procurement team should ensure any new software or system purchases have the capability to support logging of authentication events. This sometimes requires liaising with vendors to confirm logging features are present and adequate.

Audit / evidence tips

  • Ask: The logs from the central logging system. Request to see the logs that record successful and unsuccessful single-factor login attempts. Good: Logs display entries from all relevant systems with timestamps and user details.
  • Ask: Alert settings documentation. Request to see how alerts are configured within the logging system for failed login attempts. Good: Shows clearly defined alerts and an escalation procedure for responding to suspicious activity.
  • Ask: Evidence of regular log reviews. Request documentation or confirmation of periodic log reviews. Good: A regular schedule of reviews that staff sign off on, noting actions taken if any incidents were found.
  • Ask: Training materials on phishing and login security. Request documents or recordings used for staff training sessions. Good: Includes clear, understandable training that is periodically updated.
  • Ask: Procurement evaluation documents. Request information on how authentication logging was assessed for incoming systems. Good: Shows a consistent process ensuring all systems evaluated have the necessary logging features.
Cross-framework mappings

How ISM-1895 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

  • Annex A 8.15: ISM-1895 requires central logging of successful and unsuccessful single-factor authentication events

E8

Partially overlaps (2)

  • E8-MF-ML2.6: ISM-1895 requires successful and unsuccessful single-factor authentication events to be centrally logged
  • E8-RA-ML2.6: ISM-1895 requires central logging of successful and unsuccessful single-factor authentication events

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
