Timely Analysis of Internet-Facing Server Logs
Organisations must quickly review logs from online servers to spot potential security threats.
Plain language
This control is about regularly checking the records or logs from your online servers to quickly spot any security issues, like unauthorised access or attacks. If you don't do this, you might miss signs of a cyber threat, which could lead to loss of data, financial loss, or damage to your reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2, ML3
Guideline
Guidelines for system monitoring
Section
Event logging and monitoring
Topic
Event Log Monitoring
Official control statement
Event logs from internet-facing servers are analysed in a timely manner to detect cyber security events.
Why it matters
Without timely analysis of internet-facing server logs, intrusions may go unnoticed, delaying containment and increasing breach impact.
Operational notes
Configure alerts for suspicious internet-facing server log events and review flagged entries within 24 hours to detect and respond quickly.
Implementation tips
- The IT team should set up an automated system to collect logs from all internet-facing servers. This can be done by using simple tools that gather these logs into one place so they can be easily reviewed.
- Managers should schedule regular meetings to review these logs. This involves a quick look at any unusual activity or anything that doesn't seem right compared to normal server activity.
- System owners should train staff to recognise signs of irregular activity, such as unusual login times or access from unexpected locations. This could include short, focused training sessions highlighting common signs of trouble.
- The IT team should establish clear procedures for what to do when suspicious activity is detected. This might involve contacting the manager immediately and initiating an internal review.
- Managers should make sure there is someone assigned to review the logs every day. This could be a rotating role among staff, ensuring that someone is always paying attention to server activity.
Audit / evidence tips
- Ask for a report of recent server log reviews: Request documentation showing each time server logs were reviewed in the past month.
  Good: shows regular checks and any issues flagged for further review.
- Ask to see the log review procedure document: Request the written procedures staff follow to review server logs.
  Good: includes a clear path for escalation if something odd is detected.
- Ask for training records of staff: Request evidence of training sessions teaching staff to spot security concerns.
  Good: lists all relevant staff trained within the last year.
- Ask for records of any suspicious activity detected: Request examples of past incidents logged and the actions taken.
  Good: shows prompt recognition and response to any unusual activities.
- Ask for names of responsible individuals: Request a list of people who are accountable for log reviews. Look to see if there's a regular rotation or dedicated roles.
  Good: ensures roles are clear and continuously filled.
Cross-framework mappings
How ISM-1906 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.15 | ISM-1906 requires timely analysis of event logs from internet-facing servers to detect cyber security events | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (5) | | |
| Related (6) | | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.