Timely Analysis of Non-Internet-Server Logs
Examine logs from servers not facing the internet promptly to find security issues.
Plain language
This control is about making sure that logs from servers that aren't directly connected to the internet are looked at quickly. It's important because these logs can reveal hidden security threats or unusual activity, and if not checked regularly, problems could go unnoticed until they cause significant damage.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Guideline
Guidelines for system monitoring
Section
Event logging and monitoring
Topic
Event Log Monitoring
Official control statement
Event logs from non-internet-facing servers are analysed in a timely manner to detect cyber security events.
Why it matters
If non-internet-facing server logs aren’t analysed promptly, internal compromise and lateral movement may go unnoticed, delaying detection and response.
Operational notes
Analyse non-internet-facing server logs daily (or per risk), use alerting for suspicious events, and document triage and escalation timelines.
Implementation tips
- The IT team should schedule regular reviews of server logs. Set up a calendar reminder to check these logs at least weekly for any unusual activities or patterns that don't look right.
- System administrators need to use a consistent method for analysing logs. They should use an application or tool that helps summarise log data so that they can spot issues quickly without sifting through pages of details.
- The office manager should ensure that someone is specifically tasked with log analysis. Assign this responsibility clearly in a staff meeting and include it in the job description of an IT staff member.
- Managers should encourage staff training on log interpretation. Organise a workshop or training session about common security threats and how they might show up in logs. This should be done in-house or with a local provider.
- Business owners should allocate resources for maintaining and securing log data. Budget for tools that store and archive logs securely so that past records can be accessed for audits or investigations.
Audit / evidence tips
- Ask to see the log review schedule: Request the calendar or system that tracks when log reviews are supposed to happen.
  Good: shows consistent, planned log review times with named individuals.
- Ask for a sample log report: Request a recent example of an analysed log report.
- Ask to see the team member responsibility list: Request a document or section in someone’s job description that contains log review tasks.
  Good: lists roles and their specific responsibilities.
- Ask for evidence of log analysis training: Request training records or certificates.
- Ask to see the log archive solution: Request documentation of how logs are stored and protected.
  Good: documentation that outlines secure storage and access policies.
Cross-framework mappings
How ISM-1907 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (6) | | |
| Supports (1) | | |
| Related (6) | | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.