ISM-1907 policy ASD Information Security Manual (ISM)

Timely Analysis of Non-Internet-Server Logs

Examine logs from servers not facing the internet promptly to find security issues.

Detective ML3 NC OS P ASD Information Security ManualGuidelines for system monitoring logging incident detection

record_voice_over

Plain language

This control is about making sure that logs from servers that aren't directly connected to the internet are looked at quickly. It's important because these logs can reveal hidden security threats or unusual activity, and if not checked regularly, problems could go unnoticed until they cause significant damage.

01 - Overview

Framework

ASD Information Security Manual (ISM)

Control effect

Detective

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2023

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML3

Guideline

Guidelines for system monitoring

Section

Event logging and monitoring

Topic

Event Log Monitoring

Official control statement

Event logs from non-internet-facing servers are analysed in a timely manner to detect cyber security events.

policy ASD Information Security Manual (ISM) ISM-1907

priority_high

Why it matters

If non-internet-facing server logs aren’t analysed promptly, internal compromise and lateral movement may go unnoticed, delaying detection and response.

settings

Operational notes

Analyse non-internet-facing server logs daily (or per risk), use alerting for suspicious events, and document triage and escalation timelines.

02 - Implement

build

Implementation tips

The IT team should schedule regular reviews of server logs. Set up a calendar reminder to check these logs at least weekly for any unusual activities or patterns that don't look right.
System administrators need to use a consistent method for analysing logs. They should use an application or tool that helps summarise log data so that they can spot issues quickly without sifting through pages of details.
The office manager should ensure that someone is specifically tasked with log analysis. Assign this responsibility clearly in a staff meeting and include it in the job description of an IT staff member.
Managers should encourage staff training on log interpretation. Organise a workshop or training session about common security threats and how they might show up in logs. This should be done in-house or with a local provider.
Business owners should allocate resources for maintaining and securing log data. Budget for tools that store and archive logs securely so that past records can be accessed for audits or investigations.

03 - Audit

fact_check

Audit / evidence tips

AskTo see the log review schedule: Request the calendar or system that tracks when log reviews are supposed to happen GoodShows consistent, planned log review times with named individuals
AskA sample log report: Request a recent example of an analysed log report
AskTo see the team member responsibility list: Request a document or section in someone’s job description that contains log review tasks GoodLists roles and their specific responsibilities
AskEvidence of log analysis training: Request training records or certificates
AskTo see the log archive solution: Request documentation of how logs are stored and protected GoodIs a documentation that outlines secure storage and access policies

04 - Mappings

link

Cross-framework mappings

How ISM-1907 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

E8

Control	Notes	Details
sync_alt Partially overlaps (6) expand_less

E8-AH-ML2.14	E8-AH-ML2.14 requires event logs from internet-facing servers to be analysed in a timely manner to detect cyber security events
E8-AH-ML3.5	E8-AH-ML3.5 requires timely analysis of workstation event logs to detect cyber security events

E8-MF-ML2.8	ISM-1907 requires timely analysis of logs from non-internet-facing servers to detect cyber security events

E8-RA-ML2.9	E8-RA-ML2.9 requires event logs from internet-facing servers to be analysed promptly to detect cyber security events
E8-RA-ML2.10	E8-RA-ML2.10 requires cyber security events to be analysed in a timely manner to identify cyber security incidents
E8-RA-ML3.9	E8-RA-ML3.9 requires organisations to analyse workstation event logs in a timely manner to detect cyber security events
handshake Supports (1) expand_less

E8-AH-ML2.12	E8-AH-ML2.12 requires command line process creation events to be centrally logged, creating a reliable log source for server monitoring
link Related (6) expand_less

E8-AC-ML2.8	E8-AC-ML2.8 requires organisations to analyse cyber security events in a timely manner to determine whether they are incidents
E8-AC-ML3.4	E8-AC-ML3.4 requires event logs from non-internet-facing servers to be analysed in a timely manner to detect cyber security events

E8-AH-ML3.4	E8-AH-ML3.4 requires event logs from non-internet-facing servers to be analysed in a timely manner to detect cyber security events

E8-MF-ML2.9	E8-MF-ML2.9 requires timely analysis of cyber security events to identify incidents
E8-MF-ML3.4	E8-MF-ML3.4 requires event logs from non-internet-facing servers to be analysed in a timely manner to detect cyber security events

E8-RA-ML3.8	E8-RA-ML3.8 requires event logs from non-internet-facing servers to be analysed in a timely manner to detect cyber security events

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.