Centralised Logging of Software Errors and Usage
Important software activities and errors are logged to a central system for security tracking.
Plain language
This control is about keeping track of what goes right and wrong in your software by logging errors and important activities to a central location. It matters because if you're not aware of issues, you can't fix them, which can lead to bigger problems like data breaches or software failures that disrupt your business.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for software developmentTopic
Software Event LoggingOfficial control statement
Security-relevant usage, error messages and crashes for software are centrally logged.
Why it matters
Without centralised logging of software errors, crashes and security-relevant usage, incidents may go unseen, delaying detection and causing outages or data compromise.
Operational notes
Configure software to forward errors, crashes and security-relevant usage events to a central log store; monitor/alert on patterns and investigate anomalies promptly.
Implementation tips
- The IT team should set up a central logging system where all software errors and important usage events are recorded. This can be done by integrating logging tools that collect and send data from each software application to a main server where it can be reviewed.
- Managers should ensure that their teams understand the importance of logging software issues. They can achieve this by organising regular training sessions that explain how logging helps catch errors early and prevent larger security incidents.
- IT staff should configure alert mechanisms within the logging system to notify them when certain types of errors or unusual activities occur. This involves setting specific criteria for notifications and ensuring these alerts go to the person who can address the issue immediately.
- Software developers should work with the IT team to identify which activities and errors are security-relevant and need to be logged. This requires reviewing the software’s use cases and potential vulnerabilities to decide what needs to be monitored.
- HR should encourage an organisational culture that reports software issues quickly. This can be fostered by setting up a simple process for staff to report problems, ensuring they know how to do it, and reassuring them that it’s a positive step to improve overall security.
Audit / evidence tips
-
Askthe central logging policy document: Request the policy that outlines how software error and usage logging is handled
Goodincludes a clear responsibility matrix and detailed logging instructions
-
Askaccess to the central logging dashboard
Goodshows a clean interface where different types of events can be reviewed
-
Goodwill have logs with consistent detail that allows for effective issue tracing
-
Aska record of alerts triggered by logging: Look to see if the alerts have effectively notified relevant staff about issues
Goodwould contain a list of alerts with follow-ups showing resolution steps
-
Goodincludes dated training materials and sign-off sheets from attendees
Cross-framework mappings
How ISM-1911 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 8.15 | ISM-1911 requires the centralisation of security-relevant software usage, error messages, and crashes | |
| handshake Supports (1) expand_less | ||
| Annex A 8.16 | ISM-1911 mandates centralised logging of software usage, errors, and crashes, which aids the monitoring and evaluation of anomalies under... | |
E8
| Control | Notes | Details |
|---|---|---|
| extension Depends on (3) expand_less | ||
| E8-AH-ML2.15 | E8-AH-ML2.15 requires timely analysis of cyber security events to identify incidents | |
| E8-AC-ML3.4 | E8-AC-ML3.4 requires organisations to analyse event logs from non-internet-facing servers in a timely manner to detect cyber security events | |
| E8-MF-ML3.4 | E8-MF-ML3.4 requires timely analysis of event logs from non-internet-facing servers to detect cyber security events | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.