ISM-1960 | Policy | ASD Information Security Manual (ISM)

Timely Analysis of Event Logs for Cybersecurity

Internet-facing device logs are quickly reviewed to find security issues.


Plain language

Event logs from devices that connect to the internet are reviewed quickly to catch any security issues. This is important because if someone tries to hack your network or steal your information, the logs might show unusual activity. If these aren't checked regularly, you might miss early warnings and suffer data loss or a cyber incident that could have been prevented.

Framework

ASD Information Security Manual (ISM)

Control effect

Detective

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2024

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Event logs from internet-facing network devices are analysed in a timely manner to detect cyber security events.

Why it matters

Delayed analysis of internet-facing device logs can lead to undetected intrusions, resulting in data breaches and compromised network integrity.


Operational notes

Review internet-facing device event logs daily and alert on suspicious activity (e.g., repeated failed logins, config changes), escalating incidents for investigation.


Implementation tips

  • The IT team should establish a routine for checking event logs from internet-facing devices. They can do this by setting up a daily schedule to review these logs and flagging anything out of the ordinary. This can be done using software that highlights suspicious patterns or manual checks if resources are limited.
  • Managers should allocate responsibility for log reviews to a specific team member or group. They need to ensure that this person or group is trained to know what to look for, such as unauthorised access attempts, and has the time and resources to do it consistently.
  • System owners should work with IT staff to ensure all internet-facing devices have logging enabled. They should confirm that logs are being stored securely and are accessible for review without being tampered with. This might involve configuring settings on routers, firewalls, and servers.
  • IT teams should ensure that the logs cover an adequate period to detect patterns over time. A general rule is to retain logs for at least 90 days. This allows for a window to spot trends or repeated issues that would be missed if logs were kept for a shorter period.
  • Regularly update the team’s methodology on what to review in the logs based on the latest security threat information. IT and security staff should stay informed through trusted sources, such as the Australian Cyber Security Centre, to keep their approach current.

Audit / evidence tips

  • Ask: The latest event log review schedule. Request to see the calendar or documentation that details when and how often logs are reviewed. Look to ensure a clear schedule is in place with assigned personnel. Good: Will show logs are reviewed daily or weekly by named individuals.
  • Ask: A sample of recent reviewed logs. Obtain logs marked with identified incidents or anomalies.
  • Ask: Documentation on log retention policies. Request the policy document that outlines how long logs are kept. Look to ensure it states the retention period and secure storage practices. Good: Will match industry standards, such as the recommended 90 days or more.
  • Ask: To see the training records for team members responsible for log review. Verify completion of training specific to identifying log integrity and anomalies. Good: Will show recent training completion, ideally from credible sources like the Australian Signals Directorate.
  • Ask: A report on recent security incidents identified through log analysis. Request to see a brief report detailing incidents flagged from logs. Good: Outcome indicates rapid identification and mitigation efforts based on the logs.

Cross-framework mappings

How ISM-1960 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

  • Supports (1): Annex A 8.21. ISM-1960 supports Annex A 8.21 by specifying a monitoring technique for internet-facing devices.

E8

  • Partially overlaps (6)
  • Supports (1)
  • Related (2)

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
