ISM-1961 | ASD Information Security Manual (ISM)

Timely Analysis of Network Device Event Logs

Analyse logs from internal network devices quickly to detect security events.

Plain language

This control is about regularly checking the logs from your organisation's network devices, such as routers and switches, to spot any unusual or suspicious activity. If this isn't done, potential security threats could go unnoticed, leaving your business vulnerable to attacks or data breaches.

Framework

ASD Information Security Manual (ISM)

Control effect

Detective

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2024

Control Stack last updated

18 May 2026

E8 maturity levels

N/A

Official control statement

Event logs from non-internet-facing network devices are analysed in a timely manner to detect cyber security events.

Why it matters

Failure to analyse network device logs promptly can allow undetected intrusions, leading to data breaches or loss of critical business assets.

Operational notes

Review non-internet-facing network device event logs daily and alert on authentication failures, configuration changes and unusual admin access; tune rules and escalate suspected incidents promptly.

Implementation tips

  • The IT team should regularly check logs from network devices to look for unusual patterns. This involves setting a schedule to review logs at least weekly and using tools that can highlight unexpected activity.
  • Managers should ensure that the IT team is trained to recognise potential security events in network logs. Arrange regular training sessions to keep the team updated on the latest threats and log analysis techniques.
  • The IT team should automate log analysis where possible using available tools. Set up automated alerts that notify the team of specific key indicators of potential breaches, saving time and increasing effectiveness.
  • A dedicated staff member should be assigned responsibility for log monitoring. Choose someone from the IT team to be the 'log champion'; this person will ensure daily reviews and be the first point of contact for any issues.
  • System owners should periodically meet with the IT team to review log findings. Arrange quarterly meetings to discuss any trends or patterns identified, and adjust security measures as needed.

Audit / evidence tips

  • Ask: Evidence of log review schedules: Request the documented schedule of when log reviews occur. Good: A clear log showing dates and times of reviews, occurring at least weekly.
  • Ask: To see the automated alert setup: Request a demonstration or screen captures showing automated alerts for log anomalies. Good: Well-configured alerts in line with organisational needs and risks.
  • Ask: Training records: Request certificates or internal records showing IT log analysis training. Good: Recent and relevant training attended by all key IT staff.
  • Ask: Documentation of log review findings: Request reports or summaries from past log reviews. Good: Clear reports highlighting findings and remedial actions.
  • Ask: Records of IT and management review meetings: Request minutes or notes from meetings between IT staff and management about log reviews. Good: Regular meetings with actionable conclusions documented.

Cross-framework mappings

How ISM-1961 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

E8

Partially meets (1)
Partially overlaps (9)
Related (1)

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
