ISM-1963: ASD Information Security Manual (ISM)

Central Logging of Events on Internet-Facing Devices

Important events on internet-connected network devices are logged in a central location for security.


Plain language

This control is about keeping a watchful eye on important activities that happen on your internet-connected devices, like routers and firewalls, by recording these activities in a central place. It's crucial because if you don't keep track of these events, you might miss early signs of a cyber attack, leading to data breaches or service disruptions.

Framework

ASD Information Security Manual (ISM)

Control effect

Detective

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2024

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Security-relevant events for internet-facing network devices are centrally logged.
ASD Information Security Manual (ISM), ISM-1963

Why it matters

Without central logging of internet-facing devices, early signs of attacks can be missed, leading to undetected breaches and significant disruptions.


Operational notes

Forward security events from all internet-facing network devices to a central log platform (e.g., SIEM), validate time sync, and alert on failed logins, config changes and blocked traffic.
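
The three checks named in the operational notes (every device is forwarding, clocks are in sync, and the listed event types raise alerts) can be run over what the central platform has received. The sketch below is an added example, not part of the ISM or of this page; the hostnames, the log line layout, the message patterns and the 120-second skew tolerance are all assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed inventory of internet-facing devices (hypothetical hostnames).
INVENTORY = {"edge-fw-01", "edge-rtr-01", "vpn-gw-01"}
MAX_SKEW = timedelta(seconds=120)  # assumed tolerance: device clock vs collector clock

# Assumed message patterns; real wording differs per vendor and must be tuned.
RULES = {
    "failed_login": re.compile(r"authentication failed|login failed", re.I),
    "config_change": re.compile(r"configuration (changed|committed)", re.I),
    "blocked_traffic": re.compile(r"\b(deny|drop|blocked)\b", re.I),
}

# Constructed sample. Assumed layout per line:
# <collector receive time> <device timestamp> <host> <message>
SAMPLE = """\
2024-08-01T10:00:01Z 2024-08-01T10:00:00Z edge-fw-01 DENY tcp 203.0.113.7:4431 -> 198.51.100.10:22
2024-08-01T10:00:05Z 2024-08-01T10:00:04Z edge-fw-01 login failed for user admin from 203.0.113.7
2024-08-01T10:01:10Z 2024-08-01T09:41:10Z edge-rtr-01 configuration changed by user netops
2024-08-01T10:02:00Z 2024-08-01T10:02:00Z edge-rtr-01 interface ge-0/0/1 up
"""

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def review(lines, inventory=INVENTORY):
    """Return silent devices, devices with clock skew, and (host, rule) alerts."""
    seen, skewed, alerts = set(), set(), []
    for line in lines.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue  # malformed line: not enough fields
        received, stamped, host, msg = parts
        seen.add(host)
        # A large gap between device time and receive time breaks event correlation.
        if abs(parse_ts(received) - parse_ts(stamped)) > MAX_SKEW:
            skewed.add(host)
        for name, pattern in RULES.items():
            if pattern.search(msg):
                alerts.append((host, name))
    # Devices in the inventory that sent nothing are a coverage gap.
    return {"silent": sorted(inventory - seen), "skewed": sorted(skewed), "alerts": alerts}

if __name__ == "__main__":
    print(review(SAMPLE))
```

A device listed under `silent` is the gap this control exists to close: it is internet-facing but nothing from it is reaching the central location.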


Implementation tips

  • The IT team should configure network devices to send logs to a central logging system. They can do this by accessing the device's settings and entering the address of the central logging system, which can be a server or a service dedicated to storing and managing logs.
  • The IT manager should ensure the central logging system is regularly monitored. This can be done by assigning specific staff to review logs daily or using alerts for unusual activities. Ensure the team knows how to identify and react to suspicious activity.
  • System owners should work with the IT team to identify which events need logging. They should make a list of key events (like failed login attempts or configuration changes) and ensure these are tracked. Regular meetings can help fine-tune what events are logged.
  • The IT team should check the logging system's capacity and reliability. They need to make sure the system can store enough data and is protected against cyber threats. They can set up regular tests to ensure it's functioning well.
  • The IT team should implement regular training sessions for staff who use the logging system. This training should focus on how to access the logs, interpret them, and escalate concerns if suspicious activities are noticed.

Audit / evidence tips

  • Ask: The central logging system's configuration records. Request documentation showing setup and settings for logging from internet-facing devices. Good: Should show all critical devices listed and a comprehensive set of events being logged.
  • Ask: To see recent log files or reports. Request a sample of recent logs captured by the central logging system. Good: Shows regular, meaningful logs that match significant network activities.
  • Ask: Incident response procedures. Request the procedures for investigating logged events. Good: Includes well-defined steps and assigned responsibilities for handling different types of events.
  • Ask: Training records. Request documentation of staff training sessions on the logging system. Good: Shows regular training sessions with relevant staff attending.
  • Ask: Log review records. Request records of when the logs were reviewed and by whom. Good: Includes detailed logs of reviews and appropriate follow-ups on any anomalies found.

Cross-framework mappings

How ISM-1963 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control | Notes

Partially meets (1)
Annex A 8.15 | ISM-1963 requires security-relevant events for internet-facing network devices to be centrally logged

Supports (2)
Annex A 8.16 | ISM-1963 requires security-relevant events for internet-facing network devices to be centrally logged
Annex A 8.20 | ISM-1963 requires security-relevant events for internet-facing network devices to be centrally logged

E8

Control | Notes

Partially overlaps (1)
E8-AH-ML2.14 | E8-AH-ML2.14 requires timely analysis of event logs from internet-facing servers to detect cyber security events

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
