ISM-1976, ASD Information Security Manual (ISM)

Central Logging of Security Events on macOS

Ensure security events on macOS systems are logged centrally for monitoring.

Plain language

This control means that important security-related activities on your Apple computers (macOS) should be reported to a central location so they can be closely watched. This is vital because if these activities are not tracked, you might miss signs of a cyber attack, which could lead to data loss or damage to your reputation.

Framework

ASD Information Security Manual (ISM)

Control effect

Detective

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2024

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Security-relevant events for Apple macOS operating systems are centrally logged.
ASD Information Security Manual (ISM), ISM-1976

Why it matters

Without central logging of macOS security events, threats may go unnoticed, leading to potential breaches and data theft.

Operational notes

Regularly confirm macOS security logs are forwarded to the central log server/SIEM; investigate gaps, failed forwarding, and time sync issues promptly.

Implementation tips

  • The IT team should set up a logging system: They need to find software that can collect security-related information from all macOS computers. This can be done by installing a central logging tool that gathers logs and sends them to a secure location for monitoring.
  • The IT manager should ensure compliance: They need to establish policies that require all macOS devices in the organisation to participate in central logging. This involves communicating the importance of logging to all users and ensuring they follow the policy.
  • The system administrator should configure macOS devices: They need to set up each device to ensure it sends the correct logs to the central server. This could involve changing settings in macOS to enable and direct logs as needed.
  • The security team should routinely check logs: They need to regularly review the logs collected in the central server to spot any unusual activity. This can be done using tools that highlight suspicious behaviour or patterns.
  • The procurement team should select appropriate software: They need to purchase or subscribe to a reliable logging and monitoring solution that suits the organisation’s needs. This involves researching options, getting quotes, and discussing needs with the IT team.

Audit / evidence tips

  • Ask: The central logging policy document: Request to see the policy that states all macOS devices must log security events centrally. Good: A recent policy document shared with all relevant staff.
  • Ask: A sample of recent logs: Request logs from the central logging system for a specified recent period. Good: Logs that include timestamps, device IDs, and event details.
  • Ask: The list of monitoring tools used: Request a list of software and tools used for central logging and monitoring. Good: A comprehensive list with information on deployment and current usage.
  • Ask: Access review reports: Request reports showing reviews of the central logging access permissions. Good: A report showing limited access to authorised personnel only.
  • Ask: Evidence of security training: Request records or schedules of training provided to staff about the importance of central logging. Good: Training logs showing recent sessions attended by IT and security teams.

Cross-framework mappings

How ISM-1976 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

  • Control: Annex A 8.16. Notes: ISM-1976 requires security-relevant events for Apple macOS operating systems to be centrally logged.

Supports (1)

  • Control: Annex A 5.28. Notes: ISM-1976 requires security-relevant events on macOS to be centrally logged, improving availability and consistency of audit trails.

E8

  • Partially overlaps (5)
  • Supports (2)

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
