Ensure Encryption of Event Logs in Transit
Event logs must be encrypted when being sent to a central system to protect sensitive information.
Plain language
When your business sends event logs, which track what happens on your systems, to a central location for review, you need to make sure they are sent securely. This is important because if these logs are intercepted, sensitive information could be exposed, leaving your company vulnerable to cyber attacks or data breaches.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system monitoring
Section
Event logging and monitoring
Official control statement
Event logs sent to a centralised event logging facility are encrypted in transit.
Why it matters
If event logs are sent without encryption, attackers can intercept or alter them, exposing sensitive details and undermining incident detection.
Operational notes
Enforce TLS for log forwarding, validate certificates, and alert on any plaintext syslog/log traffic to the central logging facility.
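One way to implement the plaintext alert described above, as an added example that is not part of the ISM or of this page's source: a classifier over the first client-to-server bytes of each flow to the collector, as a network sensor would capture them. The flow tuples, addresses and function names are constructed for illustration.

```python
import re

# RFC 3164/5424 messages start with "<PRI>"; RFC 6587 octet-counted framing
# puts "<length> " in front of that. PRI is at most 191 (facility 23, severity 7).
_SYSLOG_START = re.compile(rb"^(?:\d{1,7} )?<(\d{1,3})>")


def classify_first_bytes(payload: bytes) -> str:
    """Classify the first client-to-server bytes of a flow to the collector."""
    # TLS record header: type 0x16 (handshake), version 0x03 0x00-0x04,
    # 2-byte length; the first handshake message must be ClientHello (0x01).
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01):
        return "tls"
    match = _SYSLOG_START.match(payload)
    if match and int(match.group(1)) <= 191:
        return "plaintext-syslog"
    return "unknown"


def non_tls_flows(flows):
    """Return (source, port, verdict) for every flow that did not open with TLS."""
    alerts = []
    for source, port, first_bytes in flows:
        verdict = classify_first_bytes(first_bytes)
        if verdict != "tls":
            alerts.append((source, port, verdict))
    return alerts


# Constructed sample flows: (source address, collector port, first payload bytes).
SAMPLE_FLOWS = [
    ("192.0.2.10", 6514, bytes.fromhex("16030100c8010000c40303") + bytes(32)),
    ("192.0.2.11", 514, b"<34>1 2024-11-01T10:00:00Z host1 sshd 812 - - Failed password"),
    ("192.0.2.12", 601, b"61 <165>1 2024-11-01T10:00:01Z host2 app 99 - - config changed"),
    ("192.0.2.13", 6514, b'{"event": "login", "user": "alice"}'),
]

if __name__ == "__main__":
    for alert in non_tls_flows(SAMPLE_FLOWS):
        print("ALERT non-TLS log flow:", alert)
```

An "unknown" verdict still means the flow did not open with a TLS handshake, so it is reported for review alongside confirmed plaintext syslog.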
Implementation tips
- The IT team should configure encryption for event logs in transit. To do this, they can use secure protocols like TLS (Transport Layer Security) when setting up systems that send logs to the central logging facility. This ensures that data is protected during its journey across networks.
- System owners should work with the IT team to review current logging practices. They should list all systems that send logs and verify that encryption is applied consistently. This might involve checking server settings or reviewing documentation from software providers to understand encryption capabilities.
- Managers should ensure staff are aware of the importance of encrypting logs. Hold a short briefing to explain what event logs are, why they contain sensitive information, and how encryption keeps the business safe. Use non-technical language and real-world examples to make it clear.
- Procurement officers should ensure that any new systems purchased have built-in support for encrypted log transmissions. They should request documentation from vendors confirming this capability and discuss it during procurement meetings to avoid acquiring non-compliant systems.
- The IT lead should periodically test encrypted log transmissions. They can use tools to check that event logs are indeed encrypted during transit, and to verify that any flaws in configuration are identified and corrected promptly. Regular test reports should be kept as part of the security records.
Audit / evidence tips
- Ask for protocols and configurations: Request detailed documentation showing how event logs are encrypted in transit.
  Good: includes clear, dated records showing encryption is set up and active.
- Ask for a log of encryption tests: Review reports of any tests conducted to check the encryption of logs.
- Ask for staff training records: Review any materials or schedules used to educate staff about log encryption.
- Ask for procurement meeting minutes: Check discussions about encryption capabilities of newly acquired systems.
  Good: includes documented decisions where encryption features are confirmed.
- Ask for vendor compliance documentation: Request compliance certificates or statements from vendors proving that their systems support encrypted log transmissions.
  Good: includes verified authenticity and conformity to encryption standards.
Cross-framework mappings
How ISM-1984 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.24 | ISM-1984 requires a specific cryptographic use case: encrypt event log traffic while it is in transit to a centralised logging facility | |
| Supports (3) | | |
| Annex A 5.28 | ISM-1984 requires event logs to be encrypted in transit to a centralised logging facility, helping preserve the integrity and confidentia... | |
| Annex A 8.15 | ISM-1984 requires that event logs forwarded to a centralised event logging facility are encrypted in transit to protect them against inte... | |
| Annex A 8.20 | ISM-1984 requires encryption in transit for event logs sent over networks to a centralised event logging facility, directly reducing the ... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.