Protect Event Logs from Unauthorised Access
Ensure that only authorised individuals can view or access event logs.
Plain language
Protecting event logs means keeping a close eye on who can see or change the digital records of what happens in your systems. If unauthorised people access these logs, they could cover up harmful activities or misuse sensitive information, leading to trust issues and potential harm to your business.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system monitoring
Section
Event logging and monitoring
Official control statement
Event logs are protected from unauthorised access.
Why it matters
If event logs are not protected, attackers can alter or delete entries to hide activity, undermining investigations and causing reputational damage.
Operational notes
Audit and restrict event log access (read/export/delete) to approved roles only, and regularly review permissions to detect and remove unauthorised access.
Implementation tips
- System administrators should set up permissions to make sure only certain trusted staff can view or manage event logs. Do this by using the system's built-in tools to create accounts with the right level of access, ensuring only those who need to see these logs can do so.
- A good way to do this is by asking for and reviewing a list of authorised users and seeing how it matches up with current team members. Update this list promptly if there are staff changes.
- IT teams should encrypt event logs, which means coding them in a way that only permitted users can read or change the information. Use encryption features provided in security software to ensure data is protected from prying eyes.
- Business owners should invest in training so staff understand the importance of protecting event logs. Organise regular training sessions to remind everyone of the risks and teach them how to handle logs safely.
- Regularly audit or review event log access by asking an external consultant for an unbiased security check-up. This can help spot any unauthorised access early and ensure that your systems are as safe as possible from potential threats.
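One way to run the permission check and the access-list review described above, as an added example that is not part of the ISM or of this page. It assumes logs are plain files under POSIX permissions; the function names, account names and sample files are hypothetical and constructed for illustration.

```python
import os
import stat
import tempfile

def audit_log_files(log_dir, approved_uids, approved_gids):
    """Return (path, issue) pairs for log files accessible outside the approved set."""
    findings = []
    for root, _dirs, files in os.walk(log_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            st = os.lstat(path)  # lstat: judge the entry itself, not a symlink target
            mode = stat.S_IMODE(st.st_mode)
            if st.st_uid not in approved_uids:
                findings.append((path, "owner not approved"))
            if mode & (stat.S_IRGRP | stat.S_IWGRP) and st.st_gid not in approved_gids:
                findings.append((path, "group access for unapproved group"))
            if mode & stat.S_IROTH:
                findings.append((path, "world-readable"))
            if mode & stat.S_IWOTH:
                findings.append((path, "world-writable"))
    return findings

def review_access_list(granted, current_staff, approved):
    """Compare accounts holding log access with the staff roster and the approved list."""
    granted, current_staff, approved = set(granted), set(current_staff), set(approved)
    return {
        "departed": sorted(granted - current_staff),  # access kept after leaving
        "unapproved": sorted((granted & current_staff) - approved),  # never approved
    }

def demo():
    """Constructed sample: three log files with different modes in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("auth.log", 0o640), ("app.log", 0o644), ("debug.log", 0o666)):
            path = os.path.join(d, name)
            with open(path, "w") as fh:
                fh.write("constructed sample entry\n")
            os.chmod(path, mode)
        uid, gid = os.geteuid(), os.stat(d).st_gid
        files = [(os.path.basename(p), i) for p, i in audit_log_files(d, {uid}, {gid})]
    people = review_access_list(granted=["alice", "bob", "carol"],
                                current_staff=["alice", "carol", "dave"],
                                approved=["alice"])
    return files, people

if __name__ == "__main__":
    print(demo())
```

Deleting a file is governed by write permission on its parent directory, so the directory's mode and ownership need the same review as the files.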
Audit / evidence tips
- Ask for the user access list: Request the list of all users who have permission to access event logs. Good: the list is up-to-date and matches current roles in the organisation.
- Ask to see the log configuration settings: Search for evidence that only authorised staff have permissions to access these settings. Good evidence includes documentation showing explicitly who has been granted these permissions and why.
- Ask for the training records on log security: Review documents or certifications indicating staff have completed training. Good: all relevant staff have current training records.
- Ask for the encryption status of event logs: Request documentation that proves logs are being encrypted. Good: clear evidence that encryption is active and consistently applied.
- Ask to review any recent security audits: Examine the results, particularly noting any findings about log security. Good: includes timely response actions and resolved security concerns.
Cross-framework mappings
How ISM-1985 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (3) | | |
| Annex A 5.15 | ISM-1985 requires restricting who can access event logs to authorised individuals | |
| Annex A 8.3 | ISM-1985 requires event logs to be protected from unauthorised access | |
| Annex A 8.15 | ISM-1985 requires that event logs are protected from unauthorised access | |
| Related (1) | | |
| Annex A 5.33 | Annex A 5.33 requires records to be protected from loss, destruction, falsification, unauthorised access and unauthorised release | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| E8-AH-ML2.13 | E8-AH-ML2.13 requires event logs to be protected from unauthorised modification and deletion | |
| Partially overlaps (2) | | |
| E8-AC-ML2.6 | E8-AC-ML2.6 requires event logs to be protected from unauthorised modification and deletion, focusing on preventing tampering and removal | |
| E8-RA-ML2.8 | E8-RA-ML2.8 requires event logs to be protected from unauthorised modification and deletion | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.