ISM-1985 ASD Information Security Manual (ISM)

Protect Event Logs from Unauthorised Access

Ensure that only authorised individuals can view or access event logs.


Plain language

Protecting event logs means keeping a close eye on who can see or change the digital records of what happens in your systems. If unauthorised people access these logs, they could cover up harmful activities or misuse sensitive information, leading to trust issues and potential harm to your business.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2024

Control Stack last updated

19 May 2026

E8 maturity levels

N/A

Official control statement

Event logs are protected from unauthorised access.
ASD Information Security Manual (ISM) ISM-1985

Why it matters

If event logs are not protected, attackers can alter or delete entries to hide activity, undermining investigations and causing reputational damage.


Operational notes

Audit and restrict event log access (read/export/delete) to approved roles only, and regularly review permissions to detect and remove unauthorised access.


Implementation tips

  • System administrators should set up permissions to make sure only certain trusted staff can view or manage event logs. Do this by using the system's built-in tools to create accounts with the right level of access, ensuring only those who need to see these logs can do so.
  • IT teams should encrypt event logs, which means encoding them so that only permitted users can read or change the information. Use the encryption features provided in security software to keep the data protected from prying eyes.
  • Business owners should invest in training so staff understand the importance of protecting event logs. Organise regular training sessions to remind everyone of the risks and teach them how to handle logs safely.
  • Regularly audit or review event log access by asking an external consultant for an unbiased security check-up. This can help spot any unauthorised access early and ensure that your systems are as safe as possible from potential threats.

Audit / evidence tips

  • Ask: The user access list: Request the list of all users who have permission to access event logs. Good: The list is up-to-date and matches current roles in the organisation.
  • Ask: To see the log configuration settings: Search for evidence that only authorised staff have permissions to access these settings. Good evidence includes documentation showing explicitly who has been granted these permissions and why.
  • Ask: The training records on log security: Review documents or certifications indicating staff have completed training. Good: All relevant staff have current training records.
  • Ask: The encryption status of event logs: Request documentation that proves logs are being encrypted. Good: Clear evidence that encryption is active and consistently applied.
  • Ask: To review any recent security audits: Examine the results, particularly noting any findings about log security. Good: Includes timely response actions and resolved security concerns.

Cross-framework mappings

How ISM-1985 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control | Notes

Partially meets (3)
Annex A 5.15 | ISM-1985 requires restricting who can access event logs to authorised individuals
Annex A 8.3 | ISM-1985 requires event logs to be protected from unauthorised access
Annex A 8.15 | ISM-1985 requires that event logs are protected from unauthorised access

Related (1)
Annex A 5.33 | Annex A 5.33 requires records to be protected from loss, destruction, falsification, unauthorised access and unauthorised release

E8

Control | Notes

Partially meets (1)
E8-AH-ML2.13 | E8-AH-ML2.13 requires event logs to be protected from unauthorised modification and deletion

Partially overlaps (2)
E8-AC-ML2.6 | E8-AC-ML2.6 requires event logs to be protected from unauthorised modification and deletion, focusing on preventing tampering and removal
E8-RA-ML2.8 | E8-RA-ML2.8 requires event logs to be protected from unauthorised modification and deletion

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
