ISM-1986 policy ASD Information Security Manual (ISM)

Timely Analysis of Critical Server Event Logs

Event logs from important servers are quickly reviewed to find security issues.


Plain language

This control is about keeping a close eye on event logs from your important servers to quickly spot any signs of trouble. If you don't regularly check these logs, you might miss early signs of a cyber attack, which could lead to data loss or business disruption.

Framework

ASD Information Security Manual (ISM)

Control effect

Detective

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2024

Control Stack last updated

19 May 2026

E8 maturity levels

N/A

Official control statement

Event logs from critical servers are analysed in a timely manner to detect cyber security events.

Why it matters

If critical server event logs are not analysed promptly, intrusions and misuse may go undetected, leading to data compromise and service outages.


Operational notes

Analyse critical server event logs daily (within 24 hours) via a SIEM; investigate anomalies and escalate suspected incidents immediately.


Implementation tips

  • System owners should appoint a person or team responsible for log review. This could be an IT professional or an external service provider who is familiar with your server operations. Make sure they know what normal log entries look like so they can spot anything unusual.
  • The IT team should establish a schedule for checking event logs, ideally daily or weekly. Use clear, straightforward steps to go through the logs to identify any signs that may indicate a security incident, like unexpected changes or access attempts.
  • Business leaders should set aside time for regular training on how to interpret event logs. This can involve quick workshops or online courses to make sure everyone involved understands what to look for and how to respond to potential issues.
  • IT teams should create a standard procedure for when unusual activity is detected in logs. This should detail steps on how to report and who to notify, ensuring quick escalation and resolution to minimise potential damage.
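As an added example (not part of the Control Stack page, the ISM, or any vendor's tooling), the following Python script shows one way to implement the operational note above: it parses constructed, syslog-style lines from a hypothetical critical server, counts events that have sat unreviewed beyond the 24-hour window at the time of review, and raises findings for the kinds of anomalies the tips mention (unexpected access attempts and unexpected changes). The hostname, addresses, the APPROVED_SUDOERS set, the failed-login threshold, and the review time are all assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample lines in a syslog-like layout (not real server data).
# Timestamps are ISO 8601 UTC so the review-window arithmetic is unambiguous.
SAMPLE_LOG = """\
2024-11-03T01:12:04Z db01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2024-11-03T01:12:09Z db01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
2024-11-03T01:12:15Z db01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
2024-11-03T01:12:21Z db01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51025 ssh2
2024-11-03T01:12:27Z db01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51026 ssh2
2024-11-03T08:30:00Z db01 sshd[2450]: Accepted publickey for dba from 198.51.100.12 port 40012 ssh2
2024-11-03T08:31:10Z db01 sudo: dba : TTY=pts/0 ; PWD=/home/dba ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql
2024-11-03T14:05:33Z db01 useradd[2899]: new user: name=svc-backup2, UID=1007, GID=1007, home=/home/svc-backup2, shell=/bin/bash
2024-11-03T14:06:01Z db01 sudo: svc-backup2 : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
"""

# Assumed review parameters for the example: the review runs at REVIEW_TIME,
# anything older than REVIEW_WINDOW at that point has missed the 24-hour target.
REVIEW_TIME = datetime(2024, 11, 4, 10, 0, tzinfo=timezone.utc)
REVIEW_WINDOW = timedelta(hours=24)
FAILED_LOGIN_THRESHOLD = 5
# Accounts expected to use sudo on this host (assumption for the example).
APPROVED_SUDOERS = {"dba"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>[^:\[]+)(?:\[\d+\])?:\s+(?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*USER=root ; COMMAND=(?P<cmd>.*)$")
USERADD_RE = re.compile(r"new user: name=(?P<user>[^,]+)")


def parse(text):
    """Split log text into event dicts; lines that do not fit the layout are returned separately."""
    events, unparsed = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        d["proc"] = d["proc"].strip()
        events.append(d)
    return events, unparsed


def overdue_events(events, now):
    """Events that were already older than the review window when the review ran."""
    return [e for e in events if now - e["ts"] > REVIEW_WINDOW]


def detect(events):
    """Flag the anomaly patterns the control text calls out: access attempts and unexpected changes."""
    findings = []
    failed = Counter()  # (host, source address) -> failed login count
    for e in events:
        if e["proc"] == "sshd":
            m = FAILED_RE.search(e["msg"])
            if m:
                failed[(e["host"], m["src"])] += 1
        elif e["proc"] == "sudo":
            m = SUDO_RE.match(e["msg"])
            if m and m["user"] not in APPROVED_SUDOERS:
                findings.append(("unapproved-sudo", e["host"], m["user"], m["cmd"]))
        elif e["proc"] == "useradd":
            m = USERADD_RE.search(e["msg"])
            if m:
                findings.append(("account-created", e["host"], m["user"]))
    for (host, src), n in failed.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(("failed-login-burst", host, src, n))
    return findings


def review(text, now=REVIEW_TIME):
    """Produce the summary a log reviewer would record: volume, parse failures, timeliness, findings."""
    events, unparsed = parse(text)
    return {
        "events": len(events),
        "unparsed": len(unparsed),
        "overdue": len(overdue_events(events, now)),
        "findings": detect(events),
    }


if __name__ == "__main__":
    report = review(SAMPLE_LOG)
    print(f"{report['events']} events parsed, {report['unparsed']} unparsed, "
          f"{report['overdue']} already past the 24-hour review window")
    for f in report["findings"]:
        print("FINDING:", *f)
```

The "overdue" count is the evidence an auditor asking for the review schedule (see the audit tips below) actually cares about: with the constructed review time, seven of the nine events were already more than 24 hours old when the review ran, which is exactly the lag this control is meant to prevent. The three findings (a burst of failed logins from one address, a newly created account, and that account immediately using sudo to get a root shell) are the sort of items the escalation procedure in the last tip should cover.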

Audit / evidence tips

  • Ask for the log review schedule document: request to see the documented schedule for regular event log checks. Good evidence is a readable schedule with specific dates, times, and names.
  • Ask for evidence of alert handling: request to see examples of alerts that were acted upon from log reviews. Good evidence is a folder of incidents with resolution notes and dates.
  • Ask for the list of approved log review tools: request documentation that lists the software used for log reviews. Good evidence is a list of tools with their features, setup guides, and an assessment of their effectiveness.
  • Ask for training records: request any records or logs of training sessions held for staff involved in log monitoring. Good evidence includes detailed attendance records and a summary of topics covered.
  • Ask for escalation procedures: request the procedure document for responding to anomalies found in logs. Good evidence contains a flowchart or step-by-step instructions with contact names and numbers.

Cross-framework mappings

How ISM-1986 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

  • Annex A 8.15: ISM-1986 requires event logs from critical servers to be analysed in a timely manner to detect cyber security events.

E8

  • Partially overlaps (11)
  • Supports (1)
  • Related (3)

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
