Timely Analysis of Security Event Logs
Security event logs are reviewed promptly to identify cyber threats.
Plain language
This control is about keeping a close eye on security events by regularly checking the logs of security systems. It's important because if you don't promptly review these logs, you might miss early signs of a cyber threat like hacking or data breaches. Being timely helps you respond quickly, stopping potential security issues before they become major problems.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system monitoring
Section
Event logging and monitoring
Topic
Event Log Monitoring
Official control statement
Event logs from security products are analysed in a timely manner to detect cyber security events.
Why it matters
Delayed analysis of security logs allows cyber threats to escalate, increasing the risk of significant data breaches or system compromises.
Operational notes
Configure SIEM and security tools to alert on suspicious events in near real time, and perform daily log review with escalation and triage procedures.
Implementation tips
- System owners should regularly allocate time to review security event logs. Perhaps spend an hour each week going through recent logs to look for any unusual activity or repeated errors. This helps catch small issues before they grow.
- The IT team should set up automated alerts for the logs to flag any critical or unusual events. Use simple notifications to email or text staff when something doesn’t look right, so they can take a closer look as needed.
- Managers should schedule monthly meetings with IT to discuss trends in logged events. Review whether specific types of alerts are increasing, and decide if any follow-up actions are required.
- HR should ensure training sessions are available for staff on how to identify basic security threats. This helps everyone understand what could be suspicious, making it easier to report issues promptly.
- Have a regular spot check process: IT and security teams could fast-track the review of random selections of logs. This encourages a continuous state of alertness and ensures nothing slips through the cracks.
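The operational notes and the automated-alerts tip above describe a near-real-time alerting and daily triage loop. The following added example (not code from the Control Stack page or from ASD) shows one way to implement that loop over a few constructed security-product events: each event is routed to a recipient per severity level, repeated low-severity events are promoted to an analyst alert, and anything that has waited longer than its assumed review SLA is flagged as overdue. The log layout, SLA values, recipient names and repeat threshold are all assumptions for illustration.

```python
from datetime import datetime, timedelta
# Constructed sample events in a simple "timestamp|product|severity|message"
# form (a hypothetical layout, not any real product's log schema).
SAMPLE_LOG = """\
2026-03-19T08:00:05Z|edr|critical|Ransomware behaviour blocked on WS-042
2026-03-19T08:02:10Z|firewall|low|Outbound SMB denied 10.0.5.7 -> 203.0.113.9:445
2026-03-19T08:02:11Z|firewall|low|Outbound SMB denied 10.0.5.7 -> 203.0.113.9:445
2026-03-19T08:02:12Z|firewall|low|Outbound SMB denied 10.0.5.7 -> 203.0.113.9:445
2026-03-19T08:15:30Z|av|high|Malware quarantined on WS-017
"""

# Assumed triage policy: the maximum time an event may wait for review at each
# level, the recipient defined for that level, and how many identical low
# events are needed before the pattern is promoted to an analyst alert.
REVIEW_SLA = {"critical": timedelta(minutes=15), "high": timedelta(hours=1),
              "low": timedelta(hours=24)}
RECIPIENTS = {"critical": "soc-oncall", "high": "soc-analyst", "low": "daily-review"}
REPEAT_THRESHOLD = 3

def parse_iso(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def parse(text):
    """Split the pipe-delimited sample into event dicts with aware timestamps."""
    events = []
    for line in text.splitlines():
        ts, product, severity, msg = line.split("|", 3)
        events.append({"ts": parse_iso(ts), "product": product,
                       "severity": severity, "msg": msg})
    return events

def triage(events, now):
    """Route each event to a recipient and flag those whose review SLA has lapsed."""
    counts, alerts = {}, []
    for ev in events:
        severity = ev["severity"]
        key = (ev["product"], ev["msg"])
        counts[key] = counts.get(key, 0) + 1
        if severity == "low" and counts[key] > REPEAT_THRESHOLD:
            continue            # already promoted; do not re-alert the same pattern
        if severity == "low" and counts[key] == REPEAT_THRESHOLD:
            severity = "high"   # repeated denials: promote out of the daily batch
        alerts.append({"severity": severity, "recipient": RECIPIENTS[severity],
                       "overdue": now - ev["ts"] > REVIEW_SLA[severity],
                       "msg": ev["msg"]})
    return alerts

def run_sample(now_iso):
    """Triage the constructed sample as of the given review time."""
    return triage(parse(SAMPLE_LOG), parse_iso(now_iso))
```

Running `run_sample("2026-03-19T08:30:00Z")` reports the critical EDR event as overdue (reviewed 30 minutes after it fired against a 15-minute SLA), which is exactly the gap a timely-analysis control is meant to expose.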
Audit / evidence tips
- Ask for a sample security log review record: request to see a recent report of the logs that were reviewed.
  Good: the report should clearly list all logs reviewed, highlight any incidents, and indicate follow-up actions.
- Good: documented alerts should have clear thresholds and defined recipients for each alert level.
- Ask for minutes from the monthly meeting discussions: check notes from these meetings to see how log trends were discussed and decisions made.
  Good: meeting minutes should show proactive discussion on trends and specify any actions or changes implemented.
- Good: attendance logs paired with training materials show comprehensive coverage of relevant topics and good staff participation.
- Ask for examples of spot check reviews: check how spot checks are conducted and their outcomes documented.
  Good: records should demonstrate regular spot check operations, with detail on findings and subsequent security actions.
Cross-framework mappings
How ISM-1987 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.15 | ISM-1987 requires event logs from security products to be analysed in a timely manner to detect cyber security events |
| Partially overlaps | Annex A 8.16 | ISM-1987 requires timely analysis of event logs from security products to detect cyber security events |
| Supports | Annex A 5.7 | Annex A 5.7 requires organisations to collect and analyse information about information security threats to produce actionable threat int... |
E8
| Relationship | Number of mapped controls |
|---|---|
| Partially meets | 1 |
| Partially overlaps | 4 |
| Supports | 1 |
| Related | 5 |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.