Ensure Event Logs Are Retained for 12 Months
Keep event logs searchable and accessible for at least 12 months to help in audits or investigations.
Plain language
Keeping digital event logs for at least 12 months means that any records of activities on your computer systems remain accessible for a year, helping you to look into any suspicious behaviour or satisfy regulatory checks. If you don't keep these logs, you might miss critical clues needed to investigate a problem or prove compliance.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system monitoring
Section
Event logging and monitoring
Topic
Event Log Retention
Official control statement
Event logs are retained in a searchable manner for at least 12 months.
Why it matters
Without 12-month log retention, critical incident traces can be lost, hampering investigations and regulatory compliance efforts.
Operational notes
Configure systems to retain searchable event logs for 12 months; periodically test log search and verify retention settings to support investigations and audits.
Implementation tips
- The IT team should ensure that the system settings are configured to retain event logs for 12 months. They can do this by adjusting the log settings in server management tools to store records for the required time period.
- Managers should coordinate with the IT team to review and verify the retention settings regularly. This can be done by adding a monthly check on their calendar to compare current retention settings against policy requirements.
- System administrators should back up event logs securely. They can schedule automatic back-ups to a secure location, like an on-site server or a cloud service, ensuring backup copies are also kept for 12 months.
- Business owners should ensure there is a documented policy for log retention. They should collaborate with IT to draft a clear policy document that outlines the retention period and reasons for it.
- Compliance officers should conduct quarterly reviews to verify log retention practices. They can hold meetings with IT staff to discuss and inspect logs, ensuring logs from at least 12 months ago remain accessible.
Audit / evidence tips
- Ask: the log retention policy document. Request the policy that details how long logs are kept and where they are stored. Look to ensure it specifies a minimum of 12 months retention.
  Good: includes a clear policy with details consistent with actual retention practices
- Ask: a demonstration of log retrieval from 12 months ago. Request to see logs from a year ago being accessed or retrieved.
  Good: shows the log data being retrieved swiftly and accurately without errors
- Ask: IT maintenance records. Request records of any evaluations or changes to log retention settings.
  Good: includes recent records showing checks were done and issues addressed
- Ask: backup records of event logs. Request documentation showing regular backups of event logs.
  Good: includes clear, regular logs being backed up to a safe location
- Ask: evidence of quarterly review meetings. Request notes or minutes from meetings about log reviews.
  Good: shows consistent meetings with clear actions or decisions recorded
Cross-framework mappings
How ISM-1988 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.15 | ISM-1988 requires event logs to be retained in a searchable manner for at least 12 months | |
| Supports (1) | | |
| Annex A 5.28 | ISM-1988 requires event logs to be retained in a searchable manner for at least 12 months | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.