Ensure Event Logs Meet Retention Requirements
Event logs must be kept according to the retention rules set by the National Archives of Australia.
Plain language
This control ensures that you keep important event logs—records of what happens in your systems—according to rules from the National Archives of Australia. This is crucial because without these records, you might not be able to investigate issues or respond to incidents, potentially leading to non-compliance with regulations or loss of trust from your customers.
Framework
ASD Information Security Manual (ISM)
Control effect
Responsive
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system monitoring
Section
Event logging and monitoring
Topic
Event Log Retention
Official control statement
Event logs are retained as per minimum retention requirements for various classes of records as set out by the National Archives of Australia's Administrative Functions Disposal Authority Express (AFDA Express) Version 2 publication.
Why it matters
If event logs are not retained to AFDA Express V2 minimum periods, investigations and audits may lack evidence, causing disposal breaches and compliance action.
Operational notes
Regularly confirm log retention periods match AFDA Express V2 record classes, and ensure archived logs are protected, searchable, and retrievable for audits.
Implementation tips
- The IT team should establish a policy that specifies how long different types of event logs must be kept. They can create a document that includes various retention periods as guided by the National Archives of Australia's rules.
- Managers should ensure that the IT team and relevant staff are aware of and understand the log retention policy. This can be done through regular training sessions that explain the importance of retaining logs and how it ties to organisational compliance.
- The IT team should configure all relevant systems to automatically archive logs for the required retention period. They can use system settings that allow logs to be saved securely and ensure they are not deleted prematurely.
- System owners should perform regular checks to ensure that log retention settings are correctly applied. They can do this by reviewing system configurations and retained logs to ensure compliance with the policy.
- Managers should set a schedule for reviewing and updating the log retention policy to keep it in line with any changes in the rules or the organisation's needs. This review can be done annually, with documented updates made as necessary.
Audit / evidence tips
- Ask for the event log retention policy document: Request a copy of the document that outlines how long different logs should be kept.
  Good: detailed retention schedules that comply with national requirements.
- Ask for recent training records on log retention: Request records of any training sessions held for staff about log retention policies.
  Good: would include recent and relevant training with a high participation rate.
- Ask to see system configuration settings for log retention: Request a demonstration of how systems are set up to retain logs.
  Good: successfully applied settings that match the policy.
- Ask for reports that track log retention compliance: Request any reports that show compliance with log retention policies.
  Good: would show regular compliance checks with no significant issues.
- Ask about the log policy review process: Request records or minutes from meetings where log retention policies were reviewed.
  Good: shows recent and thorough reviews leading to updates or confirmations of the policy.
Cross-framework mappings
How ISM-1989 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| Annex A 8.15 | ISM-1989 requires event logs to be retained in line with minimum retention periods defined by the National Archives of Australia (AFDA Ex... | |
| Supports (1) | | |
| Annex A 5.33 | Annex A 5.33 requires records to be protected from loss and destruction, which includes having appropriate retention and preservation arr... | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | | |
| E8-RA-ML2.6 | ISM-1989 requires event logs to be retained according to AFDA Express minimum retention requirements | |
| E8-AH-ML2.11 | ISM-1989 requires event logs to be retained according to AFDA Express minimum retention requirements | |
| Supports (3) | | |
| E8-AC-ML2.6 | ISM-1989 requires event logs to be retained in accordance with AFDA Express minimum retention requirements | |
| E8-MF-ML2.7 | ISM-1989 requires retention of event logs in line with AFDA Express minimum retention requirements | |
| E8-AH-ML2.13 | ISM-1989 requires event logs to be retained for minimum periods as set out in AFDA Express | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.