ISM-1989 ASD Information Security Manual (ISM)

Ensure Event Logs Meet Retention Requirements

Event logs must be kept according to the retention rules set by the National Archives of Australia.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Responsive

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Nov 2024

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
Event logs are retained as per minimum retention requirements for various classes of records as set out by the National Archives of Australia's Administrative Functions Disposal Authority Express (AFDA Express) Version 2 publication.

Source: ASD Information Security Manual (ISM)

Plain language

This control ensures that you keep important event logs—records of what happens in your systems—according to rules from the National Archives of Australia. This is crucial because without these records, you might not be able to investigate issues or respond to incidents, potentially leading to non-compliance with regulations or loss of trust from your customers.

Why it matters

If event logs are not retained to AFDA Express V2 minimum periods, investigations and audits may lack evidence, causing disposal breaches and compliance action.

Operational notes

Regularly confirm log retention periods match AFDA Express V2 record classes, and ensure archived logs are protected, searchable, and retrievable for audits.

Implementation tips

  • The IT team should establish a policy that specifies how long different types of event logs must be kept. They can create a document that includes various retention periods as guided by the National Archives of Australia's rules.
  • Managers should ensure that the IT team and relevant staff are aware of and understand the log retention policy. This can be done through regular training sessions that explain the importance of retaining logs and how it ties to organisational compliance.
  • The IT team should configure all relevant systems to automatically archive logs for the required retention period. They can use system settings that allow logs to be saved securely and ensure they are not deleted prematurely.
  • System owners should perform regular checks to ensure that log retention settings are correctly applied. They can do this by reviewing system configurations and retained logs to ensure compliance with the policy.
  • Managers should set a schedule for reviewing and updating the log retention policy to keep it in line with any changes in the rules or the organisation's needs. This review can be done annually, with documented updates made as necessary.

Audit / evidence tips

  • Ask for the event log retention policy document: request a copy of the document that outlines how long different logs should be kept.

    Good: detailed retention schedules that comply with national requirements.

  • Ask for recent training records on log retention: request records of any training sessions held for staff about log retention policies.

    Good: recent and relevant training with a high participation rate.

  • Ask to see system configuration settings for log retention: request a demonstration of how systems are set up to retain logs.

    Good: successfully applied settings that match the policy.

  • Ask for reports that track log retention compliance: request any reports that show compliance with log retention policies.

    Good: regular compliance checks with no significant issues.

  • Ask about the log policy review process: request records or minutes from meetings where log retention policies were reviewed.

    Good: recent and thorough reviews leading to updates or confirmations of the policy.

Cross-framework mappings

How ISM-1989 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially overlaps (1)

  • Annex A 8.15: ISM-1989 requires event logs to be retained in line with minimum retention periods defined by the National Archives of Australia (AFDA Ex...

Supports (1)

  • Annex A 5.33: Annex A 5.33 requires records to be protected from loss and destruction, which includes having appropriate retention and preservation arr...

E8

Partially overlaps (2)

  • E8-RA-ML2.6: ISM-1989 requires event logs to be retained according to AFDA Express minimum retention requirements
  • E8-AH-ML2.11: ISM-1989 requires event logs to be retained according to AFDA Express minimum retention requirements

Supports (3)

  • E8-AC-ML2.6: ISM-1989 requires event logs to be retained in accordance with AFDA Express minimum retention requirements
  • E8-MF-ML2.7: ISM-1989 requires retention of event logs in line with AFDA Express minimum retention requirements
  • E8-AH-ML2.13: ISM-1989 requires event logs to be retained for minimum periods as set out in AFDA Express
