ISM-2015 policy ASD Information Security Manual (ISM)

Central Logging of Non-Internet Network API Data Access

Internal (non-internet) network API calls that change data, or that access data not approved for public release, must be logged centrally.


Plain language

This control means that any time data is changed or accessed through a company's internal systems (not over the internet), these actions need to be recorded centrally. It matters because without keeping track of who accesses or changes important data, a business could be vulnerable to data tampering or breaches, possibly resulting in loss of trust, revenue, or legal issues.

Framework

ASD Information Security Manual (ISM)

Control effect

Detective

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Network API calls that facilitate modification of data, or access to data not authorised for release into the public domain, but are not accessible over the internet, are centrally logged.

Why it matters

Without central logging of internal (non-internet) API calls that access or modify non-public data, unauthorised access or changes may go undetected, harming integrity and compliance.


Operational notes

Ensure internal (non-internet) APIs log centrally: caller identity, endpoint, timestamp and action (read/modify). Review logs and alert on unusual access to non-public data.
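The operational note above names the fields to capture and the review step. As an added example (not part of the control page or any vendor product), the following Python sketch builds one central log record per internal API call, skips only read access to public data, and then runs a simple baseline review over constructed sample traffic. The endpoint classification, caller names and baseline are all assumptions made for the illustration.

```python
from datetime import datetime, timezone

# Hypothetical endpoint classification (an assumption for this example):
# True = data not authorised for release into the public domain.
NON_PUBLIC_ENDPOINTS = {"/internal/payroll": True, "/internal/office-hours": False}
MODIFYING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def api_log_record(caller, endpoint, method, ts=None):
    """Build the central log record for one internal API call.

    Returns None only for read access to public data, which the control does
    not require to be logged; every modification, and every read of non-public
    data, yields a record with caller identity, endpoint, timestamp and action.
    Unknown endpoints are treated as non-public (fail closed)."""
    action = "modify" if method.upper() in MODIFYING_METHODS else "read"
    non_public = NON_PUBLIC_ENDPOINTS.get(endpoint, True)
    if action == "read" and not non_public:
        return None
    ts = ts or datetime.now(timezone.utc)
    return {"ts": ts.isoformat(), "caller": caller, "endpoint": endpoint,
            "action": action, "non_public": non_public}


def unusual_access(records, baseline):
    """Review step: flag callers outside the per-endpoint baseline that read or
    modified non-public data. baseline maps endpoint -> set of expected callers."""
    return [(r["caller"], r["endpoint"], r["action"]) for r in records
            if r["non_public"] and r["caller"] not in baseline.get(r["endpoint"], set())]


def demo():
    """Constructed sample traffic; returns (logged records, alerts raised)."""
    t0 = datetime(2025, 2, 3, 9, 0, tzinfo=timezone.utc)
    calls = [("svc-hr", "/internal/payroll", "GET"),         # expected reader
             ("svc-hr", "/internal/payroll", "PATCH"),       # expected modifier
             ("intern-laptop", "/internal/payroll", "GET"),  # unexpected reader
             ("anyone", "/internal/office-hours", "GET"),    # public read: not logged
             ("anyone", "/internal/office-hours", "POST")]   # modification: logged
    records = []
    for caller, endpoint, method in calls:
        rec = api_log_record(caller, endpoint, method, t0)
        if rec is not None:
            records.append(rec)
    baseline = {"/internal/payroll": {"svc-hr"}}
    return records, unusual_access(records, baseline)


if __name__ == "__main__":
    records, alerts = demo()
    for rec in records:
        print(rec)
    print("alerts:", alerts)
```

In a real deployment the records would be shipped to the central log store rather than kept in memory, and the baseline would come from observed history or an access-control list rather than a literal.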


Implementation tips

  • The IT team should set up a logging system to capture all internal data access and changes through network APIs. This can be done by configuring the server to automatically record details of every transaction involving data that isn't meant for public access.
  • Business owners should discuss with their IT team the types of sensitive data in their network that need monitoring. They can identify critical data points by listing information that should not be public and ensuring they are logged effectively.
  • Office managers should ensure staff understand the importance of logging these internal activities. This can be facilitated through training sessions that explain how improper access or changes could impact the business.
  • HR should help maintain awareness about data access policies by including logging practices in company policy manuals. This involves updating the employee handbook to include why and how data access activities are logged.
  • System administrators should regularly review the central logs to spot unusual access patterns or unauthorised changes. They should be trained to look for anomalies and report them promptly to prevent any potential issues.

Audit / evidence tips

  • Ask: Recent central logs. Request access logs for internal systems over the past month; look to see if all API accesses are recorded, noting time, user, and specific action taken. Good: Contains complete records without gaps, showing consistent monitoring.
  • Ask: Logging policy documentation. Request the document outlining the logging process for internal data accesses. Good: Clearly lists all types of accesses that require logging and aligns with internal data security policies.
  • Ask: Staff training records related to data logging. Request training attendance sheets or materials from recent sessions. Good: Includes proof that staff involved with APIs understand the importance of logging.
  • Ask: A demonstration of the logging system. Request a live demonstration of how logging is set up and monitored; look to see the system in action and ensure it automatically captures all specified data transactions. Good: Shows a fully operational system that captures logs in real time.
  • Ask: A list of identified anomalies and response actions. Request records showing how anomalies in logs were addressed. Good: Shows documented follow-up on all identified issues, demonstrating an active management approach.

Cross-framework mappings

How ISM-2015 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)
  • Annex A 8.15: ISM-2015 mandates central logging for specific data-affecting non-internet API calls

Supports (1)
  • Annex A 8.16: ISM-2015 mandates central logging of non-internet API calls that modify or access sensitive data

E8

Supports (2)
  • E8-AC-ML2.6: ISM-2015 requires central logging of non-internet network API calls that modify data or access non-public data
  • E8-MF-ML2.7: ISM-2015 requires central logging of non-internet network API calls involving data modification or access to non-public data

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
