Ensure Event Logs for Cybersecurity Event Detection
Software should create logs to help detect security incidents.
Plain language
Software should automatically keep a record of important activities and events. This is crucial because if something goes wrong, like a cyberattack or data breach, these logs can help us understand what happened and how to fix it.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for software development
Official control statement
Software generates sufficient event logs to support the detection of cyber security events.
Why it matters
If software does not generate sufficient event logs, cyber security events may not be detected or investigated, increasing dwell time and impact on organisational assets.
Operational notes
Configure software to generate security-relevant logs (auth, privilege, admin actions, errors) with timestamps and user IDs, and regularly verify coverage and fields needed for detection.
Implementation tips
- The IT team should configure software applications to log key events. They can do this by setting up the software's logging options during installation or through the application's settings menu. This ensures that important actions, like user logins and data changes, are recorded.
- System owners should routinely check that logging is enabled on all essential systems. They can do this by verifying log files are being updated regularly. This ensures ongoing coverage without gaps that might miss significant incidents.
- Managers should create a policy on log retention and review. Work with the IT team to decide how long logs should be kept and how often they should be reviewed for suspicious activity. This helps ensure that logs provide a useful history if needed for an investigation.
- The IT team should implement automated alerts for unusual events in logs. Utilize built-in features of the software or additional security tools to notify relevant staff of potential issues. This helps catch problems early by allowing quick responses to anomalies.
- HR should train employees on recognising and reporting potential cyber incidents. Include information on the importance of event logs and how their activities might be logged for security purposes. These trainings raise awareness and ensure everyone knows their role in maintaining security.
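The operational note's "verify coverage and fields" check and the system owner's "logs are being updated" check can be scripted together. The sketch below is an added example, not part of the ISM or of any product. It assumes a hypothetical JSON-lines log schema with `ts`, `user`, `category` and `action` fields and a 24-hour freshness threshold; the sample records are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Assumed log schema (not defined by the page): one JSON object per line with
# string fields "ts" (ISO 8601 with offset), "user", "category", "action".
REQUIRED_FIELDS = ("ts", "user", "category", "action")
REQUIRED_CATEGORIES = {"auth", "privilege", "admin", "error"}

def audit_log_coverage(lines, now, max_age=timedelta(hours=24)):
    """Return missing categories, stale categories and malformed records."""
    newest = {}     # category -> newest valid timestamp seen
    malformed = []  # (line number, reason) for records detection cannot use
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
            if not isinstance(rec, dict):
                raise ValueError("not an object")
        except ValueError:  # JSONDecodeError is a ValueError subclass
            malformed.append((n, "not a JSON object"))
            continue
        missing = [f for f in REQUIRED_FIELDS
                   if not isinstance(rec.get(f), str) or not rec[f].strip()]
        if missing:
            malformed.append((n, "missing " + ",".join(missing)))
            continue
        try:
            ts = datetime.fromisoformat(rec["ts"])
        except ValueError:
            ts = None
        if ts is None or ts.tzinfo is None:
            malformed.append((n, "bad or zone-less ts"))
            continue
        cat = rec["category"]
        newest[cat] = max(ts, newest.get(cat, ts))
    seen = REQUIRED_CATEGORIES & set(newest)
    return {
        "missing_categories": sorted(REQUIRED_CATEGORIES - seen),
        "stale_categories": sorted(c for c in seen if now - newest[c] > max_age),
        "malformed": malformed,
    }

SAMPLE_LINES = [  # constructed records, not taken from any real system
    '{"ts":"2026-03-19T08:00:00+00:00","user":"alice","category":"auth","action":"login_ok"}',
    '{"ts":"2026-03-19T08:05:00+00:00","user":"alice","category":"admin","action":"role_changed"}',
    '{"ts":"2026-03-16T09:00:00+00:00","user":"bob","category":"privilege","action":"elevated"}',
    '{"ts":"2026-03-19T08:06:00+00:00","category":"error","action":"db_timeout"}',
    'plain text line with no structure',
]
SAMPLE_NOW = datetime(2026, 3, 19, 12, 0, tzinfo=timezone.utc)
print(audit_log_coverage(SAMPLE_LINES, SAMPLE_NOW))
```

On the sample input, the error record without a user ID is rejected, so the `error` category counts as uncovered, and the three-day-old `privilege` record is reported as stale.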
Audit / evidence tips
- Ask for the software's logging configuration documentation: Request a report or screenshot showing the current logging settings for key applications. Look to see if logging is enabled for critical actions like logins and data changes.
  Good: a detailed configuration showing specific events that are set to be logged.
- Ask for a recent log review summary: Request any report or notes from when staff last reviewed event logs.
  Good: includes a summary with dates, systems reviewed, and any follow-up actions taken.
- Ask for a copy of the log retention policy: Request the document outlining how long logs are kept. Look to ensure it aligns with your organisation’s needs and any legal requirements.
  Good: shows a policy with clear timelines and responsibilities for log management.
- Ask for incident response records that relied on logs: Request examples where logs were used to address or investigate a security incident.
  Good: demonstrates how logs have informed decisions or investigations.
- Ask to see the staff training materials on security logging: Request session outlines or presentation slides covering event logging.
  Good: includes recent training records showing active engagement with all staff.
Cross-framework mappings
How ISM-2051 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| Annex A 5.28 | ISM-2051 requires event logs sufficient for cyber event detection | |
| Supports (1) | | |
| Annex A 8.16 | ISM-2051 mandates generating sufficient event logs for cybersecurity detection | |
| Related (1) | | |
| Annex A 8.15 | ISM-2051 requires that software generates sufficient event logs to support detection of cyber security events | |
E8
| Control | Notes | Details |
|---|---|---|
| Supports (1) | | |
| Depends on (6) | | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.