ISM-2051, ASD Information Security Manual (ISM)

Ensure Event Logs for Cybersecurity Event Detection

Software should create logs to help detect security incidents.


Plain language

Software should automatically keep a record of important activities and events. This is crucial because if something goes wrong, like a cyberattack or data breach, these logs can help us understand what happened and how to fix it.

Framework

ASD Information Security Manual (ISM)

Control effect

Detective

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2025

Control Stack last updated

18 May 2026

E8 maturity levels

N/A

Official control statement

Software generates sufficient event logs to support the detection of cyber security events.
ASD Information Security Manual (ISM), ISM-2051

Why it matters

If software does not generate sufficient event logs, cyber security events may not be detected or investigated, increasing dwell time and impact on organisational assets.


Operational notes

Configure software to generate security-relevant logs (auth, privilege, admin actions, errors) with timestamps and user IDs, and regularly verify coverage and fields needed for detection.


Implementation tips

  • The IT team should configure software applications to log key events. They can do this by setting up the software's logging options during installation or through the application's settings menu. This ensures that important actions, like user logins and data changes, are recorded.
  • System owners should routinely check that logging is enabled on all essential systems. They can do this by verifying log files are being updated regularly. This ensures ongoing coverage without gaps that might miss significant incidents.
  • Managers should create a policy on log retention and review. Work with the IT team to decide how long logs should be kept and how often they should be reviewed for suspicious activity. This helps ensure that logs provide a useful history if needed for an investigation.
  • The IT team should implement automated alerts for unusual events in logs. Utilise built-in features of the software or additional security tools to notify relevant staff of potential issues. This helps catch problems early by allowing quick responses to anomalies.
  • HR should train employees on recognising and reporting potential cyber incidents. Include information on the importance of event logs and how their activities might be logged for security purposes. This training raises awareness and ensures everyone knows their role in maintaining security.
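
One way to run the coverage and field check described in the operational notes and in the second implementation tip, as an added example that is not from the ISM or from this page's source. It assumes JSON-lines logs, the hypothetical field names `timestamp`, `user_id` and `category`, and a 24-hour freshness window.

```python
import json
from datetime import datetime, timedelta, timezone

# Categories come from the operational notes; the field names, the JSON-lines
# format and the 24-hour freshness window are assumptions for this example.
REQUIRED_CATEGORIES = ("auth", "privilege", "admin", "error")
REQUIRED_FIELDS = ("timestamp", "user_id", "category")

def check_coverage(lines, now, max_age=timedelta(hours=24)):
    """Return findings for unusable records and for silent or stale categories."""
    latest, findings = {}, []          # latest: category -> newest timestamp
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rec = None
        if not isinstance(rec, dict):
            findings.append(f"line {n}: not a JSON object")
            continue
        missing = [f for f in REQUIRED_FIELDS if not rec.get(f)]
        if missing:
            findings.append(f"line {n}: missing {','.join(missing)}")
            continue
        try:
            ts = datetime.fromisoformat(rec["timestamp"])
            if ts.tzinfo is None:      # ambiguous local times break correlation
                raise ValueError("no UTC offset")
        except (TypeError, ValueError):
            findings.append(f"line {n}: timestamp unparseable or lacks UTC offset")
            continue
        cat = str(rec["category"])
        latest[cat] = max(ts, latest.get(cat, ts))
    for cat in REQUIRED_CATEGORIES:    # defective records do not count as coverage
        if cat not in latest:
            findings.append(f"{cat}: no usable events")
        elif now - latest[cat] > max_age:
            findings.append(f"{cat}: stale, last event {latest[cat].isoformat()}")
    return findings

# Constructed sample records, not taken from any real system.
SAMPLE = [
    '{"timestamp": "2025-01-10T09:00:00+00:00", "user_id": "alice", "category": "auth", "event": "login_success"}',
    '{"timestamp": "2025-01-10T09:05:00+00:00", "user_id": "alice", "category": "privilege", "event": "role_granted"}',
    '{"timestamp": "2025-01-08T11:00:00+00:00", "user_id": "bob", "category": "admin", "event": "config_changed"}',
    '{"timestamp": "2025-01-10T09:10:00+00:00", "category": "error", "event": "db_timeout"}',
]
NOW = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("\n".join(check_coverage(SAMPLE, NOW)))
```

On the sample, the error record without a user ID is rejected, so the error category is reported as having no usable events even though the application did write a line for it.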

Audit / evidence tips

  • Ask: The software's logging configuration documentation. Request a report or screenshot showing the current logging settings for key applications. Look to see if logging is enabled for critical actions like logins and data changes. Good: A detailed configuration showing the specific events that are set to be logged.
  • Ask: A recent log review summary. Request any report or notes from when staff last reviewed event logs. Good: Includes a summary with dates, systems reviewed, and any follow-up actions taken.
  • Ask: A copy of the log retention policy. Request the document outlining how long logs are kept. Look to ensure it aligns with your organisation’s needs and any legal requirements. Good: Shows a policy with clear timelines and responsibilities for log management.
  • Ask: Incident response records that relied on logs. Request examples where logs were used to address or investigate a security incident. Good: Demonstrates how logs have informed decisions or investigations.
  • Ask: To see the staff training materials on security logging. Request session outlines or presentation slides covering event logging. Good: Includes recent training records showing active engagement with all staff.

Cross-framework mappings

How ISM-2051 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially overlaps (1)
  • Annex A 5.28: ISM-2051 requires event logs sufficient for cyber event detection

Supports (1)
  • Annex A 8.16: ISM-2051 mandates generating sufficient event logs for cybersecurity detection

Related (1)
  • Annex A 8.15: ISM-2051 requires that software generates sufficient event logs to support detection of cyber security events

E8

Supports (1)

Depends on (6)

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
