Logging of Activities and Events
Keep detailed logs of activities and events to detect attacks and ensure accountability.
Plain language
This control is about keeping a record of all the important activities and events happening in your organisation's computer systems. It's like having a diary for your systems that can help you spot when something's going wrong, like a cyber-attack, and find out who did it. If you don't keep these records, you might not notice problems until it's too late, and you won't have the information you need to fix them or hold anyone accountable.
Framework
ISO/IEC 27001:2022
Control effect
Detective
ISO 27001 domain
Technological controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
12 Apr 2026
Maturity levels
N/A
Official control statement
Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed.
Why it matters
Without comprehensive logs, detecting breaches or issues is delayed, increasing the risk of undetected threats and compromised accountability.
Operational notes
Regularly review and analyse logs to promptly identify anomalies or trends, ensuring timely incident response and accountability.
Implementation tips
- The IT manager should set up a logging system that records key activities in the organisation's IT environment. This includes logging whenever someone logs into a system, tries to access restricted files, or changes critical settings. Follow ISO 27002:2022 by documenting which events need logging and ensuring that logs include user IDs, event timestamps, and details about the event.
- Security staff should protect the logs from being altered or erased. This means limiting access to logs to only those who need to see them, possibly using a secure logging system that can't be tampered with by regular users. Techniques like cryptographic hashing (a way of securing data) and write-once-read-many (WORM) storage can help protect these logs.
- A compliance officer or data protection officer should ensure logs don't violate privacy laws. Update the logging policy to mask any sensitive personal data, such as usernames or IP addresses, in accordance with the Australian Privacy Act 1988 and OAIC guidelines before sending the logs to third-party vendors for troubleshooting.
- The IT manager should synchronise time settings across all systems. This can be done by using a central time server to ensure all logs have accurate and consistent timestamps. Consistent timestamps are crucial when analysing logs to identify unusual patterns or potential security incidents.
- The IT security team should regularly review and analyse the logs to spot signs of security breaches. This analysis can involve checking for repeated failed login attempts, unusual data access, or unexpected system changes. The team should familiarise itself with UEBA (User and Entity Behaviour Analytics) tools and other monitoring tools, as per ISO 27002:2022 guidance, to detect anomalies.
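The cryptographic hashing mentioned in the second tip, as an added example that is not from this page or from ISO 27002: each structured record (timestamp, user ID, event, details, as the first tip requires) is linked to its predecessor with a keyed hash, and a verifier shows which tampering the chain catches and which it does not. `INTEGRITY_KEY` and the sample events are constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed demo key. In practice the key lives with the log collector (e.g. in a
# secrets store) so that users of the logged systems cannot recompute the chain.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # placeholder "previous MAC" for the first record

def canonical(record: dict) -> bytes:
    """Serialise deterministically so writer and verifier hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def append_event(log: list, ts: str, user_id: str, event: str, detail: str) -> dict:
    """Append one structured record linked to its predecessor via the previous MAC."""
    record = {"ts": ts, "user": user_id, "event": event, "detail": detail,
              "prev": log[-1]["mac"] if log else GENESIS}
    record["mac"] = hmac.new(INTEGRITY_KEY, canonical(record), hashlib.sha256).hexdigest()
    log.append(record)
    return record

def verify_chain(log: list) -> int:
    """Return -1 if every record is authentic and correctly linked, else the first bad index."""
    expected_prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "mac"}
        mac = hmac.new(INTEGRITY_KEY, canonical(body), hashlib.sha256).hexdigest()
        if rec["prev"] != expected_prev or not hmac.compare_digest(mac, rec["mac"]):
            return i
        expected_prev = rec["mac"]
    return -1

def demo() -> tuple:
    """Build a small log from constructed events and check three tampering scenarios."""
    log = []
    append_event(log, "2026-04-12T09:00:00Z", "alice", "login_failed", "bad password")
    append_event(log, "2026-04-12T09:00:05Z", "alice", "login_ok", "console")
    append_event(log, "2026-04-12T09:01:00Z", "alice", "config_change", "audit_level=low")
    append_event(log, "2026-04-12T09:02:00Z", "alice", "logout", "console")
    intact = verify_chain(log)                      # -1: untouched log passes
    edited = [dict(r) for r in log]
    edited[2]["user"] = "bob"                       # rewrite who changed the setting
    spliced = log[:1] + log[2:]                     # delete a record from the middle
    truncated = log[:-1]                            # delete the newest record
    # Truncation passes: a chain alone cannot prove the log was not shortened, which is
    # why WORM storage or off-box anchoring of the latest MAC complements hashing.
    return intact, verify_chain(edited), verify_chain(spliced), verify_chain(truncated)
```

`demo()` returns `(-1, 2, 1, -1)`: the edited record and the missing middle record are detected, the trailing deletion is not.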
Audit / evidence tips
- Ask: Request the organisation's logging policy documents.
  Good: The logging policy is comprehensive, clearly documented, and aligns with ISO 27002:2022 standards, specifying detailed procedures for log creation and protection.
- Ask: Request access to a sample of logged events.
  Good: Logs include detailed entries with consistent and accurate information, reflecting all critical events as mandated by the policy.
- Ask: Request evidence of log protection measures.
  Good: Implementation of cryptographic measures, access control measures, and logs stored in append-only formats.
- Ask: Request records of log reviews or analysis reports.
  Good: Regularly documented log analysis with outcomes that demonstrate proactive detection and handling of anomalies.
- Ask: Ask for time synchronisation records across systems.
  Good: Presence of logs or system settings that show synced timestamps, aiding in the correlation of events across different systems.
Cross-framework mappings
How Annex A 8.15 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
| Relationship | Number of E8 controls |
|---|---|
| Partially meets | 20 |
| Supports | 2 |
| Depends on | 1 |
ASD ISM
Partially meets (36)
| Control | Notes |
|---|---|
| ISM-0261 | ISM-0261 requires organisations to centrally log specific web proxy activity details (such as web address, timestamp, user, data volumes,... |
| ISM-0565 | ISM-0565 requires email servers to block, log and report emails that have inappropriate protective markings |
| ISM-0582 | ISM-0582 stipulates centrally logging security-relevant events on Windows systems |
| ISM-0585 | ISM-0585 requires each logged event to capture specific fields (date/time, user or process, filename, description, and the IT equipment i... |
| ISM-0634 | ISM-0634 requires security-relevant events for gateways to be centrally logged, specifically covering permitted flows, attempted egress, ... |
| ISM-0670 | ISM-0670 requires security-relevant events for CDSs to be centrally logged |
| ISM-1030 | ISM-1030 requires NIDS/NIPS-generated event logs and alerts for gateway traffic that breaches firewall rules |
| ISM-1213 | ISM-1213 mandates the capture and analysis of full network traffic for seven days post-intrusion remediation for validation |
| ISM-1509 | ISM-1509 requires that privileged access events are centrally logged to support monitoring and response |
| ISM-1537 | ISM-1537 requires organisations to centrally log a defined set of security-relevant database events (e.g |
| ISM-1566 | ISM-1566 requires that use of unprivileged access is centrally logged to provide visibility of non-admin user activity |
| ISM-1586 | ISM-1586 requires data transfer logs to record all data imports and exports, aligning with Annex A 8.15's broader requirement to produce,... |
| ISM-1613 | ISM-1613 requires central logging specifically for break glass account usage |
| ISM-1623 | ISM-1623 requires centralised logging specifically for PowerShell module, script block and transcription events |
| ISM-1650 | ISM-1650 requires central logging of privileged user account and security group management events |
| ISM-1683 | ISM-1683 requires successful and unsuccessful MFA events to be centrally logged |
| ISM-1830 | ISM-1830 requires central logging of security-relevant events specifically for Microsoft AD DS, AD CS, AD FS and Entra Connect servers |
| ISM-1855 | ISM-1855 requires organisations to centrally log multifunction device (MFD) use for printing, scanning and copying, including capturing s... |
| ISM-1889 | ISM-1889 requires a specific class of security-relevant logging: centrally recording command line process creation events |
| ISM-1895 | ISM-1895 requires central logging of successful and unsuccessful single-factor authentication events |
| ISM-1906 | ISM-1906 requires timely analysis of event logs from internet-facing servers to detect cyber security events |
| ISM-1911 | ISM-1911 requires the centralisation of security-relevant software usage, error messages, and crashes |
| ISM-1937 | ISM-1937 requires organisations to check Active Directory user accounts at least weekly for the presence of the sIDHistory attribute, whi... |
| ISM-1959 | ISM-1959 requires that, to the extent possible, event logs are captured and stored in a consistent and structured format |
| ISM-1963 | ISM-1963 requires security-relevant events for internet-facing network devices to be centrally logged |
| ISM-1964 | ISM-1964 requires security-relevant events for non-internet-facing network devices to be centrally logged |
| ISM-1978 | ISM-1978 requires security-relevant events for server applications on internet-facing servers to be centrally logged |
| ISM-1979 | ISM-1979 requires security-relevant events for server applications on non-internet-facing servers to be centrally logged |
| ISM-1983 | ISM-1983 requires event logs to be sent to a centralised event logging facility as soon as possible after they occur |
| ISM-1985 | ISM-1985 requires that event logs are protected from unauthorised access |
| ISM-1986 | ISM-1986 requires event logs from critical servers to be analysed in a timely manner to detect cyber security events |
| ISM-1987 | ISM-1987 requires event logs from security products to be analysed in a timely manner to detect cyber security events |
| ISM-1988 | ISM-1988 requires event logs to be retained in a searchable manner for at least 12 months |
| ISM-2015 | ISM-2015 mandates central logging for specific data-affecting non-internet API calls |
| ISM-2052 | ISM-2052 requires that event logs produced by software protect any sensitive data contained within them |
| ISM-2089 | ISM-2089 requires organisations to monitor AI model performance metrics and investigate anomalies |
Partially overlaps (4)
| Control | Notes |
|---|---|
| ISM-0580 | Annex A 8.15 requires that logs are produced, stored, protected, and analysed to support detection and accountability |
| ISM-1405 | ISM-1405 requires a centralised event logging facility to collect and manage event logs in one location |
| ISM-1989 | ISM-1989 requires event logs to be retained in line with minimum retention periods defined by the National Archives of Australia (AFDA Ex... |
| ISM-2046 | ISM-2046 requires secure logging practices in impersonation scenarios, such as preventing sensitive data from being logged and ensuring a... |
Supports (10)
| Control | Notes |
|---|---|
| ISM-0138 | ISM-0138 mandates evidentiary integrity through documentation of actions and chain of custody |
| ISM-0988 | Annex A 8.15 necessitates logs to be produced and analysed for detection, investigation, and accountability |
| ISM-1341 | ISM-1341 requires implementing HIPS or EDR on workstations, which typically generates detailed endpoint security and process/activity tel... |
| ISM-1526 | ISM-1526 requires system owners to monitor each system and associated cyber threats, risks and controls on an ongoing basis |
| ISM-1611 | ISM-1611 mandates break glass accounts for emergency use only, implying the organisation should detect and investigate any non-emergency use |
| ISM-1634 | ISM-1634 focuses on tailoring system controls so the implemented control set achieves the system's desired security and resilience outcomes |
| ISM-1805 | ISM-1805 requires organisations to identify signs of a DoS attack and help identify its source for video conferencing and IP telephony se... |
| ISM-1941 | ISM-1941 requires preventing computer accounts from being members of highly privileged AD groups (e.g |
| ISM-1984 | ISM-1984 requires that event logs forwarded to a centralised event logging facility are encrypted in transit to protect them against inte... |
| ISM-2094 | ISM-2094 requires AI applications to filter content to detect and block sensitive data exposure and improper output |
Depends on (1)
| Control | Notes |
|---|---|
| ISM-1228 | ISM-1228 requires organisations to analyse cyber security events promptly to identify incidents |
Related (1)
| Control | Notes |
|---|---|
| ISM-2051 | ISM-2051 requires that software generates sufficient event logs to support detection of cyber security events |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.