Control Stack
Annex A 8.15 ISO/IEC 27001:2022

Logging of Activities and Events

Keep detailed logs of activities and events to detect attacks and ensure accountability.

🏛️ Framework

ISO/IEC 27001:2022

🧭 Control effect

Detective

🧱 ISO 27001 domain

Organisational controls

🔐 Classifications

N/A

🗓️ Official last update

24 Oct 2022

✏️ Control Stack last updated

22 Feb 2026

🎯 Maturity levels

N/A

Official control statement
Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed.

Source: ISO/IEC 27001:2022

Plain language

This control is about keeping a record of all the important activities and events happening in your organisation's computer systems. It's like having a diary for your systems that can help you spot when something's going wrong, like a cyber-attack, and find out who did it. If you don't keep these records, you might not notice problems until it's too late, and you won't have the information you need to fix them or hold anyone accountable.

Why it matters

Without comprehensive logs, detecting breaches or issues is delayed, increasing the risk of undetected threats and compromised accountability.

Operational notes

Regularly review and analyse logs to promptly identify anomalies or trends, ensuring timely incident response and accountability.

Implementation tips

  • The IT manager should set up a logging system that records key activities in the organisation's IT environment. This includes logging whenever someone logs into a system, tries to access restricted files, or changes critical settings. Follow ISO 27002:2022 by documenting which events need logging and ensuring that logs include user IDs, event timestamps, and details about the event.
  • Security staff should protect the logs from being altered or erased. This means limiting access to logs to only those who need to see them, possibly using a secure logging system that can't be tampered with by regular users. Techniques like cryptographic hashing (which makes any later change to a log entry detectable) and write-once-read-many (WORM) storage can help protect these logs.
  • A compliance officer or data protection officer should ensure logs don't violate privacy laws. Update the logging policy to mask any sensitive personal data, such as usernames or IP addresses, in accordance with the Australian Privacy Act 1988 and OAIC guidelines before sending the logs to third-party vendors for troubleshooting.
  • The IT manager should synchronise time settings across all systems. This can be done by using a central time server to ensure all logs have accurate and consistent timestamps. Consistent timestamps are crucial when analysing logs to identify unusual patterns or potential security incidents.
  • The IT security team should regularly review and analyse the logs to spot signs of security breaches. This analysis can involve checking for repeated failed login attempts, unusual data access, or unexpected system changes. The team should familiarise themselves with UEBA (User and Entity Behaviour Analytics) tools and other monitoring tools, as per ISO 27002:2022 guidance, to detect anomalies.
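The following is an added example, not code from Control Stack or from the standard, that puts three of the tips above into working form on a constructed set of events: a hash-chained log whose entries cannot be altered or deleted without detection, a keyed-hash masking step for usernames and IP addresses before the log leaves the organisation, and a review routine that flags bursts of failed logins. The field names, the five-failures-in-five-minutes threshold, the sample events and the export key are all assumptions made for the example.

```python
"""Added example (not Control Stack's or ISO's code): a small tamper-evident,
privacy-aware event log with a simple failed-login review.  Field names,
thresholds and sample data are assumptions made for illustration."""
import hashlib
import hmac
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # link value of the first entry

# Constructed sample events (not real data).  All timestamps are UTC, which is
# what a central time source should give every system that produces logs.
SAMPLE_EVENTS = [
    {"ts": "2026-02-22T09:00:00Z", "user": "alice", "ip": "10.0.0.5", "event": "login_success"},
    {"ts": "2026-02-22T09:01:10Z", "user": "bob", "ip": "10.0.0.9", "event": "login_failure"},
    {"ts": "2026-02-22T09:01:25Z", "user": "bob", "ip": "10.0.0.9", "event": "login_failure"},
    {"ts": "2026-02-22T09:01:40Z", "user": "bob", "ip": "10.0.0.9", "event": "login_failure"},
    {"ts": "2026-02-22T09:02:00Z", "user": "bob", "ip": "10.0.0.9", "event": "login_failure"},
    {"ts": "2026-02-22T09:02:15Z", "user": "bob", "ip": "10.0.0.9", "event": "login_failure"},
    {"ts": "2026-02-22T09:30:00Z", "user": "alice", "ip": "10.0.0.5", "event": "config_change",
     "detail": "audit policy edited"},
    {"ts": "2026-02-22T11:00:00Z", "user": "carol", "ip": "10.0.0.7", "event": "login_failure"},
]


def canonical(record):
    """Deterministic serialisation so the same record hashes identically on any host."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def build_chain(events):
    """Append each event to a hash chain.  Every entry carries the hash of the
    previous entry, so editing or deleting an earlier entry breaks every later
    link.  (WORM storage adds the same property at the media layer.)"""
    chain, prev = [], GENESIS
    for seq, ev in enumerate(events):
        entry = dict(ev, seq=seq, prev_hash=prev)
        entry["hash"] = hashlib.sha256(canonical(entry)).hexdigest()
        chain.append(entry)
        prev = entry["hash"]
    return chain


def verify_chain(chain):
    """Return (ok, first_bad_seq).  Recomputes each hash and checks each link."""
    prev = GENESIS
    for entry in chain:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev_hash"] != prev or hashlib.sha256(canonical(body)).hexdigest() != entry["hash"]:
            return False, entry["seq"]
        prev = entry["hash"]
    return True, None


def tamper_demo():
    """Show that rewriting one stored entry is detected at that entry."""
    chain = build_chain(SAMPLE_EVENTS)
    ok_before, _ = verify_chain(chain)
    tampered = [dict(e) for e in chain]
    tampered[6]["detail"] = "nothing happened"  # someone rewrites the config-change record
    ok_after, bad_seq = verify_chain(tampered)
    return ok_before, ok_after, bad_seq


def mask_for_export(chain, key):
    """Pseudonymise user and IP with a keyed hash (HMAC) before handing logs to a
    third party.  The vendor can still see that several events belong to the
    same user, but cannot recover the name or address without the key, which
    stays in-house.  The masked copy is a derived view; the original chain
    remains the integrity-checked record."""
    def pseudo(value):
        return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]
    return [dict(e, user=pseudo(e["user"]), ip=pseudo(e["ip"])) for e in chain]


def failed_login_bursts(chain, threshold=5, window=timedelta(minutes=5)):
    """Flag users with at least `threshold` login failures inside a sliding window."""
    by_user = defaultdict(list)
    for e in chain:
        if e["event"] == "login_failure":
            by_user[e["user"]].append(datetime.fromisoformat(e["ts"].replace("Z", "+00:00")))
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[user] = threshold
                break
    return flagged


if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    print("chain valid:", verify_chain(chain))
    print("tamper demo (ok_before, ok_after, first_bad_seq):", tamper_demo())
    print("failed-login bursts:", failed_login_bursts(chain))
    print("masked export, first entry:", mask_for_export(chain, b"in-house-key")[0])
```

Run as a script, the chain verifies, the tampering demonstration reports the rewritten entry (sequence number 6), the review flags `bob` for five failures within 65 seconds, and the masked export carries no raw username or IP address. Verification here is a separate step from writing, which is the point: the reviewer re-derives every hash from the stored bodies rather than trusting the stored hash values.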

Audit / evidence tips

  • Ask: Request the organisation's logging policy documents.

    Good: The logging policy is comprehensive, clearly documented, and aligns with ISO 27002:2022 standards, specifying detailed procedures for log creation and protection.

  • Ask: Request access to a sample of logged events.

    Good: Logs include detailed entries with consistent and accurate information, reflecting all critical events as mandated by the policy.

  • Ask: Request evidence of log protection measures.

    Good: Implementation of cryptographic measures, access control measures, and logs stored in append-only formats.

  • Ask: Request records of log reviews or analysis reports.

    Good: Regularly documented log analysis with outcomes that demonstrate proactive detection and handling of anomalies.

  • Ask: Request time synchronisation records across systems.

    Good: Presence of logs or system settings that show synced timestamps, aiding in the correlation of events across different systems.

Cross-framework mappings

How Annex A 8.15 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

E8

Control Notes Details
Partially meets (15)
Supports (1)

ASD ISM

Control Notes Details
Partially meets (36)
ISM-0261 ISM-0261 requires organisations to centrally log specific web proxy activity details (such as web address, timestamp, user, data volumes,...
ISM-0565 ISM-0565 requires email servers to block, log and report emails that have inappropriate protective markings
ISM-0582 ISM-0582 stipulates centrally logging security-relevant events on Windows systems
ISM-0585 ISM-0585 requires each logged event to capture specific fields (date/time, user or process, filename, description, and the IT equipment i...
ISM-0634 ISM-0634 requires security-relevant events for gateways to be centrally logged, specifically covering permitted flows, attempted egress, ...
ISM-0670 ISM-0670 requires security-relevant events for CDSs to be centrally logged
ISM-1030 ISM-1030 requires NIDS/NIPS-generated event logs and alerts for gateway traffic that breaches firewall rules
ISM-1213 ISM-1213 mandates the capture and analysis of full network traffic for seven days post-intrusion remediation for validation
ISM-1509 ISM-1509 requires that privileged access events are centrally logged to support monitoring and response
ISM-1537 ISM-1537 requires organisations to centrally log a defined set of security-relevant database events (e.g
ISM-1566 ISM-1566 requires that use of unprivileged access is centrally logged to provide visibility of non-admin user activity
ISM-1586 ISM-1586 requires data transfer logs to record all data imports and exports, aligning with Annex A 8.15's broader requirement to produce,...
ISM-1613 ISM-1613 requires central logging specifically for break glass account usage
ISM-1623 ISM-1623 requires centralised logging specifically for PowerShell module, script block and transcription events
ISM-1650 ISM-1650 requires central logging of privileged user account and security group management events
ISM-1683 ISM-1683 requires successful and unsuccessful MFA events to be centrally logged
ISM-1830 ISM-1830 requires central logging of security-relevant events specifically for Microsoft AD DS, AD CS, AD FS and Entra Connect servers
ISM-1855 ISM-1855 requires organisations to centrally log multifunction device (MFD) use for printing, scanning and copying, including capturing s...
ISM-1889 ISM-1889 requires a specific class of security-relevant logging: centrally recording command line process creation events
ISM-1895 ISM-1895 requires central logging of successful and unsuccessful single-factor authentication events
ISM-1906 ISM-1906 requires timely analysis of event logs from internet-facing servers to detect cyber security events
ISM-1911 ISM-1911 requires the centralisation of security-relevant software usage, error messages, and crashes
ISM-1937 ISM-1937 requires organisations to check Active Directory user accounts at least weekly for the presence of the sIDHistory attribute, whi...
ISM-1959 ISM-1959 requires that, to the extent possible, event logs are captured and stored in a consistent and structured format
ISM-1963 ISM-1963 requires security-relevant events for internet-facing network devices to be centrally logged
ISM-1964 ISM-1964 requires security-relevant events for non-internet-facing network devices to be centrally logged
ISM-1978 ISM-1978 requires security-relevant events for server applications on internet-facing servers to be centrally logged
ISM-1979 ISM-1979 requires security-relevant events for server applications on non-internet-facing servers to be centrally logged
ISM-1983 ISM-1983 requires event logs to be sent to a centralised event logging facility as soon as possible after they occur
ISM-1985 ISM-1985 requires that event logs are protected from unauthorised access
ISM-1986 ISM-1986 requires event logs from critical servers to be analysed in a timely manner to detect cyber security events
ISM-1987 ISM-1987 requires event logs from security products to be analysed in a timely manner to detect cyber security events
ISM-1988 ISM-1988 requires event logs to be retained in a searchable manner for at least 12 months
ISM-2015 ISM-2015 mandates central logging for specific data-affecting non-internet API calls
ISM-2052 ISM-2052 requires that event logs produced by software protect any sensitive data contained within them
ISM-2089 ISM-2089 requires organisations to monitor AI model performance metrics and investigate anomalies
Partially overlaps (4)
ISM-0580 ISM-0580 requires an organisation to develop, implement and maintain an event logging policy to ensure events are recorded and monitored
ISM-1405 ISM-1405 requires a centralised event logging facility to collect and manage event logs in one location
ISM-1989 ISM-1989 requires event logs to be retained in line with minimum retention periods defined by the National Archives of Australia (AFDA Ex...
ISM-2046 ISM-2046 requires secure logging practices in impersonation scenarios, such as preventing sensitive data from being logged and ensuring a...
Supports (9)
ISM-0138 ISM-0138 mandates evidentiary integrity through documentation of actions and chain of custody
ISM-0988 ISM-0988 requires an accurate and consistent time source to be used for event logging to ensure timestamps are trustworthy
ISM-1341 ISM-1341 requires implementing HIPS or EDR on workstations, which typically generates detailed endpoint security and process/activity tel...
ISM-1526 ISM-1526 requires system owners to monitor each system and associated cyber threats, risks and controls on an ongoing basis
ISM-1611 ISM-1611 mandates break glass accounts for emergency use only, implying the organisation should detect and investigate any non-emergency use
ISM-1805 ISM-1805 requires organisations to identify signs of a DoS attack and help identify its source for video conferencing and IP telephony se...
ISM-1941 ISM-1941 requires preventing computer accounts from being members of highly privileged AD groups (e.g
ISM-1984 ISM-1984 requires that event logs forwarded to a centralised event logging facility are encrypted in transit to protect them against inte...
ISM-2094 ISM-2094 requires AI applications to filter content to detect and block sensitive data exposure and improper output
Depends on (1)
ISM-1228 ISM-1228 requires organisations to analyse cyber security events promptly to identify incidents
Related (1)
ISM-2051 ISM-2051 requires that software generates sufficient event logs to support detection of cyber security events
