UnixTime

Research Note

A.8.15 Audit Evidence Pack

- Logs include event, user/account, date/time, source, and action. - Privileged activity is logged and independently reviewed. - Logs are protected from source-system administra...

On this page

What the auditor wants to verify

Audit objective

Verify that logs are produced, stored, protected, retained, and analysed for relevant activities, exceptions, faults, and events.

Evidence to request

Evidence Purpose
Logging policy/standard Shows logging requirements are defined
Log source register Shows systems and log types in scope
Sample logs Shows useful events are recorded
SIEM/log analysis configuration Shows automated processing and correlation
Retention settings Shows logs are kept long enough
Log protection controls Shows logs resist tampering/deletion
Alert review records Shows logs are analysed
Corrective action records Shows findings lead to action

Strong evidence

  • Logs include event, user/account, date/time, source, and action.
  • Privileged activity is logged and independently reviewed.
  • Logs are protected from source-system administrators.
  • Logging deletion or change requires authorization.
  • Alerts are reviewed and escalated where needed.
  • Fault trends lead to corrective action.

Weak evidence

  • Logs are collected but never reviewed.
  • Administrators can edit or delete their own logs.
  • Retention is too short for investigations.
  • SIEM rules are generic and not linked to risk.
  • Alerts are ignored due to volume.

Sample interview questions

  • Which events must be logged?
  • How long are logs retained?
  • Who reviews privileged activity logs?
  • How are logs protected from tampering?
  • What happens when an alert suggests compromise?
  • How are fault trends handled?

Common nonconformities

  • No loggable event standard.
  • Log reviews not performed.
  • Logs not protected from privileged users.
  • No separation of duties in log review.
  • Alerts not linked to incident management.
  • Fault logs not analysed for corrective action.
  • Audit
  • Evidence
  • A8 15
  • Iso27001

Note Metadata

Aliases: A.8.15 Evidence

Source: 04 Audit Evidence Packs/A.8.15 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.