What the auditor wants to verify
Audit objective
Verify that logs are produced, stored, protected, retained, and analysed for relevant activities, exceptions, faults, and events.
Evidence to request
| Evidence | Purpose |
|---|---|
| Logging policy/standard | Shows logging requirements are defined |
| Log source register | Shows systems and log types in scope |
| Sample logs | Shows useful events are recorded |
| SIEM/log analysis configuration | Shows automated processing and correlation |
| Retention settings | Shows logs are kept long enough |
| Log protection controls | Shows logs resist tampering/deletion |
| Alert review records | Shows logs are analysed |
| Corrective action records | Shows findings lead to action |
Strong evidence
- Logs include event, user/account, date/time, source, and action.
- Privileged activity is logged and independently reviewed.
- Logs are protected from source-system administrators.
- Logging deletion or change requires authorization.
- Alerts are reviewed and escalated where needed.
- Fault trends lead to corrective action.
Weak evidence
- Logs are collected but never reviewed.
- Administrators can edit or delete their own logs.
- Retention is too short for investigations.
- SIEM rules are generic and not linked to risk.
- Alerts are ignored due to volume.
Sample interview questions
- Which events must be logged?
- How long are logs retained?
- Who reviews privileged activity logs?
- How are logs protected from tampering?
- What happens when an alert suggests compromise?
- How are fault trends handled?
Common nonconformities
- No loggable event standard.
- Log reviews not performed.
- Logs not protected from privileged users.
- No separation of duties in log review.
- Alerts not linked to incident management.
- Fault logs not analysed for corrective action.
Related notes
- Audit
- Evidence
- A8 15
- Iso27001
Note Metadata
Aliases: A.8.15 Evidence
Source: 04 Audit Evidence Packs/A.8.15 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.