Requirement
Requirement lens
This control asks whether logs are produced, stored, protected, and analysed for activities, exceptions, faults, and relevant events.
“Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed.”
Plain-language meaning
The organization should collect useful logs, protect them from tampering, keep them long enough, and review or analyse them so security-relevant events can be detected and investigated.
Logging is not useful if nobody reviews it, if privileged administrators can edit it, if storage overwrites it silently, or if logs lack enough detail to identify what happened, when, where, and who was involved.
Why this matters
Logs support incident detection, investigation, accountability, fault analysis, corrective action, and evidence. They help reconstruct events before and during an incident.
Modern systems generate too much data for manual review alone. Automated tooling such as SIEM, alerting, correlation rules, and dashboards may be needed to identify meaningful events from noisy logs.
Implementation guidance
Implementer focus
Decide what must be logged from risk, then protect logs from the same people and systems they may need to evidence.
1. Define loggable events
Logging should cover risk-relevant activities such as:
- privileged user activity;
- failed logins and access attempts;
- configuration changes;
- use of system utilities;
- security tool alerts;
- faults and exceptions;
- data access or transfer events where needed;
- changes to logging configuration;
- administrative actions in cloud or managed services.
2. Define minimum log content
Useful logs should normally identify:
| Log field | Why it matters |
|---|---|
| Event | What happened |
| User/account/process | Who or what caused it |
| Date/time | When it happened |
| Source/terminal/IP/device | Where it came from |
| Action/result | What changed or failed |
| System/service | What was affected |
3. Protect logs
Logs should be protected against unauthorized editing, deletion, redirection, logging shutdown, event-level modification, and silent overwrite. A strong pattern is to send logs quickly to a location outside the control of administrators of the source system.
4. Analyse logs
Log analysis should be risk-based. High-risk systems and privileged activity may require frequent review, automated correlation, and alerting. Lower-risk logs may be reviewed less frequently.
5. Link alerts to incident and corrective action
Alert review should determine whether security has been compromised. If yes, the event should feed incident management. Fault trends should feed corrective action and root cause analysis.
Audit guidance
Auditor focus
Test whether logs are generated, useful, protected, retained, reviewed, and linked to incident or corrective action processes.
Auditors should verify:
- logging policy or standard;
- loggable event definitions;
- log content and timestamp quality;
- retention requirements;
- protection against tampering and deletion;
- privileged user log coverage;
- SIEM or log analysis tooling coverage;
- alert rules linked to risk assessment;
- log review frequency and ownership;
- separation of duties in log review;
- sample alerts and corrective actions;
- supplier/cloud logging levels where managed services are used.
Auditors should sample logs and check whether they include sufficient detail to support investigation.
Evidence examples
Evidence quality
Strong evidence proves logs are produced, protected, analysed, retained, and used for incident/corrective action.
| Evidence | What it proves |
|---|---|
| Logging policy/standard | Logging requirements are defined |
| Log source register | Systems in scope are known |
| Sample logs | Required events are recorded |
| SIEM/log tool configuration | Automated analysis is implemented |
| Log retention settings | Logs are kept long enough |
| Log protection controls | Logs resist tampering/deletion |
| Alert review records | Logs are analysed |
| Corrective action records | Findings lead to action |
Strong evidence
- Logs include user, event, date/time, source, and action detail.
- Privileged activity is logged and independently reviewed.
- Logs are sent to protected central storage.
- Logging changes/deletions require authorization and records.
- Alerts are reviewed and escalated to incident management where needed.
- Fault trends produce corrective action.
Weak evidence
- Logs exist but are never reviewed.
- Logs are stored only on the system being monitored.
- Administrators can delete or edit their own activity logs.
- Retention is too short for investigation needs.
- SIEM rules are generic and not linked to risk.
- Alerts are ignored due to volume.
Common failures
Implementation watchouts
A.8.15 fails when logging is treated as storage instead of detection, investigation, and evidence.
| Failure | Why it matters |
|---|---|
| No loggable event standard | Important events are missed |
| No review ownership | Logs are collected but unused |
| Privileged users control logs | Evidence can be altered |
| No SIEM tuning | Important events hide in noise |
| Retention not defined | Logs may be gone when needed |
| No link to incident process | Alerts do not trigger response |
| Fault logs ignored | Integrity and availability issues repeat |
Exam traps
Exam focus
A.8.15 requires logs to be produced, stored, protected, and analysed. Collection alone is not enough.
| Trap | Correct interpretation |
|---|---|
| Logging means storing event files | Logs must also be protected and analysed |
| More logs always means better security | Risk-based useful logging and analysis matter |
| Administrators can review their own logs | Separation of duties should be used where possible |
| SIEM presence proves compliance | Coverage, rules, alert review, and escalation matter |
| Fault logs are just operational | Faults can affect integrity and availability and need corrective action |
Related controls and concepts
- A.8 Technological Controls MOC
- A.8.2 Privileged Access Rights
- A.8.3 Information Access Restriction
- A.8.9 Configuration Management
- A.5.25 Assessment and Decision on Information Security Events
- A.5.26 Response to Information Security Incidents
- A.5.27 Learning from Information Security Incidents
- A.5.28 Collection of Evidence
- A.5.36 Compliance with Policies, Rules and Standards for Information Security
- Risk Assessment
- Statement of Applicability
- Logging and Monitoring Standard
- Log Source and Retention Register
- Log Review and Alert Triage Record
- Log Integrity and Access Review Checklist
- A.8.15 Audit Evidence Pack
- A.8.15 Audit Checklist
KB-ready summary
Mentor takeaway
A.8.15 makes logs useful as detection and evidence. Strong implementation proves the right events are logged, logs are protected from tampering, retained long enough, analysed, and connected to incident/corrective action.
- Define loggable events from risk.
- Capture enough detail to investigate.
- Protect logs against modification and deletion.
- Review and analyse logs with assigned responsibility.
- Escalate security alerts and trend faults into corrective action.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Technological controls
- Logging
- Monitoring
- Audit
Note Metadata
Aliases: A.8.15, Logging, Audit Logging
Source: 05 Annex A Technological Controls/A.8.15 Logging.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
12
links
Control
ISO 27001 A.8.15 - LoggingRequirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- Risk Assessment
- Statement of Applicability
- ISO 27001 A.5.25 - Assessment and Decision on Information Security Events
- ISO 27001 A.5.26 - Response to Information Security Incidents
- ISO 27001 A.5.27 - Learning from Information Security Incidents
- ISO 27001 A.5.28 - Collection of Evidence
- ISO 27001 A.5.36 - Compliance with Policies, Rules and Standards for Information Security
- A.8.15 Audit Evidence Pack
- A.8.16 Audit Evidence Pack
- ISO 27001 A.8.16 - Monitoring Activities
- ISO 27001 A.8.19 - Installation of Software on Operational Systems
- ISO 27001 A.8.2 - Privileged Access Rights
- ISO 27001 A.8.20 - Networks Security
- ISO 27001 A.8.26 - Application Security Requirements
- ISO 27001 A.8.3 - Information Access Restriction
- ISO 27001 A.8.31 - Separation of Development Test and Production Environments
- ISO 27001 A.8.34 - Protection of Information Systems During Audit Testing
- ISO 27001 A.8.9 - Configuration Management
- A.8 Technological Controls MOC
- A.8 Technological Controls Implementation Guide
- A.8 Technological Controls Audit Guide
- ISO27001-A.8.15 Logging
- A.8 Technological Controls Implementation Audit Risk Mapping
- EXAM-033 - Redundancy and Logging
- EXAM-034 - Monitoring Activities
- ISO 27002 Annex A Control Interpretation Map
- A.8.15 Audit Checklist
- Development Test Production Separation Checklist
- Log Integrity and Access Review Checklist
- Log Review and Alert Triage Record
- Log Source and Retention Register
- Logging and Monitoring Standard
- Monitoring Alert Threshold Review
- Monitoring Coverage and Data Source Map
- Monitoring Detection Use Case Register
- Network Device Configuration and Change Review
- Annex A Controls MOC