UnixTime

Research Note

ISO 27001 A.8.15 - Logging

The organization should collect useful logs, protect them from tampering, keep them long enough, and review or analyse them so security-relevant events can be detected and inves...

On this page

Requirement

Requirement lens

This control asks whether logs are produced, stored, protected, and analysed for activities, exceptions, faults, and relevant events.

“Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed.”

Plain-language meaning

The organization should collect useful logs, protect them from tampering, keep them long enough, and review or analyse them so security-relevant events can be detected and investigated.

Logging is not useful if nobody reviews it, if privileged administrators can edit it, if storage overwrites it silently, or if logs lack enough detail to identify what happened, when, where, and who was involved.

Why this matters

Logs support incident detection, investigation, accountability, fault analysis, corrective action, and evidence. They help reconstruct events before and during an incident.

Modern systems generate too much data for manual review alone. Automated tooling such as SIEM, alerting, correlation rules, and dashboards may be needed to identify meaningful events from noisy logs.

Implementation guidance

Implementer focus

Decide what must be logged from risk, then protect logs from the same people and systems they may need to evidence.

1. Define loggable events

Logging should cover risk-relevant activities such as:

  • privileged user activity;
  • failed logins and access attempts;
  • configuration changes;
  • use of system utilities;
  • security tool alerts;
  • faults and exceptions;
  • data access or transfer events where needed;
  • changes to logging configuration;
  • administrative actions in cloud or managed services.

2. Define minimum log content

Useful logs should normally identify:

Log field Why it matters
Event What happened
User/account/process Who or what caused it
Date/time When it happened
Source/terminal/IP/device Where it came from
Action/result What changed or failed
System/service What was affected

3. Protect logs

Logs should be protected against unauthorized editing, deletion, redirection, logging shutdown, event-level modification, and silent overwrite. A strong pattern is to send logs quickly to a location outside the control of administrators of the source system.

4. Analyse logs

Log analysis should be risk-based. High-risk systems and privileged activity may require frequent review, automated correlation, and alerting. Lower-risk logs may be reviewed less frequently.

Alert review should determine whether security has been compromised. If yes, the event should feed incident management. Fault trends should feed corrective action and root cause analysis.

Audit guidance

Auditor focus

Test whether logs are generated, useful, protected, retained, reviewed, and linked to incident or corrective action processes.

Auditors should verify:

  • logging policy or standard;
  • loggable event definitions;
  • log content and timestamp quality;
  • retention requirements;
  • protection against tampering and deletion;
  • privileged user log coverage;
  • SIEM or log analysis tooling coverage;
  • alert rules linked to risk assessment;
  • log review frequency and ownership;
  • separation of duties in log review;
  • sample alerts and corrective actions;
  • supplier/cloud logging levels where managed services are used.

Auditors should sample logs and check whether they include sufficient detail to support investigation.

Evidence examples

Evidence quality

Strong evidence proves logs are produced, protected, analysed, retained, and used for incident/corrective action.

Evidence What it proves
Logging policy/standard Logging requirements are defined
Log source register Systems in scope are known
Sample logs Required events are recorded
SIEM/log tool configuration Automated analysis is implemented
Log retention settings Logs are kept long enough
Log protection controls Logs resist tampering/deletion
Alert review records Logs are analysed
Corrective action records Findings lead to action

Strong evidence

  • Logs include user, event, date/time, source, and action detail.
  • Privileged activity is logged and independently reviewed.
  • Logs are sent to protected central storage.
  • Logging changes/deletions require authorization and records.
  • Alerts are reviewed and escalated to incident management where needed.
  • Fault trends produce corrective action.

Weak evidence

  • Logs exist but are never reviewed.
  • Logs are stored only on the system being monitored.
  • Administrators can delete or edit their own activity logs.
  • Retention is too short for investigation needs.
  • SIEM rules are generic and not linked to risk.
  • Alerts are ignored due to volume.

Common failures

Implementation watchouts

A.8.15 fails when logging is treated as storage instead of detection, investigation, and evidence.

Failure Why it matters
No loggable event standard Important events are missed
No review ownership Logs are collected but unused
Privileged users control logs Evidence can be altered
No SIEM tuning Important events hide in noise
Retention not defined Logs may be gone when needed
No link to incident process Alerts do not trigger response
Fault logs ignored Integrity and availability issues repeat

Exam traps

Exam focus

A.8.15 requires logs to be produced, stored, protected, and analysed. Collection alone is not enough.

Trap Correct interpretation
Logging means storing event files Logs must also be protected and analysed
More logs always means better security Risk-based useful logging and analysis matter
Administrators can review their own logs Separation of duties should be used where possible
SIEM presence proves compliance Coverage, rules, alert review, and escalation matter
Fault logs are just operational Faults can affect integrity and availability and need corrective action

KB-ready summary

Mentor takeaway

A.8.15 makes logs useful as detection and evidence. Strong implementation proves the right events are logged, logs are protected from tampering, retained long enough, analysed, and connected to incident/corrective action.

  • Define loggable events from risk.
  • Capture enough detail to investigate.
  • Protect logs against modification and deletion.
  • Review and analyse logs with assigned responsibility.
  • Escalate security alerts and trend faults into corrective action.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Technological controls
  • Logging
  • Monitoring
  • Audit

Note Metadata

Aliases: A.8.15, Logging, Audit Logging

Source: 05 Annex A Technological Controls/A.8.15 Logging.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

12

links

01
02
03

Evidence required

Evidence packs and proof records that support auditability.

04

Audit checks

Audit questions, checklists, or review material connected to the control.

05

Risk treatment

Risk records and ISO 27005 material this control mitigates or supports.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.

Risk treatment artifacts

Risk records, mappings, and treatment-supporting references.