
ISO 27001:2022 A.8.15 Logging

This article provides additional information on how you can meet the requirement for ISO 27001:2022 control A.8.15 Logging.

ISO 27001:2022 Control Description

Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed.

Purpose

To ensure that activities, exceptions, faults, and other important events are recorded, stored, protected, and analysed. This generates evidence, preserves the integrity of log information, prevents unauthorised access to it, identifies security events that could lead to an incident, and supports investigations.

Guidance on implementation

Setting Up Logs

  1. Determine Logging Needs:
    • Identify the purpose of logs, what data should be logged, and how logs should be protected and handled. Document this in a logging policy.
  2. Include Key Event Information:
    • Ensure logs capture relevant details for each event, including:
      • User IDs
      • System activities
      • Dates, times, and event details (e.g., log-on and log-off times)
      • Device identity, system identifiers, and locations
      • Network addresses and protocols
  3. Log Important Events:
    • Consider logging the following events:
      • Successful and failed access attempts
      • Changes to system configurations
      • Use of privileges and utility programs
      • Access and deletion of files
      • Security system activations and deactivations
      • Creation, modification, or deletion of identities
      • User transactions in applications (including third-party services)
  4. Synchronise Time Across Systems:
    • Use synchronised time sources (see control A.8.17 Clock synchronization) so that events from different systems can be placed on one timeline; without a common clock, logs cannot be reliably correlated during analysis and incident investigations.

Protecting Logs

  1. Restrict Log Deletion and Modification:
    • Users, including those with privileged access, should not be able to delete or deactivate logs of their own activities.
  2. Implement Log Protection Measures:
    • Protect logs from unauthorised changes (editing or deleting log files, altering which event types are recorded) and from operational problems such as log storage filling up and older events being overwritten. Consider techniques such as cryptographic hashing, writing to append-only or read-only files, and public transparency files.
  3. Archive Logs When Needed:
    • Some logs may need to be archived for data retention or evidence requirements.
  4. De-identify Logs for External Use:
    • When sending logs to vendors for troubleshooting, de-identify sensitive information (user IDs, IP addresses, e-mail addresses and other personal data) using data masking techniques before sharing.
  5. Protect Sensitive Data:
    • Since logs may contain sensitive information, including personally identifiable information (PII), apply appropriate privacy protection measures.
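The following is an added example (not code from the original article or from any ISO publication) showing two of the techniques named in items 2 and 4 above: a hash-chained, append-only log whose verification detects edited or deleted records, and keyed pseudonymisation plus regex masking to de-identify records before they leave the organisation. The event schema, the field names and the sample events are constructed for illustration and are not from any real system.

```python
import copy
import hashlib
import hmac
import json
import re
from typing import Dict, List, Tuple

# Constructed sample events, not taken from any real system. The field names are my
# assumption; what matters is the chaining and the masking, not the schema.
SAMPLE_EVENTS: List[Dict] = [
    {"ts": "2024-05-01T09:00:01Z", "user": "alice", "action": "login",
     "result": "success", "src_ip": "10.0.0.12"},
    {"ts": "2024-05-01T09:05:42Z", "user": "bob", "action": "login",
     "result": "failure", "src_ip": "203.0.113.7"},
    {"ts": "2024-05-01T09:06:10Z", "user": "bob", "action": "file_delete",
     "result": "success", "src_ip": "203.0.113.7", "path": "/srv/data/report.xlsx"},
    {"ts": "2024-05-01T09:07:30Z", "user": "carol", "action": "password_reset",
     "result": "success", "src_ip": "10.0.0.40",
     "msg": "reset link sent to carol@example.com"},
]

GENESIS = "0" * 64  # stands in for the hash of the record before the first one


def _canonical(event: Dict) -> str:
    # Deterministic serialisation so the same event always hashes identically.
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


def _link_hash(prev: str, event: Dict) -> str:
    return hashlib.sha256((prev + "\n" + _canonical(event)).encode()).hexdigest()


def append_record(chain: List[Dict], event: Dict) -> Dict:
    """Append an event whose hash commits to the previous record's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"prev": prev, "event": event, "hash": _link_hash(prev, event)}
    chain.append(record)
    return record


def build_chain(events: List[Dict]) -> List[Dict]:
    chain: List[Dict] = []
    for event in events:
        append_record(chain, event)
    return chain


def verify_chain(chain: List[Dict]) -> Tuple[bool, int]:
    """Recompute every link from genesis. Returns (ok, index of first bad record or -1)."""
    prev = GENESIS
    for i, record in enumerate(chain):
        if record["prev"] != prev or record["hash"] != _link_hash(prev, record["event"]):
            return False, i
        prev = record["hash"]
    return True, -1


def rebuild_after_edit(chain: List[Dict], index: int, field: str, value) -> List[Dict]:
    """What a privileged attacker does: edit one record, then recompute every later hash."""
    events = [copy.deepcopy(r["event"]) for r in chain]
    events[index][field] = value
    return build_chain(events)


def integrity_check(chain: List[Dict], anchored_head: str) -> str:
    """Internal consistency alone is not enough against someone who can rewrite the file;
    the head hash must also match a copy kept out of their reach (remote log server,
    WORM/object-lock bucket, or a public transparency log)."""
    ok, bad = verify_chain(chain)
    if not ok:
        return f"chain broken at record {bad}"
    if chain[-1]["hash"] != anchored_head:
        return "chain internally consistent but head differs from anchored copy"
    return "ok"


# --- De-identification before sharing with a vendor (item 4 above) ---------------------
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PSEUDONYMISED_FIELDS = {"user", "src_ip"}


def pseudonymise(value: str, secret: bytes) -> str:
    """Keyed one-way token: equal inputs give equal tokens, so the vendor can still
    correlate lines, but without the in-house secret the token cannot be reversed."""
    return hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()[:12]


def mask_event(event: Dict, secret: bytes) -> Dict:
    masked = {}
    for key, value in event.items():
        if key in PSEUDONYMISED_FIELDS:
            masked[key] = "pseud:" + pseudonymise(str(value), secret)
        elif isinstance(value, str):
            # Free-text fields: scrub addresses that leaked into message text.
            masked[key] = EMAIL_RE.sub("<email>", IPV4_RE.sub("<ip>", value))
        else:
            masked[key] = value
    return masked
```

Two points the code makes that the bullet list does not: a plain hash chain only proves the file is self-consistent, so the current head hash has to be copied periodically to storage the logging host cannot overwrite (that is the role of the append-only store or public transparency file), and de-identification should be keyed and consistent rather than a blanket redaction, otherwise the vendor loses the ability to follow one user or source address across lines, which is usually why they asked for the logs.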

Log Analysis

  1. Regularly Analyse Logs:
    • Analyse logs to identify unusual activities or potential security threats. This includes:
      • Reviewing access attempts
      • Checking DNS logs for suspicious network connections
      • Examining service usage reports for anomalies
      • Including physical monitoring event logs for comprehensive analysis
  2. Use Tools for Efficient Analysis:
    • Utilise security information and event management (SIEM) tools or equivalent services to store, correlate, normalise, and analyse log information. These tools can also generate alerts for significant security events.
  3. Support Analysis with Monitoring:
    • Complement log analysis with specific monitoring activities to detect and investigate anomalous behaviour effectively.
  4. Investigate Security Incidents:
    • Investigate any suspected or actual security incidents identified through log analysis, such as malware infections or firewall probing.
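As an added example (not code from the original article or from any ISO publication), the detection logic below runs over constructed sample log lines and covers two of the checks listed above: reviewing access attempts, and checking DNS logs for suspicious activity. It also shows why the time-synchronisation step matters: one source stamps local time and the other UTC, and the attack only becomes visible once both are normalised to one clock. The log formats, hostnames, addresses and thresholds are my assumptions for illustration; the sliding-window counter is generic and serves both checks, which goes slightly beyond the two specific bullets.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Callable, Deque, Dict, List

# Constructed sample lines in a syslog-like layout (my assumption, not any product's real
# format). The VPN gateway stamps local time (+02:00), the bastion stamps UTC: the attack
# only lines up once both are converted to one clock, which is what time sync buys you.
AUTH_LINES = [
    "2024-05-01T11:00:01+02:00 vpn-gw sshd: Failed password for admin from 198.51.100.23",
    "2024-05-01T11:00:09+02:00 vpn-gw sshd: Failed password for admin from 198.51.100.23",
    "2024-05-01T11:00:17+02:00 vpn-gw sshd: Failed password for admin from 198.51.100.23",
    "2024-05-01T11:00:25+02:00 vpn-gw sshd: Failed password for admin from 198.51.100.23",
    "2024-05-01T11:00:33+02:00 vpn-gw sshd: Failed password for root from 198.51.100.23",
    "2024-05-01T09:00:40Z bastion sshd: Accepted password for alice from 10.0.0.12",
    "2024-05-01T09:01:05Z bastion sshd: Accepted password for admin from 198.51.100.23",
]
DNS_LINES = [
    "2024-05-01T09:02:00Z resolver named: client 10.0.0.40 query a1b2c3.updates-cdn.example NXDOMAIN",
    "2024-05-01T09:02:01Z resolver named: client 10.0.0.40 query d4e5f6.updates-cdn.example NXDOMAIN",
    "2024-05-01T09:02:01Z resolver named: client 10.0.0.12 query www.example.org NOERROR",
    "2024-05-01T09:02:02Z resolver named: client 10.0.0.40 query g7h8i9.updates-cdn.example NXDOMAIN",
    "2024-05-01T09:02:03Z resolver named: client 10.0.0.40 query j0k1l2.updates-cdn.example NXDOMAIN",
    "2024-05-01T09:02:04Z resolver named: client 10.0.0.40 query m3n4o5.updates-cdn.example NXDOMAIN",
]

AUTH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
                     r"for (?P<user>\S+) from (?P<ip>\S+)$")
DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) named: client (?P<ip>\S+) query (?P<qname>\S+) "
                    r"(?P<rcode>\S+)$")


def to_utc(stamp: str) -> datetime:
    """Normalise an ISO 8601 stamp with any offset (or 'Z') to an aware UTC datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse(lines: List[str], pattern: "re.Pattern") -> List[Dict]:
    events = []
    for line in lines:
        m = pattern.match(line)
        if m:  # lines in an unknown layout are skipped rather than silently mangled
            ev = m.groupdict()
            ev["ts"] = to_utc(ev["ts"])
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])  # one clock, so ordering is meaningful


def bursts(events: List[Dict], key: str, hit: Callable[[Dict], bool],
           threshold: int, window: timedelta) -> List[Dict]:
    """Sliding-window counter: alert when `threshold` events satisfying `hit` share the
    same `key` within `window`. Fires once per burst, at the event crossing the threshold."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts = []
    for ev in events:
        if not hit(ev):
            continue
        q = recent[ev[key]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) == threshold:
            alerts.append({"type": "burst", key: ev[key], "at": ev["ts"].isoformat(),
                           "count": len(q)})
    return alerts


def analyse_auth(lines: List[str], threshold: int = 5,
                 window: timedelta = timedelta(seconds=120)) -> List[Dict]:
    """Failed-login bursts per source address, plus the higher-value signal: a successful
    login from an address that was brute-forcing moments earlier."""
    events = parse(lines, AUTH_RE)
    alerts = bursts(events, "ip", lambda e: e["result"] == "Failed", threshold, window)
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    for ev in events:
        q = failures[ev["ip"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
        elif len(q) >= threshold:
            alerts.append({"type": "success_after_failures", "ip": ev["ip"],
                           "user": ev["user"], "at": ev["ts"].isoformat()})
    return alerts


def analyse_dns(lines: List[str], threshold: int = 5,
                window: timedelta = timedelta(seconds=30)) -> List[Dict]:
    """NXDOMAIN bursts from one client: a common sign of DGA beaconing or DNS tunnelling."""
    return bursts(parse(lines, DNS_RE), "ip", lambda e: e["rcode"] == "NXDOMAIN",
                  threshold, window)
```

Read without normalising the clocks, the gateway's failures appear at 11:00 and the bastion's successful admin login at 09:01, so the success looks like it happened two hours before the attack and no rule fires; after `to_utc` the failures sit at 09:00:01 to 09:00:33 and the success at 09:01:05, and both alerts trigger. The thresholds are deliberately low so the sample is short; in production they would be tuned per source, as the SIEM note below says.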

Additional Information

  • Managing Large Volumes of Log Data:
    • Use utility programs or audit tools to filter and highlight significant events from large volumes of log data.
  • Implementing SIEM Systems:
    • SIEM systems need careful configuration, including selecting appropriate log sources, tuning rules, and developing use cases, to maximise their effectiveness.
  • Cloud Environments:
    • In cloud environments, log management responsibilities may be shared between the organisation and the cloud service provider, depending on the type of cloud service used.