ISO 27001 Annex A 8.15

Logs are the only record of what actually happened - protect them and use them.

ISO 27001 Annex A 8.15 - Logging

Logging is the foundation for detection, investigation and accountability. Without logs, the organisation cannot tell what happened when something goes wrong, cannot prove that controls operated, and cannot detect attacks until they cause visible damage. The control asks for logs to be produced, stored securely, protected from tampering, and actually analysed.

What to log varies by system and sensitivity. Authentication events, privileged access actions, administrative changes, security control operations, and unusual error patterns are typical baseline content. The volume can be large - log management practice usually involves filtering, aggregation and retention rules to keep the most useful content while managing the storage.

Log protection matters because attackers attempt to clear logs to hide their tracks. Centralising logs to a separate system, restricting write access, using append-only or immutable storage, and applying integrity checks all help. The audit trail is only as trustworthy as the protection of the underlying logs.
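The "integrity checks" mentioned above can be made concrete with a hash chain: each stored record carries a SHA-256 over the previous record's hash plus its own content, so editing, deleting or reordering any record breaks the chain, and recording the latest hash somewhere the log host cannot write (the "head") also catches truncation from the end. The following is an added example, not code from the page or from the alphaZ toolkit; the `ChainedLog` class, the `GENESIS` constant and the sample events are constructed for illustration.

```python
"""Tamper-evident log chain: each stored line carries a SHA-256 over the
previous line's hash plus its own event, so editing, deleting or reordering
a record breaks the chain. Added example; not code from the page or the
alphaZ toolkit. The event fields and sample events are constructed."""
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64  # value the first record chains to (constructed constant)

# Constructed sample events of the kind a logging baseline asks for
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ts": "2024-03-02T10:15:01Z", "type": "auth", "user": "alice", "result": "success"},
    {"ts": "2024-03-02T10:16:40Z", "type": "auth", "user": "admin", "result": "failure"},
    {"ts": "2024-03-02T10:17:05Z", "type": "priv", "user": "alice", "action": "sudo systemctl restart nginx"},
    {"ts": "2024-03-02T10:18:22Z", "type": "config", "user": "alice", "action": "firewall rule added"},
]


def _digest(prev_hash: str, event: Dict[str, str]) -> str:
    # Canonical JSON so the same event always hashes the same way
    payload = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


class ChainedLog:
    """Append-only store. In production the lines would be shipped to a
    separate, write-restricted collector and the head hash recorded off-box."""

    def __init__(self) -> None:
        self.lines: List[str] = []
        self.head = GENESIS

    def append(self, event: Dict[str, str]) -> str:
        self.head = _digest(self.head, event)
        self.lines.append(json.dumps({"event": event, "hash": self.head}, sort_keys=True))
        return self.head


def verify_chain(lines: List[str], expected_head: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, otherwise the index of the first
    line that does not match. If expected_head (the last hash recorded
    elsewhere) is given, a chain that is valid but shorter than expected,
    i.e. truncated from the end, is reported at index len(lines)."""
    prev = GENESIS
    for i, line in enumerate(lines):
        try:
            entry = json.loads(line)
            expected = _digest(prev, entry["event"])
        except (ValueError, KeyError, TypeError):
            return i  # malformed line counts as a break in the chain
        if entry["hash"] != expected:
            return i
        prev = expected
    if expected_head is not None and prev != expected_head:
        return len(lines)
    return None


def demo() -> Dict[str, Optional[int]]:
    """Build a chain, then simulate the three things someone clearing their
    tracks would do: edit a record, delete one, and truncate the tail."""
    log = ChainedLog()
    for ev in SAMPLE_EVENTS:
        log.append(ev)
    edited = list(log.lines)
    entry = json.loads(edited[1])
    entry["event"]["result"] = "success"      # rewrite the failed login
    edited[1] = json.dumps(entry, sort_keys=True)
    deleted = log.lines[:1] + log.lines[2:]   # remove the failed login
    truncated = log.lines[:2]                 # drop the newest records
    return {
        "intact": verify_chain(log.lines, log.head),
        "edited": verify_chain(edited, log.head),
        "deleted": verify_chain(deleted, log.head),
        "truncated": verify_chain(truncated, log.head),
    }


if __name__ == "__main__":
    print(demo())  # {'intact': None, 'edited': 1, 'deleted': 1, 'truncated': 2}
```

The chain on its own cannot tell a complete log apart from one with the newest records removed, which is why `verify_chain` accepts the expected head hash: publishing that value to the central collector (or any store the log host cannot write to) is what turns the chain into a check against truncation as well as edits.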

The logging that helps in incident investigation is the logging that already exists when the incident happens. Turning on logging after an incident is too late for the events that matter. The argument for comprehensive baseline logging is that you cannot predict which events will turn out to be significant, so the cheap insurance is to log enough to be useful afterwards.

Log retention should match the time it typically takes to discover incidents. The dwell time between compromise and detection in many attacks is measured in months. Logs that only go back 30 days do not cover that timeline. Six to twelve months is a typical retention range, with longer for security-relevant events.

Practical Compliance Guidance

Logging arrangements are described in the IMS1 manual at section 8.3 (IT equipment), alongside the wider information security arrangements. SIEM configuration and log retention records provide the operational evidence.

alphaZ document - How to use it

ISO 27001 Toolkit: The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists.

PP-8-100 Information Security Policy Procedure: Contains the Information Security Policy including the logging requirements for different system categories. Use as the source for the logging baseline.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Authentication (success and failure), privileged actions, configuration changes, security control operations (firewall blocks, anti-malware detections), data access for sensitive information, and system errors that may indicate compromise. The detail depends on the system - a general baseline applied to all systems with extensions for higher-sensitivity ones.

Long enough to support incident investigation. Six to twelve months is a typical baseline, with longer retention for security-relevant events and shorter retention for operational debugging logs. Personal data within logs follows the same retention rules as other personal data under data protection law.

For organisations with significant volumes of log data, a Security Information and Event Management (SIEM) tool helps with aggregation, correlation and alerting. Smaller organisations may aggregate logs to a single store and use simpler analysis. The choice should match the scale of the operation.
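The two answers above on what to log and how long to keep it come together in a small pipeline: classify each line into a baseline category (authentication, privileged action, configuration change, security control, error, or operational debug), flag the "unusual error pattern" of repeated authentication failures from one source, and apply a different retention period per category so security-relevant events outlive debugging noise. This is an added example, not code from the page or the alphaZ toolkit; the syslog-style line format, the category rules, the retention periods and the sample lines are all constructed for illustration, with addresses from the documentation ranges.

```python
"""Baseline event classification, failed-login burst detection and
per-category retention over syslog-style lines. Added example; not code from
the page or the alphaZ toolkit. The line format, category rules, retention
periods and the log lines below are all constructed for illustration."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Retention per category in days (constructed values inside the page's
# typical range: security-relevant longest, operational debugging shortest)
RETENTION_DAYS: Dict[str, int] = {
    "authentication": 365, "privileged": 365, "config_change": 365,
    "security_control": 365, "error": 180, "debug": 30,
}

# First matching rule wins; anything unmatched is operational debug noise
RULES: List[Tuple[str, re.Pattern]] = [
    ("authentication", re.compile(r"Failed password|Accepted password|\blog(in|on)\b", re.I)),
    ("privileged", re.compile(r"\bsudo\b|COMMAND=")),
    ("config_change", re.compile(r"\b(changed|modified|config|policy)\b", re.I)),
    ("security_control", re.compile(r"\b(DROP|BLOCK|quarantined|malware)\b", re.I)),
    ("error", re.compile(r"\b(error|fail|exception|timeout)\b", re.I)),
]
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
SRC_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample: four failed logins in 14 seconds, one success, a sudo
# command, a firewall drop, an old debug line and an old error line
SAMPLE_LOG = """\
2024-03-02T10:15:01Z web1 sshd: Failed password for admin from 198.51.100.7 port 51000
2024-03-02T10:15:04Z web1 sshd: Failed password for admin from 198.51.100.7 port 51001
2024-03-02T10:15:09Z web1 sshd: Failed password for root from 198.51.100.7 port 51002
2024-03-02T10:15:15Z web1 sshd: Failed password for admin from 198.51.100.7 port 51003
2024-03-02T10:20:30Z web1 sshd: Accepted password for alice from 203.0.113.5 port 40001
2024-03-02T10:21:02Z web1 sudo: alice : TTY=pts/0 ; COMMAND=/usr/bin/systemctl restart nginx
2024-03-02T10:22:10Z fw1 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=445
2023-12-01T08:00:00Z app1 app: debug cache warm complete in 120ms
2023-08-15T09:30:00Z app1 app: error database connection timeout
"""
NOW = datetime(2024, 3, 3)  # constructed reference time for the retention decision


def classify(msg: str) -> str:
    for category, pattern in RULES:
        if pattern.search(msg):
            return category
    return "debug"


def parse(text: str) -> List[Dict]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real pipeline would count unparseable lines as well
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["category"] = classify(ev["msg"])
        events.append(ev)
    return events


def failed_login_bursts(events: List[Dict], window: timedelta = timedelta(minutes=5),
                        threshold: int = 3) -> Dict[str, int]:
    """Sources with at least `threshold` failed logins inside any `window`."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["category"] == "authentication" and "Failed password" in ev["msg"]:
            m = SRC_RE.search(ev["msg"])
            if m:
                by_src[m.group(1)].append(ev["ts"])
    bursts = {}
    for src, times in by_src.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[src] = best
    return bursts


def apply_retention(events: List[Dict], now: datetime) -> Tuple[List[Dict], List[Dict]]:
    """Split events into those still inside their category's retention and those past it."""
    keep, expire = [], []
    for ev in events:
        limit = timedelta(days=RETENTION_DAYS[ev["category"]])
        (keep if now - ev["ts"] <= limit else expire).append(ev)
    return keep, expire


def analyse_sample() -> Dict:
    events = parse(SAMPLE_LOG)
    keep, expire = apply_retention(events, NOW)
    return {
        "parsed": len(events),
        "categories": dict(Counter(ev["category"] for ev in events)),
        "bursts": failed_login_bursts(events),
        "kept": len(keep),
        "expired": len(expire),
    }


if __name__ == "__main__":
    print(analyse_sample())
```

Rule order matters: a failed login mentions "fail", so the authentication rule is checked before the generic error rule, otherwise the security-relevant event would inherit the shorter error retention. The same structure extends to the higher-sensitivity extensions the answer mentions by adding rules and retention entries rather than changing the pipeline.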
