ISO 27001:2022 Annex A 8.15 – Logging

• See ISO 27002:2022 Control 8.15 for more information.
• See ISO 27001:2013 Annex A 12.4.1 for more information.
• See ISO 27001:2013 Annex A 12.4.2 for more information.
• See ISO 27001:2013 Annex A 12.4.3 for more information.

Purpose of ISO 27001:2022 Annex A 8.15

Logs are a crucial component of achieving a comprehensive overview of ICT activities and personnel actions. They enable organisations to construct a timeline of occasions and examine both logical and physical trends across their whole network.

Producing accessible, straightforward log data is a critical aspect of an organisation’s general ICT plan, along with numerous major information security controls in ISO 27001:2022.

Logs should be regularly checked:

• Record occurrences.
• Gather data and acquire proof.
• Maintain their integrity.
• Ensure the security of log data from unauthorised access.
• Identify activities and occurrences that might cause a breach of information/security.
• This serves as an aid to both internal and external enquiries.

Ownership of Annex A 8.15

ISO 27001:2022 Annex A 8.15 covers IT operations requiring system administrator access. It encompasses network management and maintenance. Therefore, the Head of IT, or their equivalent, is responsible for this control.

Guidance on Event Log Information

An event is any activity carried out by a physical or logical entity on a computer system, such as a request for data, remote login, automatic shutdown of the system, or deletion of a file.

ISO 27001:2022 Annex A 8.15 states that for each event log to fulfil its purpose, it must contain five main components:

• The user ID associated with the person.
• System activity can be monitored to identify what took place.
• At a certain date and time, an event occurred.
• The event took place on the device/system and its location was identified.
• Network addresses and protocols – IP information.

Guidance on Event Types

It may not be possible to log every occurrence on a network for practical reasons. Logging each event may not feasible.

ISO 27001:2022 Annex A 8.15 specifies ten events that should be logged, as they can affect risk and sustain an appropriate level of information security:

1. System access attempts will be tracked and monitored.
2. Attempts to access data and/or resources will be monitored. Any such activity that is seen as suspicious will be reported.
3. System/OS configuration alterations.
4. The use of high-level privileges.
5. Utilise utility programs or maintenance facilities (as per ISO 27001:2022 Annex A 8.18).
6. File access requests, with deletions, migrations, etc.
7. Access control alarms and important interrupts.
8. Activation and/or deactivation of front and back end security systems, e.g. client-side antivirus software and firewall protection systems.
9. Identity administration.
10. Certain actions or modifications to the system/data done during a session within an application.

As ISO 27001:2022 Annex A 8.17 outlines, it is essential to ensure all logs are synced to the same time source (or sources) and, in the event of third-party application logs, any time discrepancies must be addressed and documented.

Guidance on Log Protection

Logs are the most fundamental way to determine user, system, and application activity on a network, especially when investigations are taking place.

It is essential for organisations to guarantee that users, regardless of their permission levels, cannot delete or alter their own event logs.

Logs should be complete, accurate and safeguarded against any unauthorised modifications or disruptions, including:

• Deleted or edited log files.
• Message type amendments.
• Failure to produce a log or overwriting of logs due to storage or network problems should be avoided.

ISO advises that to enhance information security, logs ought to be safeguarded with the following techniques:

• Read-only recording.
• Use of public transparency files.
• Cryptographic hashing.
• Append-only recording.

Organisations may require sending logs to vendors to address incidents and faults. When this is necessary, logs should be “de-identified” (as per ISO 27001:2022 Annex A 8.11) with the following info masked:

• IP addresses.
• Hostnames.
• Usernames.

To ensure PII is protected, steps should be taken in accordance with the organisation’s data privacy regulations and existing laws (refer to ISO 27001:2022 Annex A 5.34).

Guidance on Log Analysis

When assessing logs to pinpoint, tackle and explain cyber security incidents – with the aim of preventing recurrences – consider the following:

• The personnel conducting the analysis possess a high level of expertise.
• Logs are analysed in accordance with company protocol.
• The events to be analysed must be categorised and identified by type and attribute.
• Exceptions that result from network rules generated by security software, hardware, and platforms are to be applied.
• The typical progression of network traffic as opposed to unpredictable patterns.
• Specialised data analysis reveals trends that are noteworthy.
• Threat intelligence.

Guidance on Log Monitoring

Log analysis should be conducted jointly with thorough monitoring activities that detect essential patterns and uncommon behaviour.

Organisations should take a two-pronged approach to reach their goals:

• Review any attempts to access secure and business-critical resources, such as domain servers, web portals, and file-sharing platforms.
• Examine DNS records to identify any outgoing traffic associated with malicious sources and detrimental server procedures.
• Gather data usage records from service vendors or internal systems to recognise any malicious behaviour.
• Gather records from physical entry points, like key card/fob logs and room access data.

Supplementary Information

Organisations should ponder utilising specialised utility programs to sift through the immense amount of information produced by system logs, thus saving time and resources when probing security incidents, e.g. a SIEM tool.

If an organisation employs a cloud-based platform for any part of their operations, log management should be a shared responsibility between the service provider and the organisation.

Accompanying Annex A Controls

• ISO 27001:2022 Annex A 5.34
• ISO 27001:2022 Annex A 8.11
• ISO 27001:2022 Annex A 8.17
• ISO 27001:2022 Annex A 8.18

Changes and Differences from ISO 27001:2013

ISO 27001:2022 Annex A 8.15 supersedes three controls from ISO 27001:2013 which cover the storing, managing and analysing of log files:

• 12.4.1 – Event Logging
• 12.4.2 – Protection of Log Information
• 12.4.3 – Administrator and Operator Logs

ISO 27001:2022 Annex A 8.15 largely aligns the guidance from the three controls previously discussed, forming a clear protocol that covers logging, along with some notable additions such as:

• Guidelines that address the protection of log information in an expanded manner.
• Advice on the different kinds of occurrences that should be examined closely.
• Guidance on monitoring and analysing logs to improve information security.
• How to manage logs generated by cloud-based platforms.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

How ISMS.online Help

The ISMS.online platform facilitates the entirety of ISO 27001 implementation, beginning with risk assessment activities, and concluding with the establishment of policies, procedures, and guidelines to meet the standard’s criteria.

ISMS.online provides organisations with a straightforward path to ISO 27001 compliance via its automated tool-set. Its user-friendly features make it simple to demonstrate adherence to the standard.

Get in touch with us now to arrange a demonstration.