ISO 27701 Clause 6.9.4: Strengthening Privacy Through Logging and Monitoring

Logging and monitoring is a crucial part of an organisation’s privacy protection operation. It allows staff to detect and analyse malicious activity across a network, and to gather a body of data that bolsters future security initiatives.

What’s Covered in ISO 27701 Clause 6.9.4

ISO 27701 6.9.4 contains three sub-clauses that present information security guidance from ISO 27002 within the context of privacy protection:

  • ISO 27701 – 6.9.4.1 Event logging (References ISO 27002 control 8.15)
  • ISO 27701 – 6.9.4.2 Protection of log information (References ISO 27002 control 8.15)
  • ISO 27701 – 6.9.4.4 Clock synchronisation (References ISO 27002 control 8.17)

Sub-clauses 6.9.4.1 and 6.9.4.2 both contain extensive additional guidance on managing logging and monitoring alongside PII-related activities. Several clauses also contain information that is applicable under UK GDPR legislation; the relevant articles are provided below.

Please note that GDPR citations are for indicative purposes only. Organisations should scrutinise the legislation and make their own judgement on which parts of the law apply to them.




ISO 27701 Clause 6.9.4.1 – Event Logging

References ISO 27002 Control 8.15

ISO defines an ‘event’ as any action performed by a digital or physical presence/entity on a computer system.

Event logs should contain:

  • A user ID – Who or what account performed the actions.
  • A record of system activity.
  • Timestamps.
  • Device and system identifiers, and the location of the event.
  • IP address information.

Event Types

ISO identifies 11 events/components that require logging (with all logs linked to the same time source – see ISO 27002 control 8.17), in order to maintain PII security and improve organisational privacy protection:

  • System access attempts.
  • Data access attempts.
  • Resource access attempts.
  • OS configuration changes.
  • Elevated privileges.
  • Utility programs and maintenance facilities (see ISO 27002 control 8.18).
  • File access requests, and what occurred (deletion, migration etc).
  • Critical interrupts.
  • Activities surrounding security/antimalware systems.
  • Identity administration work (e.g. user additions and deletions).
  • Selected application session activities.

Log Protection

Logs should be protected against unauthorised changes or operational anomalies, including:

  • Message type amendments.
  • Deletion or editing.
  • Over-writing due to storage issues.

Organisations should use the following techniques to improve log-based security:

  • Cryptographic hashing.
  • Append-only recording.
  • Read-only recording.
  • Use of public transparency files.

When the need arises to provide logs to external organisations, strict measures should be taken to safeguard PII and privacy-related information, in accordance with accepted data privacy standards (see ISO 27002 control 5.34 and additional guidance below).

Log Analysis

Logs will need to be analysed from time to time, in order to improve privacy protection on the whole, and to both resolve and prevent security breaches.

When performing log analysis, organisations should take into account:

  • The expertise of the personnel carrying out the analysis.
  • The type, category and attribute of each event type.
  • Any exceptions that are applied via network rules emanating from security software, hardware and platforms.
  • Anomalous network traffic.
  • Specialised data analysis.
  • Available threat intelligence (either internally, or from a trusted third party source).

Log Monitoring

Log monitoring offers organisations the chance to protect PII at source and foster a proactive approach to privacy protection.

Organisations should:

  • Review internal and external attempts to access secure resources.
  • Analyse DNS logs (and data usage reports) to identify traffic to and from malicious sources.
  • Collect logs from physical access points and physical perimeter security devices (entry systems etc).

Additional PII-Related Guidance

ISO requires organisations to monitor logs pertaining to PII through a ‘continuous and automated monitoring and alerting process’. This may necessitate a separate set of procedures that monitor access to PII.

Organisations should ensure that – as a priority – logs provide a clear account of access to PII, including:

  • Who accessed the data.
  • When the data was accessed.
  • Which principal’s PII was accessed.
  • Any changes that were made.
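
The log-protection techniques listed earlier (cryptographic hashing, append-only recording) and the PII access fields just listed can be combined in one tamper-evident record format. The following Python is an added example, not code from the standard or from ISMS.online; the field names, the hash-chain layout and the sample users, principal IDs and addresses are assumptions constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first record

def _digest(record):
    # Canonical JSON (sorted keys) so the same record always hashes identically.
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

def append_access(log, user_id, principal_id, action, changes, system_id, source_ip, when):
    """Append one PII access record, chained to the hash of the previous record."""
    record = {
        "timestamp": when.astimezone(timezone.utc).isoformat(),  # one shared clock (8.17)
        "user_id": user_id,            # who accessed the data
        "principal_id": principal_id,  # whose PII was accessed
        "action": action,
        "changes": changes,            # what changed; None for read-only access
        "system_id": system_id,
        "source_ip": source_ip,
        "prev_hash": log[-1]["hash"] if log else GENESIS,
    }
    record["hash"] = _digest(record)  # computed before the hash field is added
    log.append(record)
    return record["hash"]

def verify_chain(log):
    """(True, None) if every record hashes and links correctly, else (False, first bad index)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev_hash"] != prev or _digest(body) != rec["hash"]:
            return False, i
        prev = rec["hash"]
    return True, None

def build_sample_log():
    # Constructed sample records: user names, principal IDs and addresses are made up.
    log, t = [], datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)
    append_access(log, "alice", "P-1001", "read", None, "crm-01", "10.0.0.5", t)
    append_access(log, "bob", "P-1002", "update", {"email": "changed"}, "crm-01", "10.0.0.9", t)
    append_access(log, "alice", "P-1001", "export", None, "crm-02", "10.0.0.5", t)
    return log

def tamper_demo():
    # Editing a field or deleting a record is detected at the first record it affects.
    edited, deleted = build_sample_log(), build_sample_log()
    edited[1]["user_id"] = "mallory"
    del deleted[1]
    return verify_chain(build_sample_log()), verify_chain(edited), verify_chain(deleted)
```

Because each record commits to its predecessor, an edited field or a removed record is reported at the first index whose hash or link no longer matches.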

Organisations should decide ‘if, when and how’ PII log information should be made available to customers, with any criteria being made freely available to the principals themselves and great care taken to ensure that PII principals are only able to access information pertaining to them.

Applicable GDPR Articles

  • Article 5 – (1)(f)

Relevant ISO 27002 Controls

  • ISO 27002 5.34
  • ISO 27002 8.11
  • ISO 27002 8.17
  • ISO 27002 8.18



ISO 27701 Clause 6.9.4.2 – Protection of Log Information

References ISO 27002 Control 8.15

See ISO 27701 Clause 6.9.4.1

Additional PII-Related Guidance

Organisations should pay close attention to ensuring that logs which contain PII are properly controlled and securely monitored.

Automated procedures should be put in place that either delete or ‘de-identify’ logs, in line with a published retention policy (see ISO 27002 control 7.4.7).
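
One way to automate that retention step in Python, as an added example (not the standard's or ISMS.online's own procedure): records past a de-identification age have their direct identifiers replaced with keyed pseudonyms, and records past the deletion age are dropped. The 90-day and 365-day horizons, the key and the sample records are constructed assumptions.

```python
import hmac
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed policy values; real horizons come from the organisation's published retention policy.
DEIDENTIFY_AFTER = timedelta(days=90)
DELETE_AFTER = timedelta(days=365)
IDENTIFYING_FIELDS = ("user_id", "principal_id", "source_ip")

def pseudonymise(value, key):
    # Keyed hash: the same identifier maps to the same token, so events stay correlatable
    # for analysis, but without the key the token cannot be reversed or rebuilt by guessing.
    return "pseud:" + hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()[:16]

def apply_retention(records, key, now):
    """Return the records that survive the policy: recent ones unchanged, older ones
    de-identified, and those past the deletion horizon dropped entirely."""
    kept = []
    for rec in records:
        age = now - datetime.fromisoformat(rec["timestamp"])
        if age >= DELETE_AFTER:
            continue
        if age >= DEIDENTIFY_AFTER:
            rec = dict(rec)  # work on a copy; the stored log itself stays append-only
            for field in IDENTIFYING_FIELDS:
                if field in rec:
                    rec[field] = pseudonymise(rec[field], key)
            rec["deidentified"] = True
        kept.append(rec)
    return kept

def sample_records():
    # Constructed log lines: user names, principal IDs and addresses are made up.
    def rec(ts, user, principal, ip, action):
        return {"timestamp": ts, "user_id": user, "principal_id": principal,
                "source_ip": ip, "action": action}
    return [rec("2024-06-01T09:30:00+00:00", "alice", "P-1001", "10.0.0.5", "read"),
            rec("2024-02-01T09:30:00+00:00", "bob", "P-1002", "10.0.0.9", "update"),
            rec("2023-05-01T09:30:00+00:00", "alice", "P-1001", "10.0.0.5", "export")]

def demo(now=datetime(2024, 6, 15, tzinfo=timezone.utc), key=b"constructed-demo-key"):
    # Two of the three sample records survive: one untouched, one de-identified.
    kept = apply_retention(sample_records(), key, now)
    return [(r["user_id"], r.get("deidentified", False)) for r in kept]
```

The policy produces a new copy rather than editing the stored records, so an append-only log store (see Log Protection above) is left untouched.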

Applicable GDPR Articles

  • Article 5 – (1)(f)

ISO 27701 Clause 6.9.4.3 – Administrator and Operator Logs

References ISO 27002 Control 8.15

See ISO 27701 Clause 6.9.4.1

ISO 27701 Clause 6.9.4.4 – Clock Synchronisation

References ISO 27002 Control 8.17

ISO requires organisations to establish a standard reference time that can be used across all privacy protection systems.

Organisations should:

  • Consider their requirements for three aspects of clock synchronisation: time representation, reliable synchronisation and accuracy.
  • Address their needs within the scope of their legal, statutory, regulatory, contractual and monitoring obligations.
  • Utilise an atomic clock service as a singular reference point.
  • Use two separate time sources to improve redundancy and bolster resilience during critical incidents.
  • Consider the implications of using time sources that emanate from different platforms and providers – e.g. on-premise domain services vs. third-party cloud service providers.

Supporting Controls From ISO 27002 and GDPR

ISO 27701 Clause Identifier | ISO 27701 Clause Name           | ISO 27002 Requirement                      | Associated GDPR Articles
6.9.4.1                     | Event Logging                   | 8.15 – Logging for ISO 27002               | Article (5)
6.9.4.2                     | Protection of Log Information   | 8.15 – Logging for ISO 27002               | Article (5)
6.9.4.3                     | Administrator and Operator Logs | 8.15 – Logging for ISO 27002               | None
6.9.4.4                     | Clock Synchronisation           | 8.17 – Clock Synchronisation for ISO 27002 | None

How ISMS.online Helps

Building your own PIMS system tends to be a better way to end up with a system that fits your business processes.

A bespoke system may save you money and is likely to be easier to use, configure and adapt to your data processors and controllers.

Some organisations find the idea of building their own system daunting, which leads them to look for off-the-shelf systems.

Whichever route you choose to follow for your organisation, our cloud-based solutions at ISMS.online will help make sure that you keep the documentation required to meet the standard.

Find out more by booking a demo.


Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.
