ISO 27701, Clause 6.9.4 – Logging and Monitoring

ISO 27701 Controls and Clauses Explained

Book a demo

close up,of,male,hands,using,laptop,at,office,,man's,hands

Logging and monitoring is a crucial part of an organisation’s privacy protection operation, that allows staff to both detect and analyse malicious activity across a network, and gather a body of data which serves to bolster future security initiatives.

What’s Covered in ISO 27701 Clause 6.9.4

ISO 27701 6.9.4 contains three sub-clauses, that present information security guidance from ISO 27002 within the context of privacy protection:

  • ISO 27701 – 6.9.4.1 Event logging (References ISO 27002 control 8.15)
  • ISO 27701 – 6.9.4.2 Protection of log information (References ISO 27002 control 8.15)
  • ISO 27701 – 6.9.4.4 Clock synchronisation (References ISO 27002 control 8.17)

Sub-clauses 6.9.4.1 and 6.9.4.2 both contain extensive additional guidance on managing logging and monitoring alongside PII-related activities. Several clauses also contain information that is applicable within UK GDPR legislation, with the relevant articles provided below.

Please note that GDPR citations are for indicative purposes only. Organisations should scrutinise the legislation and make their own judgement on what parts of the law applies to them.

Achieve ISO 27701 Success

See our platform in action with a tailored hands-on session based on your needs and goals.

Book your demo
img

ISO 27701 Clause 6.9.4.1 – Event Logging

References ISO 27002 Control 8.15

ISO defines an ‘event’ as any action performed by a digital or physical presence/entity on a computer system.

Event logs should contain:

  • A user ID – Who or what account performed the actions.
  • A record of system activity.
  • Timestamps.
  • Device and system identifiers, and the location of the event.
  • IP address information.

Event Types

ISO identifies 11 events/components that require logging (and linked to the same time source – see ISO 27002 control 8.17), in order to maintain PII security and improve organisational privacy protection:

  • System access attempts.
  • Data access attempts.
  • Resource access attempts.
  • OS configuration changes.
  • Elevated privileges.
  • Utility programs and maintenance facilities (see ISO 27002 control 8.18).
  • File access requests, and what occurred (deletion, migration etc).
  • Critical interrupts.
  • Activities surrounding security/antimalware systems.
  • Identity administration work (e.g. user additions and deletions).
  • Selected application session activities.

Log Protection

Logs should be protected against unauthorised changes or operational anomalies, including:

  • Message type amendments.
  • Deletion or editing.
  • Over-writing due to storage issues.

Organisations should engage with the following techniques, in order to improve log-based security:

  • Cryptographic hashing.
  • Append-only recording.
  • Read-only recording.
  • Use of public transparency files.

When the need arises to provide logs to external organisations, strict measures should be taken to safeguard PII and privacy-related information, in accordance with accepted data privacy standards (see ISO 27002 control 5.34 and additional guidance below).

Log Analysis

Logs will need to be analysed from time to time, in order to improve privacy protection on the whole, and to both resolve and prevent security breaches.

When performing log analysis, organisations should take into account:

  • The expertise of the personnel carrying out the analysis.
  • The type, category and attribute of each event type.
  • Any exceptions that are applied via network rules emanating from security software hardware and platforms.
  • Anomalous network traffic.
  • Specialised data analysis.
  • Available threat intelligence (either internally, or from a trusted third party source).

Log Monitoring

Log monitoring offers organisations the chance to protect PII at source and foster a proactive approach to privacy protection.

Organisations should:

  • Review internal and external attempts to access secure resources.
  • Analyse DNS logs (and data usage reports) to identify traffic to and from malicious sources.
  • Collect logs from physical access points and physical perimeter security devices (entry systems etc).

Additional PII-Related Guidance

ISO requires organisations to monitor logs pertaining to PII through a ‘continuous and automated monitoring and alerting process‘. This may necessitate a separate set of procedures that monitor access to PII.

Organisations should ensure that – as a priority – logs provide a clear account of access to PII, including:

  • Who accessed the data.
  • When the data was accessed.
  • Which principal’s PII was accessed.
  • Any changes that were made.

Organisations should decide ‘if, when and how‘ PII log information should be made available to customers, with any criteria being made freely available to the principals themselves and great care taken to ensure that PII principals are only able to access information pertaining to them.

Applicable GDPR Articles

  • Article 5 – (1)(f)

Relevant ISO 27002 Controls

  • ISO 27002 5.34
  • ISO 27002 8.11
  • ISO 27002 8.17
  • ISO 27002 8.18

Discover our platform

Book a tailored hands-on session
based on your needs and goals
Book your demo

We’re cost-effective and quick

Discover how easy ISO 27701 is with ISMS.online
Get your quote

ISO 27701 Clause 6.9.4.2 – Protection of Log Information

References ISO 27002 Control 8.15

See ISO 27701 Clause 6.9.4.1

Additional PII-Related Guidance

Organisations should dedicate a lot of attention towards ensuring that logs which contain PII are properly controlled, and benefit from secure monitoring.

Automated procedures should be put in place that either deletes or ‘de-identifies’ logs, in line with a published retention policy (see ISO 27002 control 7.4.7).

Applicable GDPR Articles

  • Article 5 – (1)(f)

ISO 27701 Clause 6.9.4.3 – Administrator and Operator Logs

References ISO 27002 Control 8.15

See ISO 27701 Clause 6.9.4.1

ISO 27701 Clause 6.9.4.4 – Clock Synchronisation

References ISO 27002 Control 8.17

ISO requires organisations to establish a standard reference time that can be used across all privacy protection systems.

Organisations should:

  • Consider their requirements for three aspects of clock synchronisation: time representation, reliable synchronisation, accuracy.
  • Address their needs within the scope of their legal, statutory, regulatory, contractual and monitoring obligations.
  • Utilise an atomic clock service as a singular reference point.
  • Use two separate time sources to improve redundancy and bolster resilience during critical incidents.
  • Consider the implications of using time sources that emanate from different platforms and providers – e.g. on-premise domain services vs. third-party cloud service providers.

Supporting Controls From ISO 27002 and GDPR

ISO 27701 Clause IdentifierISO 27701 Clause NameISO 27002 ControlAssociated GDPR Articles
6.9.4.1Event Logging8.15 – Logging for ISO 27002Article (5)
6.9.4.2Protection of Log Information8.15 – Logging for ISO 27002Article (5)
6.9.4.3Administrator and Operator Logs8.15 – Logging for ISO 27002None
6.9.4.4Clock Synchronisation8.17 – Clock Synchronisation for ISO 27002None

How ISMS.online Helps

Building your own PIMS system tends to be a better way to end up a system that fits your business processes.

A bespoke system may save you money and is likely to be easier to use, configure and adapt to your data processors and controllers.

Some organisations find the idea of building their own system daunting and a task that leads them to look for off the shelf systems.

Whichever route you choose to follow for your organisation, our cloud-based solutions at ISMS.online will help make sure that you keep the documentation required to meet the standard.

Find out more by booking a demo.

See our platform
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

Simple. Secure. Sustainable.

See our platform in action with a tailored hands-on session based on your needs and goals.

Book your demo
img

Explore ISMS.online's platform with a self-guided tour - Start Now