ISO 27701, Clause 6.9.4 – Logging and Monitoring

ISO 27701 Clause 6.9.4.1 – Event Logging

References ISO 27002 Control 8.15

ISO defines an ‘event’ as any action performed by a digital or physical presence/entity on a computer system.

Event logs should contain:

• A user ID – Who or what account performed the actions.
• A record of system activity.
• Timestamps.
• Device and system identifiers, and the location of the event.
• IP address information.

Event Types

ISO identifies 11 events/components that require logging (and linked to the same time source – see ISO 27002 control 8.17), in order to maintain PII security and improve organisational privacy protection:

• System access attempts.
• Data access attempts.
• Resource access attempts.
• OS configuration changes.
• Elevated privileges.
• Utility programs and maintenance facilities (see ISO 27002 control 8.18).
• File access requests, and what occurred (deletion, migration etc).
• Critical interrupts.
• Activities surrounding security/antimalware systems.
• Identity administration work (e.g. user additions and deletions).
• Selected application session activities.

Log Protection

Logs should be protected against unauthorised changes or operational anomalies, including:

• Message type amendments.
• Deletion or editing.
• Over-writing due to storage issues.

Organisations should engage with the following techniques, in order to improve log-based security:

• Cryptographic hashing.
• Append-only recording.
• Read-only recording.
• Use of public transparency files.

When the need arises to provide logs to external organisations, strict measures should be taken to safeguard PII and privacy-related information, in accordance with accepted data privacy standards (see ISO 27002 control 5.34 and additional guidance below).

Log Analysis

Logs will need to be analysed from time to time, in order to improve privacy protection on the whole, and to both resolve and prevent security breaches.

When performing log analysis, organisations should take into account:

• The expertise of the personnel carrying out the analysis.
• The type, category and attribute of each event type.
• Any exceptions that are applied via network rules emanating from security software hardware and platforms.
• Anomalous network traffic.
• Specialised data analysis.
• Available threat intelligence (either internally, or from a trusted third party source).

Log Monitoring

Log monitoring offers organisations the chance to protect PII at source and foster a proactive approach to privacy protection.

Organisations should:

• Review internal and external attempts to access secure resources.
• Analyse DNS logs (and data usage reports) to identify traffic to and from malicious sources.
• Collect logs from physical access points and physical perimeter security devices (entry systems etc).

Additional PII-Related Guidance

ISO requires organisations to monitor logs pertaining to PII through a ‘continuous and automated monitoring and alerting process‘. This may necessitate a separate set of procedures that monitor access to PII.

Organisations should ensure that – as a priority – logs provide a clear account of access to PII, including:

• Who accessed the data.
• When the data was accessed.
• Which principal’s PII was accessed.
• Any changes that were made.

Organisations should decide ‘if, when and how‘ PII log information should be made available to customers, with any criteria being made freely available to the principals themselves and great care taken to ensure that PII principals are only able to access information pertaining to them.

Applicable GDPR Articles

• Article 5 – (1)(f)

Relevant ISO 27002 Controls

• ISO 27002 5.34
• ISO 27002 8.11
• ISO 27002 8.17
• ISO 27002 8.18

ISO 27701 Clause 6.9.4.2 – Protection of Log Information

References ISO 27002 Control 8.15

See ISO 27701 Clause 6.9.4.1

Additional PII-Related Guidance

Organisations should dedicate a lot of attention towards ensuring that logs which contain PII are properly controlled, and benefit from secure monitoring.

Automated procedures should be put in place that either deletes or ‘de-identifies’ logs, in line with a published retention policy (see ISO 27002 control 7.4.7).

Applicable GDPR Articles

• Article 5 – (1)(f)

ISO 27701 Clause 6.9.4.3 – Administrator and Operator Logs

References ISO 27002 Control 8.15

See ISO 27701 Clause 6.9.4.1

ISO 27701 Clause 6.9.4.4 – Clock Synchronisation

References ISO 27002 Control 8.17

ISO requires organisations to establish a standard reference time that can be used across all privacy protection systems.

Organisations should:

• Consider their requirements for three aspects of clock synchronisation: time representation, reliable synchronisation, accuracy.
• Address their needs within the scope of their legal, statutory, regulatory, contractual and monitoring obligations.
• Utilise an atomic clock service as a singular reference point.
• Use two separate time sources to improve redundancy and bolster resilience during critical incidents.
• Consider the implications of using time sources that emanate from different platforms and providers – e.g. on-premise domain services vs. third-party cloud service providers.

Supporting Controls From ISO 27002 and GDPR

How ISMS.online Helps

Building your own PIMS system tends to be a better way to end up a system that fits your business processes.

A bespoke system may save you money and is likely to be easier to use, configure and adapt to your data processors and controllers.

Some organisations find the idea of building their own system daunting and a task that leads them to look for off the shelf systems.

Whichever route you choose to follow for your organisation, our cloud-based solutions at ISMS.online will help make sure that you keep the documentation required to meet the standard.

Find out more by booking a demo.