- See ISO 27002:2022 Control 8.15 for more information.
- See ISO 27001:2013 Annex A 12.4.1 for more information.
- See ISO 27001:2013 Annex A 12.4.2 for more information.
- See ISO 27001:2013 Annex A 12.4.3 for more information.
Purpose of ISO 27001:2022 Annex A 8.15
Logs are a crucial component of achieving a comprehensive overview of ICT activities and personnel actions. They enable organisations to construct a timeline of occasions and examine both logical and physical trends across their whole network.
Producing accessible, straightforward log data is a critical aspect of an organisation’s general ICT plan, along with numerous major information security controls in ISO 27001:2022.
Logs should be regularly checked:
- Record occurrences.
- Gather data and acquire proof.
- Maintain their integrity.
- Ensure the security of log data from unauthorised access.
- Identify activities and occurrences that might cause a breach of information/security.
- This serves as an aid to both internal and external enquiries.
Ownership of Annex A 8.15
ISO 27001:2022 Annex A 8.15 covers IT operations requiring system administrator access. It encompasses network management and maintenance. Therefore, the Head of IT, or their equivalent, is responsible for this control.
ISO 27001 made easy
An 81% Headstart from day one
We’ve done the hard work for you, giving you an 81% Headstart from the moment you log on. All you have to do is fill in the blanks.
Guidance on Event Log Information
An event is any activity carried out by a physical or logical entity on a computer system, such as a request for data, remote login, automatic shutdown of the system, or deletion of a file.
ISO 27001:2022 Annex A 8.15 states that for each event log to fulfil its purpose, it must contain five main components:
- The user ID associated with the person.
- System activity can be monitored to identify what took place.
- At a certain date and time, an event occurred.
- The event took place on the device/system and its location was identified.
- Network addresses and protocols – IP information.
Guidance on Event Types
It may not be possible to log every occurrence on a network for practical reasons. Logging each event may not feasible.
ISO 27001:2022 Annex A 8.15 specifies ten events that should be logged, as they can affect risk and sustain an appropriate level of information security:
- System access attempts will be tracked and monitored.
- Attempts to access data and/or resources will be monitored. Any such activity that is seen as suspicious will be reported.
- System/OS configuration alterations.
- The use of high-level privileges.
- Utilise utility programs or maintenance facilities (as per ISO 27001:2022 Annex A 8.18).
- File access requests, with deletions, migrations, etc.
- Access control alarms and important interrupts.
- Activation and/or deactivation of front and back end security systems, e.g. client-side antivirus software and firewall protection systems.
- Identity administration.
- Certain actions or modifications to the system/data done during a session within an application.
As ISO 27001:2022 Annex A 8.17 outlines, it is essential to ensure all logs are synced to the same time source (or sources) and, in the event of third-party application logs, any time discrepancies must be addressed and documented.
Free yourself from a mountain of spreadsheets
Embed, expand and scale your compliance, without the mess. IO gives you the resilience and confidence to grow securely.
Guidance on Log Protection
Logs are the most fundamental way to determine user, system, and application activity on a network, especially when investigations are taking place.
It is essential for organisations to guarantee that users, regardless of their permission levels, cannot delete or alter their own event logs.
Logs should be complete, accurate and safeguarded against any unauthorised modifications or disruptions, including:
- Deleted or edited log files.
- Message type amendments.
- Failure to produce a log or overwriting of logs due to storage or network problems should be avoided.
ISO advises that to enhance information security, logs ought to be safeguarded with the following techniques:
- Read-only recording.
- Use of public transparency files.
- Cryptographic hashing.
- Append-only recording.
Organisations may require sending logs to vendors to address incidents and faults. When this is necessary, logs should be “de-identified” (as per ISO 27001:2022 Annex A 8.11) with the following info masked:
- IP addresses.
- Hostnames.
- Usernames.
To ensure PII is protected, steps should be taken in accordance with the organisation’s data privacy regulations and existing laws (refer to ISO 27001:2022 Annex A 5.34).
Guidance on Log Analysis
When assessing logs to pinpoint, tackle and explain cyber security incidents – with the aim of preventing recurrences – consider the following:
- The personnel conducting the analysis possess a high level of expertise.
- Logs are analysed in accordance with company protocol.
- The events to be analysed must be categorised and identified by type and attribute.
- Exceptions that result from network rules generated by security software, hardware, and platforms are to be applied.
- The typical progression of network traffic as opposed to unpredictable patterns.
- Specialised data analysis reveals trends that are noteworthy.
- Threat intelligence.
Manage all your compliance, all in one place
ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.
Guidance on Log Monitoring
Log analysis should be conducted jointly with thorough monitoring activities that detect essential patterns and uncommon behaviour.
Organisations should take a two-pronged approach to reach their goals:
- Review any attempts to access secure and business-critical resources, such as domain servers, web portals, and file-sharing platforms.
- Examine DNS records to identify any outgoing traffic associated with malicious sources and detrimental server procedures.
- Gather data usage records from service vendors or internal systems to recognise any malicious behaviour.
- Gather records from physical entry points, like key card/fob logs and room access data.
Supplementary Information
Organisations should ponder utilising specialised utility programs to sift through the immense amount of information produced by system logs, thus saving time and resources when probing security incidents, e.g. a SIEM tool.
If an organisation employs a cloud-based platform for any part of their operations, log management should be a shared responsibility between the service provider and the organisation.
Accompanying Annex A Controls
- ISO 27001:2022 Annex A 5.34
- ISO 27001:2022 Annex A 8.11
- ISO 27001:2022 Annex A 8.17
- ISO 27001:2022 Annex A 8.18
Changes and Differences from ISO 27001:2013
ISO 27001:2022 Annex A 8.15 supersedes three controls from ISO 27001:2013 which cover the storing, managing and analysing of log files:
- 12.4.1 – Event Logging
- 12.4.2 – Protection of Log Information
- 12.4.3 – Administrator and Operator Logs
ISO 27001:2022 Annex A 8.15 largely aligns the guidance from the three controls previously discussed, forming a clear protocol that covers logging, along with some notable additions such as:
- Guidelines that address the protection of log information in an expanded manner.
- Advice on the different kinds of occurrences that should be examined closely.
- Guidance on monitoring and analysing logs to improve information security.
- How to manage logs generated by cloud-based platforms.
Table of All ISO 27001:2022 Annex A Controls
In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Organisational Controls | Annex A 5.1 |
Annex A 5.1.1 Annex A 5.1.2 |
Policies for Information Security |
| Organisational Controls | Annex A 5.2 | Annex A 6.1.1 | Information Security Roles and Responsibilities |
| Organisational Controls | Annex A 5.3 | Annex A 6.1.2 | Segregation of Duties |
| Organisational Controls | Annex A 5.4 | Annex A 7.2.1 | Management Responsibilities |
| Organisational Controls | Annex A 5.5 | Annex A 6.1.3 | Contact With Authorities |
| Organisational Controls | Annex A 5.6 | Annex A 6.1.4 | Contact With Special Interest Groups |
| Organisational Controls | Annex A 5.7 | NEW | Threat Intelligence |
| Organisational Controls | Annex A 5.8 |
Annex A 6.1.5 Annex A 14.1.1 |
Information Security in Project Management |
| Organisational Controls | Annex A 5.9 |
Annex A 8.1.1 Annex A 8.1.2 |
Inventory of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.10 |
Annex A 8.1.3 Annex A 8.2.3 |
Acceptable Use of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.11 | Annex A 8.1.4 | Return of Assets |
| Organisational Controls | Annex A 5.12 | Annex A 8.2.1 | Classification of Information |
| Organisational Controls | Annex A 5.13 | Annex A 8.2.2 | Labelling of Information |
| Organisational Controls | Annex A 5.14 |
Annex A 13.2.1 Annex A 13.2.2 Annex A 13.2.3 |
Information Transfer |
| Organisational Controls | Annex A 5.15 |
Annex A 9.1.1 Annex A 9.1.2 |
Access Control |
| Organisational Controls | Annex A 5.16 | Annex A 9.2.1 | Identity Management |
| Organisational Controls | Annex A 5.17 |
Annex A 9.2.4 Annex A 9.3.1 Annex A 9.4.3 |
Authentication Information |
| Organisational Controls | Annex A 5.18 |
Annex A 9.2.2 Annex A 9.2.5 Annex A 9.2.6 |
Access Rights |
| Organisational Controls | Annex A 5.19 | Annex A 15.1.1 | Information Security in Supplier Relationships |
| Organisational Controls | Annex A 5.20 | Annex A 15.1.2 | Addressing Information Security Within Supplier Agreements |
| Organisational Controls | Annex A 5.21 | Annex A 15.1.3 | Managing Information Security in the ICT Supply Chain |
| Organisational Controls | Annex A 5.22 |
Annex A 15.2.1 Annex A 15.2.2 |
Monitoring, Review and Change Management of Supplier Services |
| Organisational Controls | Annex A 5.23 | NEW | Information Security for Use of Cloud Services |
| Organisational Controls | Annex A 5.24 | Annex A 16.1.1 | Information Security Incident Management Planning and Preparation |
| Organisational Controls | Annex A 5.25 | Annex A 16.1.4 | Assessment and Decision on Information Security Events |
| Organisational Controls | Annex A 5.26 | Annex A 16.1.5 | Response to Information Security Incidents |
| Organisational Controls | Annex A 5.27 | Annex A 16.1.6 | Learning From Information Security Incidents |
| Organisational Controls | Annex A 5.28 | Annex A 16.1.7 | Collection of Evidence |
| Organisational Controls | Annex A 5.29 |
Annex A 17.1.1 Annex A 17.1.2 Annex A 17.1.3 |
Information Security During Disruption |
| Organisational Controls | Annex A 5.30 | NEW | ICT Readiness for Business Continuity |
| Organisational Controls | Annex A 5.31 |
Annex A 18.1.1 Annex A 18.1.5 |
Legal, Statutory, Regulatory and Contractual Requirements |
| Organisational Controls | Annex A 5.32 | Annex A 18.1.2 | Intellectual Property Rights |
| Organisational Controls | Annex A 5.33 | Annex A 18.1.3 | Protection of Records |
| Organisational Controls | Annex A 5.34 | Annex A 18.1.4 | Privacy and Protection of PII |
| Organisational Controls | Annex A 5.35 | Annex A 18.2.1 | Independent Review of Information Security |
| Organisational Controls | Annex A 5.36 |
Annex A 18.2.2 Annex A 18.2.3 |
Compliance With Policies, Rules and Standards for Information Security |
| Organisational Controls | Annex A 5.37 | Annex A 12.1.1 | Documented Operating Procedures |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| People Controls | Annex A 6.1 | Annex A 7.1.1 | Screening |
| People Controls | Annex A 6.2 | Annex A 7.1.2 | Terms and Conditions of Employment |
| People Controls | Annex A 6.3 | Annex A 7.2.2 | Information Security Awareness, Education and Training |
| People Controls | Annex A 6.4 | Annex A 7.2.3 | Disciplinary Process |
| People Controls | Annex A 6.5 | Annex A 7.3.1 | Responsibilities After Termination or Change of Employment |
| People Controls | Annex A 6.6 | Annex A 13.2.4 | Confidentiality or Non-Disclosure Agreements |
| People Controls | Annex A 6.7 | Annex A 6.2.2 | Remote Working |
| People Controls | Annex A 6.8 |
Annex A 16.1.2 Annex A 16.1.3 |
Information Security Event Reporting |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Physical Controls | Annex A 7.1 | Annex A 11.1.1 | Physical Security Perimeters |
| Physical Controls | Annex A 7.2 |
Annex A 11.1.2 Annex A 11.1.6 |
Physical Entry |
| Physical Controls | Annex A 7.3 | Annex A 11.1.3 | Securing Offices, Rooms and Facilities |
| Physical Controls | Annex A 7.4 | NEW | Physical Security Monitoring |
| Physical Controls | Annex A 7.5 | Annex A 11.1.4 | Protecting Against Physical and Environmental Threats |
| Physical Controls | Annex A 7.6 | Annex A 11.1.5 | Working In Secure Areas |
| Physical Controls | Annex A 7.7 | Annex A 11.2.9 | Clear Desk and Clear Screen |
| Physical Controls | Annex A 7.8 | Annex A 11.2.1 | Equipment Siting and Protection |
| Physical Controls | Annex A 7.9 | Annex A 11.2.6 | Security of Assets Off-Premises |
| Physical Controls | Annex A 7.10 |
Annex A 8.3.1 Annex A 8.3.2 Annex A 8.3.3 Annex A 11.2.5 |
Storage Media |
| Physical Controls | Annex A 7.11 | Annex A 11.2.2 | Supporting Utilities |
| Physical Controls | Annex A 7.12 | Annex A 11.2.3 | Cabling Security |
| Physical Controls | Annex A 7.13 | Annex A 11.2.4 | Equipment Maintenance |
| Physical Controls | Annex A 7.14 | Annex A 11.2.7 | Secure Disposal or Re-Use of Equipment |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Technological Controls | Annex A 8.1 |
Annex A 6.2.1 Annex A 11.2.8 |
User Endpoint Devices |
| Technological Controls | Annex A 8.2 | Annex A 9.2.3 | Privileged Access Rights |
| Technological Controls | Annex A 8.3 | Annex A 9.4.1 | Information Access Restriction |
| Technological Controls | Annex A 8.4 | Annex A 9.4.5 | Access to Source Code |
| Technological Controls | Annex A 8.5 | Annex A 9.4.2 | Secure Authentication |
| Technological Controls | Annex A 8.6 | Annex A 12.1.3 | Capacity Management |
| Technological Controls | Annex A 8.7 | Annex A 12.2.1 | Protection Against Malware |
| Technological Controls | Annex A 8.8 |
Annex A 12.6.1 Annex A 18.2.3 |
Management of Technical Vulnerabilities |
| Technological Controls | Annex A 8.9 | NEW | Configuration Management |
| Technological Controls | Annex A 8.10 | NEW | Information Deletion |
| Technological Controls | Annex A 8.11 | NEW | Data Masking |
| Technological Controls | Annex A 8.12 | NEW | Data Leakage Prevention |
| Technological Controls | Annex A 8.13 | Annex A 12.3.1 | Information Backup |
| Technological Controls | Annex A 8.14 | Annex A 17.2.1 | Redundancy of Information Processing Facilities |
| Technological Controls | Annex A 8.15 |
Annex A 12.4.1 Annex A 12.4.2 Annex A 12.4.3 |
Logging |
| Technological Controls | Annex A 8.16 | NEW | Monitoring Activities |
| Technological Controls | Annex A 8.17 | Annex A 12.4.4 | Clock Synchronization |
| Technological Controls | Annex A 8.18 | Annex A 9.4.4 | Use of Privileged Utility ProgramsAccess Rights |
| Technological Controls | Annex A 8.19 |
Annex A 12.5.1 Annex A 12.6.2 |
Installation of Software on Operational Systems |
| Technological Controls | Annex A 8.20 | Annex A 13.1.1 | Networks Security |
| Technological Controls | Annex A 8.21 | Annex A 13.1.2 | Security of Network Services |
| Technological Controls | Annex A 8.22 | Annex A 13.1.3 | Segregation of Networks |
| Technological Controls | Annex A 8.23 | NEW | Web filtering |
| Technological Controls | Annex A 8.24 |
Annex A 10.1.1 Annex A 10.1.2 |
Use of Cryptography |
| Technological Controls | Annex A 8.25 | Annex A 14.2.1 | Secure Development Life Cycle |
| Technological Controls | Annex A 8.26 |
Annex A 14.1.2 Annex A 14.1.3 |
Application Security Requirements |
| Technological Controls | Annex A 8.27 | Annex A 14.2.5 | Secure System Architecture and Engineering PrinciplesLearning From Information Security Incidents |
| Technological Controls | Annex A 8.28 | NEW | Secure Coding |
| Technological Controls | Annex A 8.29 |
Annex A 14.2.8 Annex A 14.2.9 |
Security Testing in Development and Acceptance |
| Technological Controls | Annex A 8.30 | Annex A 14.2.7 | Outsourced Development |
| Technological Controls | Annex A 8.31 |
Annex A 12.1.4 Annex A 14.2.6 |
Separation of Development, Test and Production Environments |
| Technological Controls | Annex A 8.32 |
Annex A 12.1.2 Annex A 14.2.2 Annex A 14.2.3 Annex A 14.2.4 |
Change Management |
| Technological Controls | Annex A 8.33 | Annex A 14.3.1 | Test Information |
| Technological Controls | Annex A 8.34 | Annex A 12.7.1 | Protection of Information Systems During Audit Testing |
How ISMS.online Help
The ISMS.online platform facilitates the entirety of ISO 27001 implementation, beginning with risk assessment activities, and concluding with the establishment of policies, procedures, and guidelines to meet the standard’s criteria.
ISMS.online provides organisations with a straightforward path to ISO 27001 compliance via its automated tool-set. Its user-friendly features make it simple to demonstrate adherence to the standard.
Get in touch with us now to arrange a demonstration.
