ISO 27001:2022 Annex A Control 8.15

Logging

Book a demo

group,of,happy,coworkers,discussing,in,conference,room

Purpose of ISO 27001:2022 Annex A 8.15

Logs are a crucial component of achieving a comprehensive overview of ICT activities and personnel actions. They enable organisations to construct a timeline of occasions and examine both logical and physical trends across their whole network.

Producing accessible, straightforward log data is a critical aspect of an organisation’s general ICT plan, along with numerous major information security controls in ISO 27001:2022.

Logs should be regularly checked:

  • Record occurrences.

  • Gather data and acquire proof.

  • Maintain their integrity.

  • Ensure the security of log data from unauthorised access.

  • Identify activities and occurrences that might cause a breach of information/security.

  • This serves as an aid to both internal and external enquiries.

Ownership of Annex A 8.15

ISO 27001:2022 Annex A 8.15 covers IT operations requiring system administrator access. It encompasses network management and maintenance. Therefore, the Head of IT, or their equivalent, is responsible for this control.

Jump to Topic
Get a Headstart on ISO 27001
  • All updated with the 2022 control set
  • Make 81% progress from the minute you log in
  • Simple and easy to use
Book your demo
img

Guidance on Event Log Information

An event is any activity carried out by a physical or logical entity on a computer system, such as a request for data, remote login, automatic shutdown of the system, or deletion of a file.

ISO 27001:2022 Annex A 8.15 states that for each event log to fulfil its purpose, it must contain five main components:

  • The user ID associated with the person.

  • System activity can be monitored to identify what took place.

  • At a certain date and time, an event occurred.

  • The event took place on the device/system and its location was identified.

  • Network addresses and protocols – IP information.

Guidance on Event Types

It may not be possible to log every occurrence on a network for practical reasons. Logging each event may not feasible.

ISO 27001:2022 Annex A 8.15 specifies ten events that should be logged, as they can affect risk and sustain an appropriate level of information security:

  1. System access attempts will be tracked and monitored.

  2. Attempts to access data and/or resources will be monitored. Any such activity that is seen as suspicious will be reported.

  3. System/OS configuration alterations.

  4. The use of high-level privileges.

  5. Utilise utility programs or maintenance facilities (as per ISO 27001:2022 Annex A 8.18).

  6. File access requests, with deletions, migrations, etc.

  7. Access control alarms and important interrupts.

  8. Activation and/or deactivation of front and back end security systems, e.g. client-side antivirus software and firewall protection systems.

  9. Identity administration.

  10. Certain actions or modifications to the system/data done during a session within an application.

As ISO 27001:2022 Annex A 8.17 outlines, it is essential to ensure all logs are synced to the same time source (or sources) and, in the event of third-party application logs, any time discrepancies must be addressed and documented.

Guidance on Log Protection

Logs are the most fundamental way to determine user, system, and application activity on a network, especially when investigations are taking place.

It is essential for organisations to guarantee that users, regardless of their permission levels, cannot delete or alter their own event logs.

Logs should be complete, accurate and safeguarded against any unauthorised modifications or disruptions, including:

  • Deleted or edited log files.

  • Message type amendments.

  • Failure to produce a log or overwriting of logs due to storage or network problems should be avoided.

ISO advises that to enhance information security, logs ought to be safeguarded with the following techniques:

  • Read-only recording.

  • Use of public transparency files.

  • Cryptographic hashing.

  • Append-only recording.

Organisations may require sending logs to vendors to address incidents and faults. When this is necessary, logs should be “de-identified” (as per ISO 27001:2022 Annex A 8.11) with the following info masked:

  • IP addresses.

  • Hostnames.

  • Usernames.

To ensure PII is protected, steps should be taken in accordance with the organisation’s data privacy regulations and existing laws (refer to ISO 27001:2022 Annex A 5.34).

Guidance on Log Analysis

When assessing logs to pinpoint, tackle and explain cyber security incidents – with the aim of preventing recurrences – consider the following:

  • The personnel conducting the analysis possess a high level of expertise.

  • Logs are analysed in accordance with company protocol.

  • The events to be analysed must be categorised and identified by type and attribute.

  • Exceptions that result from network rules generated by security software, hardware, and platforms are to be applied.

  • The typical progression of network traffic as opposed to unpredictable patterns.

  • Specialised data analysis reveals trends that are noteworthy.

  • Threat intelligence.

Guidance on Log Monitoring

Log analysis should be conducted jointly with thorough monitoring activities that detect essential patterns and uncommon behaviour.

Organisations should take a two-pronged approach to reach their goals:

  • Review any attempts to access secure and business-critical resources, such as domain servers, web portals, and file-sharing platforms.

  • Examine DNS records to identify any outgoing traffic associated with malicious sources and detrimental server procedures.

  • Gather data usage records from service vendors or internal systems to recognise any malicious behaviour.

  • Gather records from physical entry points, like key card/fob logs and room access data.

Supplementary Information

Organisations should ponder utilising specialised utility programs to sift through the immense amount of information produced by system logs, thus saving time and resources when probing security incidents, e.g. a SIEM tool.

If an organisation employs a cloud-based platform for any part of their operations, log management should be a shared responsibility between the service provider and the organisation.

Accompanying Annex A Controls

  • ISO 27001:2022 Annex A 5.34

  • ISO 27001:2022 Annex A 8.11

  • ISO 27001:2022 Annex A 8.17

  • ISO 27001:2022 Annex A 8.18

Changes and Differences from ISO 27001:2013

ISO 27001:2022 Annex A 8.15 supersedes three controls from ISO 27001:2013 which cover the storing, managing and analysing of log files:

  • 12.4.1 – Event Logging
  • 12.4.2 – Protection of Log Information
  • 12.4.3 – Administrator and Operator Logs

ISO 27001:2022 Annex A 8.15 largely aligns the guidance from the three controls previously discussed, forming a clear protocol that covers logging, along with some notable additions such as:

  • Guidelines that address the protection of log information in an expanded manner.

  • Advice on the different kinds of occurrences that should be examined closely.

  • Guidance on monitoring and analysing logs to improve information security.

  • How to manage logs generated by cloud-based platforms.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

ISO 27001:2022 Organisational Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Organisational ControlsAnnex A 5.1Annex A 5.1.1
Annex A 5.1.2		Policies for Information Security
Organisational ControlsAnnex A 5.2Annex A 6.1.1Information Security Roles and Responsibilities
Organisational ControlsAnnex A 5.3Annex A 6.1.2Segregation of Duties
Organisational ControlsAnnex A 5.4Annex A 7.2.1Management Responsibilities
Organisational ControlsAnnex A 5.5Annex A 6.1.3Contact With Authorities
Organisational ControlsAnnex A 5.6Annex A 6.1.4Contact With Special Interest Groups
Organisational ControlsAnnex A 5.7NEWThreat Intelligence
Organisational ControlsAnnex A 5.8Annex A 6.1.5
Annex A 14.1.1		Information Security in Project Management
Organisational ControlsAnnex A 5.9Annex A 8.1.1
Annex A 8.1.2		Inventory of Information and Other Associated Assets
Organisational ControlsAnnex A 5.10Annex A 8.1.3
Annex A 8.2.3		Acceptable Use of Information and Other Associated Assets
Organisational ControlsAnnex A 5.11Annex A 8.1.4Return of Assets
Organisational ControlsAnnex A 5.12Annex A 8.2.1Classification of Information
Organisational ControlsAnnex A 5.13Annex A 8.2.2Labelling of Information
Organisational ControlsAnnex A 5.14Annex A 13.2.1
Annex A 13.2.2
Annex A 13.2.3		Information Transfer
Organisational ControlsAnnex A 5.15Annex A 9.1.1
Annex A 9.1.2		Access Control
Organisational ControlsAnnex A 5.16Annex A 9.2.1Identity Management
Organisational ControlsAnnex A 5.17Annex A 9.2.4
Annex A 9.3.1
Annex A 9.4.3		Authentication Information
Organisational ControlsAnnex A 5.18Annex A 9.2.2
Annex A 9.2.5
Annex A 9.2.6		Access Rights
Organisational ControlsAnnex A 5.19Annex A 15.1.1Information Security in Supplier Relationships
Organisational ControlsAnnex A 5.20Annex A 15.1.2Addressing Information Security Within Supplier Agreements
Organisational ControlsAnnex A 5.21Annex A 15.1.3Managing Information Security in the ICT Supply Chain
Organisational ControlsAnnex A 5.22Annex A 15.2.1
Annex A 15.2.2		Monitoring, Review and Change Management of Supplier Services
Organisational ControlsAnnex A 5.23NEWInformation Security for Use of Cloud Services
Organisational ControlsAnnex A 5.24Annex A 16.1.1Information Security Incident Management Planning and Preparation
Organisational ControlsAnnex A 5.25Annex A 16.1.4Assessment and Decision on Information Security Events
Organisational ControlsAnnex A 5.26Annex A 16.1.5Response to Information Security Incidents
Organisational ControlsAnnex A 5.27Annex A 16.1.6Learning From Information Security Incidents
Organisational ControlsAnnex A 5.28Annex A 16.1.7Collection of Evidence
Organisational ControlsAnnex A 5.29Annex A 17.1.1
Annex A 17.1.2
Annex A 17.1.3		Information Security During Disruption
Organisational ControlsAnnex A 5.30NEWICT Readiness for Business Continuity
Organisational ControlsAnnex A 5.31Annex A 18.1.1
Annex A 18.1.5		Legal, Statutory, Regulatory and Contractual Requirements
Organisational ControlsAnnex A 5.32Annex A 18.1.2Intellectual Property Rights
Organisational ControlsAnnex A 5.33Annex A 18.1.3Protection of Records
Organisational ControlsAnnex A 5.34 Annex A 18.1.4Privacy and Protection of PII
Organisational ControlsAnnex A 5.35Annex A 18.2.1Independent Review of Information Security
Organisational ControlsAnnex A 5.36Annex A 18.2.2
Annex A 18.2.3		Compliance With Policies, Rules and Standards for Information Security
Organisational ControlsAnnex A 5.37Annex A 12.1.1Documented Operating Procedures

ISO 27001:2022 People Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
People ControlsAnnex A 6.1Annex A 7.1.1Screening
People ControlsAnnex A 6.2Annex A 7.1.2Terms and Conditions of Employment
People ControlsAnnex A 6.3Annex A 7.2.2Information Security Awareness, Education and Training
People ControlsAnnex A 6.4Annex A 7.2.3Disciplinary Process
People ControlsAnnex A 6.5Annex A 7.3.1Responsibilities After Termination or Change of Employment
People ControlsAnnex A 6.6Annex A 13.2.4Confidentiality or Non-Disclosure Agreements
People ControlsAnnex A 6.7Annex A 6.2.2Remote Working
People ControlsAnnex A 6.8Annex A 16.1.2
Annex A 16.1.3		Information Security Event Reporting

ISO 27001:2022 Physical Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Physical ControlsAnnex A 7.1Annex A 11.1.1Physical Security Perimeters
Physical ControlsAnnex A 7.2Annex A 11.1.2
Annex A 11.1.6		Physical Entry
Physical ControlsAnnex A 7.3Annex A 11.1.3Securing Offices, Rooms and Facilities
Physical ControlsAnnex A 7.4NEWPhysical Security Monitoring
Physical ControlsAnnex A 7.5Annex A 11.1.4Protecting Against Physical and Environmental Threats
Physical ControlsAnnex A 7.6Annex A 11.1.5Working In Secure Areas
Physical ControlsAnnex A 7.7Annex A 11.2.9Clear Desk and Clear Screen
Physical ControlsAnnex A 7.8Annex A 11.2.1Equipment Siting and Protection
Physical ControlsAnnex A 7.9Annex A 11.2.6Security of Assets Off-Premises
Physical ControlsAnnex A 7.10Annex A 8.3.1
Annex A 8.3.2
Annex A 8.3.3
 Annex A 11.2.5		Storage Media
Physical ControlsAnnex A 7.11Annex A 11.2.2Supporting Utilities
Physical ControlsAnnex A 7.12Annex A 11.2.3Cabling Security
Physical ControlsAnnex A 7.13Annex A 11.2.4Equipment Maintenance
Physical ControlsAnnex A 7.14Annex A 11.2.7Secure Disposal or Re-Use of Equipment

ISO 27001:2022 Technological Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Technological ControlsAnnex A 8.1Annex A 6.2.1
Annex A 11.2.8		User Endpoint Devices
Technological ControlsAnnex A 8.2Annex A 9.2.3Privileged Access Rights
Technological ControlsAnnex A 8.3Annex A 9.4.1Information Access Restriction
Technological ControlsAnnex A 8.4Annex A 9.4.5Access to Source Code
Technological ControlsAnnex A 8.5Annex A 9.4.2Secure Authentication
Technological ControlsAnnex A 8.6Annex A 12.1.3Capacity Management
Technological ControlsAnnex A 8.7Annex A 12.2.1Protection Against Malware
Technological ControlsAnnex A 8.8Annex A 12.6.1
Annex A 18.2.3		Management of Technical Vulnerabilities
Technological ControlsAnnex A 8.9NEWConfiguration Management
Technological ControlsAnnex A 8.10NEWInformation Deletion
Technological ControlsAnnex A 8.11NEWData Masking
Technological ControlsAnnex A 8.12NEWData Leakage Prevention
Technological ControlsAnnex A 8.13Annex A 12.3.1Information Backup
Technological ControlsAnnex A 8.14Annex A 17.2.1Redundancy of Information Processing Facilities
Technological ControlsAnnex A 8.15Annex A 12.4.1
Annex A 12.4.2
Annex A 12.4.3		Logging
Technological ControlsAnnex A 8.16NEWMonitoring Activities
Technological ControlsAnnex A 8.17Annex A 12.4.4Clock Synchronization
Technological ControlsAnnex A 8.18Annex A 9.4.4Use of Privileged Utility Programs
Technological ControlsAnnex A 8.19Annex A 12.5.1
Annex A 12.6.2		Installation of Software on Operational Systems
Technological ControlsAnnex A 8.20Annex A 13.1.1Networks Security
Technological ControlsAnnex A 8.21Annex A 13.1.2Security of Network Services
Technological ControlsAnnex A 8.22Annex A 13.1.3Segregation of Networks
Technological ControlsAnnex A 8.23NEWWeb filtering
Technological ControlsAnnex A 8.24Annex A 10.1.1
Annex A 10.1.2		Use of Cryptography
Technological ControlsAnnex A 8.25Annex A 14.2.1Secure Development Life Cycle
Technological ControlsAnnex A 8.26Annex A 14.1.2
Annex A 14.1.3		Application Security Requirements
Technological ControlsAnnex A 8.27Annex A 14.2.5Secure System Architecture and Engineering Principles
Technological ControlsAnnex A 8.28NEWSecure Coding
Technological ControlsAnnex A 8.29Annex A 14.2.8
Annex A 14.2.9		Security Testing in Development and Acceptance
Technological ControlsAnnex A 8.30Annex A 14.2.7Outsourced Development
Technological ControlsAnnex A 8.31Annex A 12.1.4
Annex A 14.2.6		Separation of Development, Test and Production Environments
Technological ControlsAnnex A 8.32Annex A 12.1.2
Annex A 14.2.2
Annex A 14.2.3
Annex A 14.2.4		Change Management
Technological ControlsAnnex A 8.33Annex A 14.3.1Test Information
Technological ControlsAnnex A 8.34Annex A 12.7.1Protection of Information Systems During Audit Testing

How ISMS.online Help

The ISMS.online platform facilitates the entirety of ISO 27001 implementation, beginning with risk assessment activities, and concluding with the establishment of policies, procedures, and guidelines to meet the standard’s criteria.

ISMS.online provides organisations with a straightforward path to ISO 27001 compliance via its automated tool-set. Its user-friendly features make it simple to demonstrate adherence to the standard.

Get in touch with us now to arrange a demonstration.

See our platform
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

Simple. Secure. Sustainable.

See our platform in action with a tailored hands-on session based on your needs and goals.

Book your demo
img

ISMS.online now supports ISO 42001 - the world's first AI Management System. Click to find out more