CIS Controls 8.3: Ensure Adequate Audit Log Storage
Audit logs are only valuable if you can actually store and access them. CIS Controls 8.3 requires organizations to maintain sufficient storage capacity to support their audit log management policies—preventing data loss and ensuring compliance investigations succeed. Without proper storage planning, your logs become liabilities instead of assets.
What this means
This control mandates that your logging infrastructure has adequate capacity to store logs according to your enterprise's defined retention periods. It's about ensuring logging destinations (SIEM systems, cloud storage, databases) won't overflow, truncate historical records, or force premature deletion of evidence needed for security investigations and compliance audits.
How to comply
- 1.Calculate total log volume generated daily across all systems, applications, and endpoints
- 2.Define retention periods based on regulatory requirements and your incident response needs
- 3.Multiply daily volume by retention period to determine required storage capacity
- 4.Add 20-30% buffer for growth and unexpected log increases
- 5.Implement automated log rotation and archival policies to manage active storage
- 6.Monitor storage utilization monthly and establish alerts at 70-80% capacity thresholds
- 7.Document storage capacity decisions and review them annually during policy updates
Evidence auditors look for
- Storage capacity planning spreadsheet showing daily log volume calculations and retention requirements
- Logging infrastructure specifications documenting disk allocation and scalability provisions
- SIEM or log management tool configuration confirming retention policies and storage limits
- Monitoring dashboards showing storage utilization trends and capacity headroom
- Change management records for storage expansions or upgrades
- Annual capacity reviews demonstrating proactive planning adjustments
- Incident response procedures referencing log availability and historical data access
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically tracks your logging infrastructure capacity and alerts you when storage utilization approaches thresholds, eliminating manual calculations and preventing compliance gaps from insufficient audit log storage.
See how GRCWatch handles this control automatically
Start free trial