ISO 27001 Control 8.15: Logging and Event Recording
Control 8.15 requires organizations to generate, maintain, and analyze comprehensive logs that document all security-relevant activities, exceptions, and faults. Without proper logging, you lose visibility into security events and can't investigate incidents when they occur. This control is foundational to both real-time security monitoring and post-incident forensic analysis.
What this means
Logging under ISO 27001 8.15 means capturing detailed records of system activities, user actions, security events, and exceptions across your infrastructure. These logs must be securely stored to prevent tampering, retained for appropriate periods, and regularly reviewed to detect anomalies and support investigations. The logs serve dual purposes: enabling proactive monitoring to catch threats in real-time and providing evidence trails for incident response and compliance audits.
How to comply
- 1.Define logging requirements across all systems, applications, and network devices that process or handle sensitive data
- 2.Configure systems to record user authentication attempts, access events, configuration changes, and security exceptions
- 3.Establish centralized log storage with appropriate access controls to prevent unauthorized modification or deletion
- 4.Implement log retention policies aligned with legal and regulatory requirements, typically 12 months minimum
- 5.Set up automated log analysis and alerting to detect suspicious patterns and anomalies in real-time
- 6.Conduct regular log reviews to identify security incidents, failed access attempts, and policy violations
- 7.Document logging procedures, retention schedules, and analysis responsibilities in your information security policies
- 8.Test your logging system's ability to capture events during penetration tests and security exercises
Evidence auditors look for
- System and application log configuration documentation showing enabled audit trails
- Log storage infrastructure details including server locations, encryption, and access controls
- Log retention policy document specifying timeframes for different log types
- Automated alerting rules and thresholds configured in SIEM or log management platform
- Sample audit logs from critical systems showing recorded events with timestamps and user identifiers
- Log analysis reports demonstrating regular review of security events and investigations
- Incident investigation reports referencing log evidence used in root cause analysis
- Testing records showing log system functionality validation during security assessments
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates log collection and analysis across your entire infrastructure, flagging ISO 27001 8.15 compliance gaps and generating ready-to-share audit evidence in your compliance dashboard—eliminating manual log reviews and spreadsheet juggling.
See how GRCWatch handles this control automatically
Start free trial