Logging
Plain English Translation
Logging requires organizations to create, store, and analyze records of system activities, network traffic, exceptions, and faults. These logs serve as a crucial historical record of 'who did what, and when,' enabling organizations to investigate security incidents, troubleshoot errors, and fulfill regulatory obligations. To ensure the reliability of this data, logs must be heavily protected against unauthorized access, tampering, or premature deletion.
Technical Implementation
Required Actions (startup)
- Enable default logging features for critical applications, firewalls, and cloud providers (e.g., AWS CloudTrail, GCP Cloud Logging).
- Ensure logs capture successful and failed login attempts, as well as critical system errors.
- Restrict access to log storage buckets to only essential administrative personnel.
Required Actions (scaleup)
- Implement a centralized logging architecture (e.g., ELK stack, Datadog) to aggregate logs from disparate sources.
- Define an audit log retention policy based on business and legal requirements (e.g., 90 days hot storage, 1 year cold storage).
- Establish baseline alerting for critical events, such as multiple failed logins or unauthorized privilege escalations.
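The baseline alerting described in the scaleup actions, as an added example (not WatchDog Security code): a small detector that normalises timestamps from several hosts to UTC, orders the events into one timeline, raises a brute-force alert when one source address produces a threshold number of failed logins inside a sliding window, and flags privilege escalation by any user not on an allow list. The log line format, the sample lines, the hostnames and the addresses are all constructed for the example.

```python
"""Baseline alerting over authentication logs (added example, not WatchDog Security code)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import re

# Constructed sample lines (not from a real system). Assumed format:
# <ISO-8601 timestamp with offset> <host> <event> user=<name> src=<ip>
# web-2 reports in +01:00 so its line must be normalised before correlation.
SAMPLE_LOGS = """\
2026-02-17T09:00:01+00:00 web-1 LOGIN_FAILED user=alice src=203.0.113.5
2026-02-17T09:00:07+00:00 web-1 LOGIN_FAILED user=alice src=203.0.113.5
2026-02-17T10:00:12+01:00 web-2 LOGIN_FAILED user=bob src=203.0.113.5
2026-02-17T09:00:20+00:00 web-1 LOGIN_FAILED user=carol src=203.0.113.5
2026-02-17T09:00:25+00:00 web-1 LOGIN_FAILED user=alice src=203.0.113.5
2026-02-17T09:00:40+00:00 web-1 LOGIN_OK user=alice src=203.0.113.5
2026-02-17T09:05:00+00:00 web-1 LOGIN_FAILED user=dave src=198.51.100.9
2026-02-17T09:30:00+00:00 db-1 PRIV_ESCALATION user=dave src=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>[A-Z_]+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Normalise to UTC so hosts reporting with different offsets line up.
    rec["ts"] = datetime.fromisoformat(rec["ts"]).astimezone(timezone.utc)
    return rec


def detect(lines, threshold=5, window=timedelta(minutes=5),
           authorised_escalators=frozenset()):
    """Return a list of (alert_type, subject, utc_timestamp) tuples."""
    records = [r for r in map(parse_line, lines.splitlines()) if r is not None]
    records.sort(key=lambda r: r["ts"])  # one timeline across all sources

    alerts = []
    recent = defaultdict(deque)  # src ip -> timestamps of failures inside the window
    fired = set()                # alert once per source for this run

    for rec in records:
        if rec["event"] == "LOGIN_FAILED":
            q = recent[rec["src"]]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and rec["src"] not in fired:
                alerts.append(("brute_force", rec["src"], rec["ts"]))
                fired.add(rec["src"])
        elif rec["event"] == "PRIV_ESCALATION" and rec["user"] not in authorised_escalators:
            alerts.append(("unauthorised_privilege_escalation", rec["user"], rec["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

On the constructed sample, 203.0.113.5 accumulates five failures between 09:00:01 and 09:00:25 UTC (one of them the web-2 line after conversion from +01:00) and triggers the brute-force alert; dave's single failure does not, but his escalation on db-1 does because he is not on the allow list. Sorting after normalisation is what makes the window correct when sources arrive out of order or report in different time zones.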
Required Actions (enterprise)
- Deploy a dedicated Security Information and Event Management (SIEM) solution for advanced correlation and threat hunting.
- Enforce log integrity controls (WORM, hashing, immutability) to ensure non-repudiation.
- Integrate automated log analysis with the incident response platform for rapid containment.
ISO 27001:2022 control A.8.15 (Logging) is a technological control requiring organizations to actively produce, securely store, protect, and periodically analyze event logs. These ISO 27001 A.8.15 logging requirements ensure a trail of system activities, faults, and exceptions is maintained for security monitoring and post-incident forensic investigation.
When determining what events should be logged for ISO 27001, organizations should focus on successful and failed authentications, changes to system configurations or user privileges, network boundary crossings, and application faults. Logging privileged user activity is particularly critical, because it is how the actions performed by administrators are tracked.
Organizations should conduct a risk assessment to determine the scope of their security log management program. Systems that process sensitive data, host critical applications, or face the public internet should be prioritized. Detailed requirements should be documented in the organization's logging and monitoring policy.
How long logs must be retained for ISO 27001 depends entirely on an organization's legal, regulatory, and contractual obligations, as well as its incident response capabilities. Common benchmarks involve keeping logs easily searchable (hot) for 30 to 90 days, and archived (cold) for 1 year, justified within a formal audit log retention policy. Tools like WatchDog Security's Policy Management can help maintain approved retention standards and acceptance records, while WatchDog Security's Compliance Center can help map the policy to A.8.15 and track evidence collection over time.
Protecting audit logs from tampering requires strong logical access controls, so that even system administrators cannot modify the logs of their own activity. Advanced log integrity controls (WORM, hashing, immutability) should be applied to archive storage to guarantee logs cannot be altered or prematurely deleted.
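The hashing and immutability controls named in the enterprise actions and in the paragraph above, as an added example (not WatchDog Security code): a tamper-evident log chain in which each entry carries the SHA-256 of its predecessor, plus an HMAC "seal" over the last hash computed with a key held outside the logging host. The records, the key and the two tampering scenarios are constructed for the example. Editing an entry in place breaks the chain at that index; deleting an entry and rebuilding the chain produces a self-consistent chain, which only the seal can expose, so the seal key must stay out of the administrators' reach.

```python
"""Tamper-evident log chain with an external seal (added example, not WatchDog Security code)."""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # hash "before" the first entry


def _digest(prev_hash, record):
    # Canonical JSON so the same record always hashes identically.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


def append(chain, record):
    """Append a record, linking it to the previous entry's hash. Returns the new hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"record": record, "prev": prev, "hash": _digest(prev, record)}
    chain.append(entry)
    return entry["hash"]


def verify(chain):
    """Return the index of the first inconsistent entry, or -1 if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["record"]):
            return i
        prev = entry["hash"]
    return -1


def seal(chain, key):
    """HMAC over the head hash; the key lives on a separate system (assumption)."""
    head = chain[-1]["hash"] if chain else GENESIS
    return hmac.new(key, head.encode(), "sha256").hexdigest()


def check_seal(chain, key, tag):
    return hmac.compare_digest(seal(chain, key), tag)


def demo():
    """Build a chain, seal it, then try both tampering scenarios. Returns the outcomes."""
    key = b"constructed-example-key"  # constructed; real key would be held off-host
    chain = []
    for rec in [
        {"ts": "2026-02-17T09:00:01Z", "user": "alice", "event": "LOGIN_OK"},
        {"ts": "2026-02-17T09:30:00Z", "user": "root", "event": "CONFIG_CHANGE"},
        {"ts": "2026-02-17T09:31:00Z", "user": "root", "event": "LOGOUT"},
    ]:
        append(chain, rec)
    tag = seal(chain, key)
    intact = verify(chain) == -1 and check_seal(chain, key, tag)

    # Scenario 1: edit an existing record in place -> chain breaks at that index.
    edited = json.loads(json.dumps(chain))  # deep copy
    edited[1]["record"]["user"] = "alice"
    edit_detected_at = verify(edited)

    # Scenario 2: delete the CONFIG_CHANGE entry and rebuild every hash after it.
    # The rebuilt chain verifies, but the sealed head hash no longer matches.
    rebuilt = []
    for entry in chain[:1] + chain[2:]:
        append(rebuilt, entry["record"])
    rebuilt_consistent = verify(rebuilt) == -1
    rebuilt_seal_ok = check_seal(rebuilt, key, tag)

    return {
        "intact": intact,
        "edit_detected_at": edit_detected_at,
        "rebuilt_consistent": rebuilt_consistent,
        "rebuilt_seal_ok": rebuilt_seal_ok,
    }


if __name__ == "__main__":
    print(demo())
```

The chain alone gives detection of in-place edits; the seal is what gives the "even administrators cannot cover their tracks" property, which is why in practice the anchor is pushed to WORM storage or a system the log producers cannot write to.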
While a dedicated SIEM is not strictly mandatory for every organization, centralized logging is strongly recommended as an ISO 27001 best practice. In modern, complex environments, a SIEM becomes a practical requirement for compliance, as it is the most efficient way to aggregate, protect, and analyze massive volumes of log data.
Control A.8.15 focuses on the generation, retention, and protection of the raw log data itself (the 'what' and 'where'). Control A.8.16 focuses on the active analysis and surveillance of those logs to detect anomalous behavior and trigger incident response workflows (the 'action').
Logs should ideally be analyzed continuously using automated tools that generate alerts based on predefined rules. Manual reviews of those alerts, or broader trend analysis, should be conducted periodically (for example daily or weekly) by the security operations team to satisfy continuous monitoring requirements.
Auditors expect to see evidence of cloud logging (AWS CloudTrail, Azure, GCP), such as configuration screenshots proving logs are enabled. They will also request an audit log retention policy, screenshots of restricted access permissions to log storage buckets, and evidence of resolved alerts generated by the logging system. Tools like WatchDog Security's Compliance Center can help organize this evidence, link it to A.8.15, and maintain an audit-ready trail of reviews and remediation tickets.
Common pitfalls include failing to aggregate logs, allowing system administrators to delete their own audit trails, or having insufficient storage space so that logs are overwritten. Another major nonconformity is neglecting clock synchronization across systems, which makes it impossible to accurately reconstruct timelines across different log sources.
Logging programs often fail during audits because retention rules, review records, and evidence are scattered across teams and tools. WatchDog Security's Compliance Center can help map A.8.15 requirements to owners and evidence requests, while WatchDog Security's Policy Management can help maintain approved retention standards with version control and acceptance tracking.
Teams often miss log sources in fast-changing environments, especially across multiple clouds and SaaS apps. WatchDog Security's Asset Inventory can help identify systems and services that should produce logs, and WatchDog Security's Posture Management can help detect misconfigurations such as disabled audit logging, weak log storage permissions, or missing retention settings aligned to A.8.15.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-17 | WatchDog Security GRC Team | Initial publication |