How to Implement ISO 27001 Annex A 8.15 Logging


In this ultimate how to implement guide to ISO 27001 Annex A 8.15 Logging, you will learn directly from an ISO 27001 Lead Auditor:

  • The requirement of the control
  • The required implementation steps
  • The minimum requirement

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

Implementing ISO 27001 Annex A 8.15 is a technical imperative for event logging and anomaly detection. It requires organizations to capture user activities, faults, and security events across all systems. This robust logging architecture ensures data integrity and forensic readiness, allowing security teams to reconstruct timelines and effectively respond to cyber incidents.

ISO 27001 Annex A Logging Implementation Checklist

Use this implementation checklist to achieve compliance with ISO 27001 Annex A 8.15. Compliance here is technical, not administrative; if your logs are stored only locally on the asset that gets compromised, you have merely provided the attacker with a scratchpad to delete. Logs must be forwarded to a separate, write-protected collector as they are produced.

1. Define the Event Logging Policy

Control Requirement: Production of logs recording user activities, exceptions, faults, and information security events.

Required Implementation Step: Create a technical standard that mandates exactly which events must be captured across all Operating Systems (e.g., Successful Logins, Failed Logins, Sudo escalation, File Permission changes). Do not leave this to default vendor settings, which are often insufficient.

Minimum Requirement: Explicitly define the “Who, What, Where, When” data schema for all critical assets.

2. Enable OS-Level Audit Trails

Control Requirement: Recording of system-level administrator and operator logs.

Required Implementation Step: Configure auditd on Linux and the ‘Advanced Audit Policy Configuration’ on Windows Servers. Specifically enable ‘Object Access’, ‘Privilege Use’, and ‘Account Logon’ auditing to capture granular events rather than just high-level noise.

Minimum Requirement: Do not audit “Success” for high-volume object access such as routine file reads; that is where the disk goes. Audit both “Success” and “Failure” for logons, privilege use and account management, because successful administrator actions (a sudo command that ran, a permission that was changed) are precisely what this control exists to record.
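The following is an added example, not code from the article or its toolkit, covering steps 1 and 2 together: a constructed auditd rules fragment of the kind the step-1 standard would mandate, and a parser that turns raw audit.log records into the “Who, What, Where, When” schema. The three audit records are constructed to resemble what auditd writes for a sudo command, a chmod caught by a keyed rule, and a failed SSH root login; the rule keys, UIDs, addresses and timestamps are illustrative assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed audit.rules fragment (drop into /etc/audit/rules.d/). Illustrative, not
# from the article: the keys (sudoers_change, perm_mod, audit_log_tamper) are assumptions.
AUDIT_RULES = """\
-w /etc/sudoers -p wa -k sudoers_change
-w /etc/sudoers.d/ -p wa -k sudoers_change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-w /var/log/audit/ -p wa -k audit_log_tamper
"""

# Constructed sample of /var/log/audit/audit.log (not real data).
SAMPLE_AUDIT_LOG = """\
type=USER_CMD msg=audit(1700000000.123:456): pid=2311 uid=1000 auid=1000 ses=3 msg='cwd="/home/alice" cmd=636174202F6574632F736861646F77 exe="/usr/bin/sudo" terminal=pts/0 res=success'
type=SYSCALL msg=audit(1700000001.456:457): arch=c000003e syscall=90 success=yes exit=0 a0=7ffd9c0 a1=1ff a2=0 a3=0 items=1 ppid=2311 pid=2340 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="chmod" exe="/usr/bin/chmod" key="perm_mod"
type=USER_LOGIN msg=audit(1700000002.000:458): pid=2401 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=failed'
"""

_HEADER = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<sec>\d+)\.\d+:(?P<serial>\d+)\): (?P<body>.*)$")
_FIELD = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")


def _fields(text):
    """Split key=value pairs; recurse into the nested msg='...' block auditd emits."""
    out = {}
    for key, raw in _FIELD.findall(text):
        if raw.startswith("'"):
            out.update(_fields(raw[1:-1]))
        elif raw.startswith('"'):
            out[key] = raw[1:-1]
        elif key == "cmd" and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", raw):
            out[key] = bytes.fromhex(raw).decode("utf-8", "replace")  # auditd hex-encodes values containing spaces
        else:
            out[key] = raw
    return out


def parse_record(line):
    m = _HEADER.match(line)
    if not m:
        raise ValueError(f"not an audit record: {line[:40]!r}")
    fields = {"type": m["type"], "serial": m["serial"],
              "when": datetime.fromtimestamp(int(m["sec"]), tz=timezone.utc).isoformat()}
    fields.update(_fields(m["body"]))
    return fields


@dataclass
class LogEvent:
    who: str      # login identity (auid); survives su/sudo, unlike uid/euid
    what: str
    where: str
    when: str     # ISO 8601, UTC, so timelines from many hosts line up
    outcome: str
    source: str   # record type:serial, to trace back to the raw log


def normalize(f):
    who = "unset" if f.get("auid") in (None, "4294967295", "-1") else f["auid"]
    t = f["type"]
    if t == "USER_CMD":
        what, where, outcome = f"sudo {f.get('cmd', '?')}", f.get("terminal", "?"), f.get("res", "?")
    elif t == "SYSCALL":
        what = f"syscall {f.get('syscall')} by {f.get('comm')} key={f.get('key')}"
        where = f.get("tty", "?")
        outcome = "success" if f.get("success") == "yes" else "failed"
    elif t == "USER_LOGIN":
        what, where, outcome = f"login as {f.get('acct')} via {f.get('exe')}", f.get("addr", "?"), f.get("res", "?")
    else:
        what, where, outcome = t, "?", f.get("res", f.get("success", "?"))
    return LogEvent(who, what, where, f["when"], outcome, f"{t}:{f['serial']}")


def normalize_log(text):
    return [normalize(parse_record(line)) for line in text.splitlines() if line.strip()]


def privileged_actions(events):
    """Successful administrator actions: the records the control requires you to keep."""
    return [e for e in events
            if e.outcome == "success" and (e.what.startswith("sudo") or "key=perm_mod" in e.what)]


if __name__ == "__main__":
    for event in normalize_log(SAMPLE_AUDIT_LOG):
        print(event)
```

The point of keying on `auid` rather than `uid` is that the second record shows `uid=0` (the chmod ran under sudo) while `auid=1000` still names the human who logged in; a schema that records only the effective UID loses the “Who”. The last function is the check for the caveat above: both successful privileged actions must survive any volume-reduction tuning, while the failed login from an unauthenticated source is what the “Failure” auditing is for.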

3. Configure Application and Database Logging

Control Requirement: Application-specific security events must be recorded.

Required Implementation Step: Edit the configuration files for your middleware (e.g., Nginx access.log, IIS Logging) and databases (e.g., SQL Server Audit Specifications). Ensure web logs record the full request (method, path and query string, status code, source address) so that injection attempts can be detected, and that database audits capture schema changes and access to sensitive tables.

Minimum Requirement: Default error logs are not enough; an injection attempt the application answers with a normal status code never reaches the error log. You must enable access/transaction logging.
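As an added example that is not part of the article, the following runs simple detection logic over constructed Nginx access.log lines in the default “combined” format: it flags injection-style requests by inspecting the URL-decoded request target, and counts failed logins per source address. The signature list, the `/login` path, the addresses and the threshold are illustrative assumptions; a production rule set would be broader and tuned to the application.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote

# Constructed sample access.log in Nginx "combined" format (not real traffic).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /products?id=1 HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /products?id=1%27%20UNION%20SELECT%20username%2Cpassword%20FROM%20users-- HTTP/1.1" 200 4102 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:44 +0000] "GET /static/..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 153 "-" "curl/8.4.0"
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "POST /login HTTP/1.1" 401 89 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "POST /login HTTP/1.1" 401 89 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:13:56:03 +0000] "POST /login HTTP/1.1" 401 89 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:13:56:10 +0000] "POST /login HTTP/1.1" 302 0 "-" "python-requests/2.31"
"""

# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
_COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Hypothetical minimal signature set, applied to the lower-cased, URL-decoded target.
_INJECTION_RULES = [
    ("sql_injection", re.compile(r"\bunion\b.+\bselect\b|'\s*(or|and)\s+\S+\s*=|;\s*(drop|alter|insert)\s")),
    ("path_traversal", re.compile(r"\.\./|\.\.\\")),
    ("xss", re.compile(r"<script|javascript:")),
]


def parse_line(line):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = _COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["when"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z").isoformat()
    rec["decoded_target"] = unquote(rec["target"])  # attackers encode; match on what the app saw
    return rec


def classify_injection(rec):
    target = rec["decoded_target"].lower()
    for name, pattern in _INJECTION_RULES:
        if pattern.search(target):
            return name
    return None


def analyze(log_text, failed_login_threshold=3, login_path="/login"):
    injection, failures = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rule = classify_injection(rec)
        if rule:
            injection.append({"ip": rec["ip"], "when": rec["when"], "rule": rule,
                              "request": f"{rec['method']} {rec['decoded_target']}",
                              "status": rec["status"]})
        # 401/403 on the login endpoint: a failed authentication attempt
        if rec["target"].split("?")[0] == login_path and rec["status"] in (401, 403):
            failures[rec["ip"]] += 1
    brute_force = [{"ip": ip, "failed_logins": n}
                   for ip, n in failures.items() if n >= failed_login_threshold]
    return {"injection": injection, "brute_force": brute_force}


if __name__ == "__main__":
    for kind, findings in analyze(SAMPLE_ACCESS_LOG).items():
        for finding in findings:
            print(kind, finding)
```

Note that the UNION SELECT request in the sample returns 200: the application served it without error, so it would never appear in error.log, which is exactly why the access log (and, on the database side, an audit specification covering the sensitive tables) is the minimum. Decoding the target before matching matters because `%27%20UNION` would slip past a signature applied to the raw line.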
