Auditing ISO 27001 Annex A 8.15 Logging is the systematic technical verification that security event logs are generated, protected, and analysed. The control itself expects logs that record activities, exceptions, faults and other relevant events to be produced, stored, protected and analysed; in practice the primary implementation requirement is centralised log storage that administrators of the logged systems cannot alter, combined with automated correlation. The business benefit is rapid incident detection and defensible forensic evidence during security investigations.
ISO 27001 Annex A 8.15 Logging Audit Checklist
This technical verification framework is designed for lead auditors to establish the integrity and completeness of event logging within the ISMS. Use this checklist to validate compliance with ISO 27001 Annex A 8.15.
1. Log Generation Scope Alignment Verified
Verification Criteria: Event logs are generated for all security-relevant events including user access, privileged actions, system failures, and security alerts across the infrastructure.
Required Evidence: Configuration files or policy documents defining the specific event IDs and log levels (e.g., Information, Warning, Error) captured.
Pass/Fail Test: If critical systems (e.g., production databases or firewalls) are not generating logs for administrative login attempts, mark as Non-Compliant.
2. Log Attribute Completeness Confirmed
Verification Criteria: Each log entry contains sufficient detail to facilitate an investigation, including User ID, event type, date/time, success/failure status, and source/destination identifiers.
Required Evidence: Raw log samples from the SIEM or central log repository demonstrating the presence of all required metadata fields.
Pass/Fail Test: If log entries lack a unique identifier for the user or the specific system that generated the event, mark as Non-Compliant.
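The attribute check above is easier to apply consistently when the log samples are run through a script than when they are eyeballed, because different sources name the same attribute differently (a Windows logon carries the user in SubjectUserName, an SSH log in user). The following is an added example, not code from the original page or from any SIEM vendor: it normalises constructed JSON log lines onto canonical field names and reports which entries fail the checklist's Non-Compliant condition (no user identifier or no originating system) versus which merely have lesser gaps. The alias mapping, field names and sample lines are illustrative assumptions.

```python
import json

# Canonical attributes the checklist expects in every entry, and the field names
# different sources use for them. The alias lists are assumptions chosen for this
# example, not a standard mapping; extend them per source type in real use.
REQUIRED_FIELDS = {
    "user_id":      ("user_id", "user", "SubjectUserName", "src_user"),
    "event_type":   ("event_type", "EventID", "action", "msg_type"),
    "timestamp":    ("timestamp", "@timestamp", "TimeCreated", "ts"),
    "outcome":      ("outcome", "status", "result", "Keywords"),
    "origin_host":  ("origin_host", "host", "hostname", "Computer"),
    "peer_address": ("peer_address", "src_ip", "dst_ip", "IpAddress", "source", "destination"),
}

# Missing either of these makes the entry useless for attribution, which is the
# checklist's Non-Compliant condition; other missing fields are reported as warnings.
CRITICAL_FIELDS = ("user_id", "origin_host")

# Values that sources emit when a field is present but carries no information.
EMPTY_VALUES = (None, "", "-")


def normalise(entry):
    """Map a raw log dict onto canonical names; fields with no usable value are omitted."""
    present = {}
    for canonical, aliases in REQUIRED_FIELDS.items():
        for alias in aliases:
            value = entry.get(alias)
            if value not in EMPTY_VALUES:
                present[canonical] = value
                break
    return present


def audit_entries(raw_lines):
    """Return (compliant_count, findings); each finding is (line_no, verdict, missing)."""
    compliant = 0
    findings = []
    for line_no, line in enumerate(raw_lines, start=1):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            # A truncated or non-JSON line cannot be assessed at all: treat as a failure.
            findings.append((line_no, "FAIL", ["unparseable"]))
            continue
        present = normalise(entry)
        missing = [f for f in REQUIRED_FIELDS if f not in present]
        if not missing:
            compliant += 1
            continue
        verdict = "FAIL" if any(f in CRITICAL_FIELDS for f in missing) else "WARN"
        findings.append((line_no, verdict, missing))
    return compliant, findings


# Constructed sample of what a central repository might hand an auditor.
SAMPLE_LINES = [
    '{"TimeCreated": "2024-05-01T08:00:01Z", "EventID": 4624, "SubjectUserName": "alice", '
    '"Keywords": "Audit Success", "IpAddress": "10.0.0.5", "Computer": "DC01"}',
    '{"@timestamp": "2024-05-01T08:00:02Z", "host": "web-01", "msg_type": "ssh_login", '
    '"user": "bob", "result": "failed", "src_ip": "198.51.100.9"}',
    # database admin login with no user recorded: cannot attribute the action
    '{"timestamp": "2024-05-01T08:00:03Z", "event_type": "db_admin_login", '
    '"status": "success", "src_ip": "10.0.0.8", "host": "db-prod-1"}',
    # application change with no originating system recorded
    '{"ts": "2024-05-01T08:00:04Z", "action": "config_change", "user": "carol", '
    '"result": "success", "src_ip": "10.0.0.9"}',
    # attributable, but outcome and peer address carry no information
    '{"TimeCreated": "2024-05-01T08:00:05Z", "EventID": 4672, "SubjectUserName": "dave", '
    '"Keywords": "", "IpAddress": "-", "Computer": "DC01"}',
    # line truncated mid-write, as seen when a collector drops output under pressure
    '{"ts": "2024-05-01T08:00:06Z", "action": "config_',
]

if __name__ == "__main__":
    ok, problems = audit_entries(SAMPLE_LINES)
    print(f"{ok} compliant entries")
    for line_no, verdict, missing in problems:
        print(f"line {line_no}: {verdict} missing {', '.join(missing)}")
```

Run against a real export, the FAIL lines are the ones to cite as evidence; the WARN lines are worth raising with the source owner, since an entry whose outcome is blank cannot distinguish a failed privileged logon from a successful one.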
3. Centralised Log Repository Implementation Validated
Verification Criteria: Logs are transmitted from local assets to a centralised, dedicated log management system or SIEM in near real-time.
Required Evidence: Architecture diagram and data ingestion logs from the central repository (e.g., Splunk, Sentinel, ELK).
Pass/Fail Test: If security logs are held only on the originating server, with no copy forwarded to a central repository, an attacker who compromises that server can erase the evidence of the compromise; mark as Non-Compliant.
4. Log Integrity and Protection Measures Verified
Verification Criteria: Logs are protected against unauthorised modification, deletion, or tampering through strict access controls and, where required, hash chaining or digital signatures. A plain hash stored beside each entry proves nothing, because whoever can edit the entry can recompute the hash; the tag must chain to the previous entry and be computed with a key, or signed by a service, that the administrators of the logged systems cannot reach.
Required Evidence: Access Control List (ACL) for the log repository, the storage-level setting that enforces write-once retention (for example WORM or object-lock configuration on the archive tier), and evidence that even system administrators cannot modify or delete historic log entries.
Pass/Fail Test: If a standard system administrator has the technical privilege to delete or alter audit logs within the central repository, mark as Non-Compliant.
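To show what "cannot alter historic entries" looks like at the data level rather than only at the ACL level, the following added example (not code from the original page or from any product) builds a keyed hash chain over constructed log records and verifies it. It assumes the HMAC key lives with the log service, not on the logged hosts; it is a demonstration of the technique, and the key, record contents and field names are constructed. It also demonstrates the limit of a bare chain: silently dropping the most recent entries is not detectable unless the latest tag is anchored somewhere the attacker cannot reach.

```python
import copy
import hashlib
import hmac
import json

# Key held by the log service (for example in an HSM or on a separate signing host),
# never on the systems whose administrators the chain is meant to constrain.
# Constructed for this example only.
LOG_KEY = b"example-key-replace-with-managed-secret"
GENESIS = "0" * 64  # tag of the (non-existent) entry before the first one


def _canonical(record):
    """Stable byte encoding so the same record always produces the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _tag(prev_tag, record, key):
    """HMAC over the previous tag and this record: binds each entry to its predecessor."""
    return hmac.new(key, prev_tag.encode() + b"\n" + _canonical(record), hashlib.sha256).hexdigest()


def chain_append(chain, record, key=LOG_KEY):
    """Append a record and return its tag."""
    prev = chain[-1]["tag"] if chain else GENESIS
    entry = {"seq": len(chain), "record": record, "tag": _tag(prev, record, key)}
    chain.append(entry)
    return entry["tag"]


def verify_chain(chain, key=LOG_KEY, expected_head=None):
    """Return (ok, index_of_first_bad_entry).

    Edits, deletions and reordering break the chain at the affected index. Removal
    of the newest entries is only caught when expected_head (the last tag, published
    out of band) is supplied; the index returned in that case is len(chain).
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or not hmac.compare_digest(_tag(prev, entry["record"], key), entry["tag"]):
            return False, i
        prev = entry["tag"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(chain)
    return True, None


# Constructed sample records.
SAMPLE_RECORDS = [
    {"ts": "2024-05-01T08:00:01Z", "user": "alice", "event": "logon", "outcome": "success", "host": "DC01"},
    {"ts": "2024-05-01T08:00:09Z", "user": "mallory", "event": "logon", "outcome": "failure", "host": "DC01"},
    {"ts": "2024-05-01T08:00:15Z", "user": "mallory", "event": "logon", "outcome": "failure", "host": "DC01"},
    {"ts": "2024-05-01T08:01:02Z", "user": "mallory", "event": "group_change", "outcome": "success", "host": "DC01"},
]


def tamper_demo():
    """Build a chain, apply the tampering an insider would attempt, and verify each copy."""
    chain = []
    for record in SAMPLE_RECORDS:
        chain_append(chain, record)
    head = chain[-1]["tag"]  # would be published to a separate system in practice

    edited = copy.deepcopy(chain)
    edited[1]["record"]["outcome"] = "success"   # rewrite history for entry 1
    deleted = copy.deepcopy(chain)
    del deleted[1]                                # remove entry 1 entirely
    truncated = copy.deepcopy(chain[:-1])         # drop the newest entry

    return {
        "intact": verify_chain(chain, expected_head=head),
        "edited": verify_chain(edited),
        "deleted": verify_chain(deleted),
        "truncated_unanchored": verify_chain(truncated),
        "truncated_anchored": verify_chain(truncated, expected_head=head),
    }


if __name__ == "__main__":
    for name, result in tamper_demo().items():
        print(f"{name:22s} ok={result[0]} first_bad={result[1]}")
```

When auditing, ask where the equivalent of head is kept: if the only copy of the latest tag or signature sits in the same repository the administrator controls, truncation remains undetectable and the control is weaker than the product's "tamper-evident" label suggests.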
5. Accurate Clock Synchronisation Confirmed
Verification Criteria: All systems involved in log generation use a synchronised time source, so that events from different systems can be placed in an accurate chronological order during incident response.
Required Evidence: NTP (Network Time Protocol) configuration settings across a sampled batch of servers, routers, and workstations, together with the live synchronisation status from each sampled host (for example the output of chronyc tracking, ntpq -p, or w32tm /query /status), since a configured but unreachable time source still leaves the clock drifting.
Pass/Fail Test: If system clocks across the infrastructure differ by more than the policy-defined tolerance (e.g., 5 seconds), mark as Non-Compliant.
6. Privileged User Activity Monitoring Validated
Verification Criteria: Specific monitoring is active for accounts with elevated privileges, capturing every command or configuration change executed.
Required Evidence: SIEM dashboard filters or specific audit reports focused solely on “Superuser” or “Domain Admin” activities.
Pass/Fail Test: If the organisation cannot produce a filtered report of all actions taken by a specific administrator in the last 24 hours, mark as Non-Compliant.
7. Log Retention Period Compliance Verified
Verification Criteria: Logs are retained for a period that aligns with legal, regulatory, and business requirements as specified in the data retention schedule.
Required Evidence: Data retention settings within the SIEM or log storage tiers (e.g., Hot/Cold storage settings showing 365+ days).
Pass/Fail Test: If security logs are purged before the mandatory regulatory retention period (e.g., 6 months for certain jurisdictions) expires, mark as Non-Compliant.
8. Log Storage Capacity Management Confirmed
Verification Criteria: Adequate storage is allocated for logs to prevent data loss due to disk exhaustion or ingestion throttling.
Required Evidence: Monitoring alerts for log storage capacity and historic logs showing no “drops” or “gaps” during peak traffic periods.
Pass/Fail Test: If the logging system stopped recording events in the last 90 days due to a “Disk Full” condition, mark as Non-Compliant.
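The "no drops or gaps" evidence in item 8 can be produced from the logs themselves when each source carries a per-host monotonic record counter (the Windows EventRecordID, or a counter the collector assigns on receipt). The following is an added example, not code from the original page or from any product: over constructed events it flags both kinds of loss the table below warns about, a silent window where a source stopped reporting, and records that were emitted but never ingested, which shows up as a jump in the counter with no silence at all. Host names, field names, timestamps and the 15-minute silence threshold are assumptions.

```python
from datetime import datetime, timedelta


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_ingestion_gaps(events, max_silence=timedelta(minutes=15)):
    """Per host, report silent windows longer than max_silence and counter jumps.

    Each finding is (host, kind, from_ts, to_ts, size) where size is minutes of
    silence for kind "silence" and number of lost records for kind "dropped".
    """
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["host"], []).append(ev)
    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["seq"])  # the counter, not the timestamp, is the order
        for prev, cur in zip(evs, evs[1:]):
            silence = parse_ts(cur["ts"]) - parse_ts(prev["ts"])
            if silence > max_silence:
                findings.append((host, "silence", prev["ts"], cur["ts"], int(silence.total_seconds() // 60)))
            lost = cur["seq"] - prev["seq"] - 1
            if lost > 0:
                findings.append((host, "dropped", prev["ts"], cur["ts"], lost))
    return findings


def drop_summary(events):
    """Per host, how many records the counter says were produced versus received."""
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["host"], []).append(ev["seq"])
    summary = {}
    for host, seqs in by_host.items():
        expected = max(seqs) - min(seqs) + 1
        received = len(set(seqs))
        summary[host] = {
            "expected": expected,
            "received": received,
            "dropped_pct": round(100 * (expected - received) / expected, 1),
        }
    return summary


# Constructed sample: a firewall that went silent for 40 minutes (disk full on the
# collector) and a database host whose records were throttled under load.
SAMPLE_EVENTS = [
    {"host": "fw-edge-1", "seq": 100, "ts": "2024-05-01T08:00:00Z"},
    {"host": "fw-edge-1", "seq": 101, "ts": "2024-05-01T08:05:00Z"},
    {"host": "fw-edge-1", "seq": 102, "ts": "2024-05-01T08:10:00Z"},
    {"host": "fw-edge-1", "seq": 140, "ts": "2024-05-01T08:50:00Z"},
    {"host": "fw-edge-1", "seq": 141, "ts": "2024-05-01T08:55:00Z"},
    {"host": "db-prod-1", "seq": 200, "ts": "2024-05-01T08:00:00Z"},
    {"host": "db-prod-1", "seq": 201, "ts": "2024-05-01T08:01:00Z"},
    {"host": "db-prod-1", "seq": 204, "ts": "2024-05-01T08:02:00Z"},
    {"host": "db-prod-1", "seq": 205, "ts": "2024-05-01T08:03:00Z"},
]

if __name__ == "__main__":
    for finding in find_ingestion_gaps(SAMPLE_EVENTS):
        print(finding)
    for host, stats in drop_summary(SAMPLE_EVENTS).items():
        print(host, stats)
```

The database host in the sample is the case a capacity alert on disk space would never surface: its records arrived one minute apart throughout, yet two of every six were lost in transit. That is the condition the table's "Capacity Failures" row describes.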
9. Continuous Log Review and Alerting Validated
Verification Criteria: Logs are actively reviewed, either manually or via automated correlation rules, to identify and alert on potential security incidents.
Required Evidence: List of active SIEM correlation rules and a history of alerts generated and triaged by the security team.
Pass/Fail Test: If logs are collected but never reviewed or used to trigger real-time security alerts, mark as Non-Compliant.
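A "list of active correlation rules" is only meaningful evidence if the auditor understands what a rule actually does with the data, so here is one in full. It is an added example, not code from the original page or from any SIEM: the classic rule that fires when a source address accumulates a run of authentication failures and then succeeds within a short window, the shape of a password spray or brute force that got in. The window, threshold, field names and sample events are assumptions; the third source in the sample shows the window doing its job, since its failures are too old by the time the success arrives.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # how far back failures count (assumed value)
THRESHOLD = 5                   # failures before a following success raises an alert


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate_failed_then_success(events, window=WINDOW, threshold=THRESHOLD):
    """Alert on >= threshold failures from one source followed by a success within window.

    Events are dicts with ts, src_ip, user and outcome ("failure" or "success").
    Failures are tracked per source address, not per user, so a spray across many
    accounts from one host is still seen.
    """
    recent_failures = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        now = parse_ts(ev["ts"])
        failures = recent_failures[ev["src_ip"]]
        while failures and now - failures[0] > window:   # expire failures outside the window
            failures.popleft()
        if ev["outcome"] == "failure":
            failures.append(now)
        elif ev["outcome"] == "success" and len(failures) >= threshold:
            alerts.append({
                "src_ip": ev["src_ip"],
                "user": ev["user"],
                "failures": len(failures),
                "at": ev["ts"],
            })
            failures.clear()   # one alert per burst, not one per subsequent success
    return alerts


def _ev(ts, src_ip, user, outcome):
    return {"ts": ts, "src_ip": src_ip, "user": user, "outcome": outcome}


# Constructed sample: a spray that succeeds, an ordinary user mistyping twice,
# and an old burst whose eventual success falls outside the window.
SAMPLE_EVENTS = (
    [_ev(f"2024-05-01T09:00:{i * 10:02d}Z", "198.51.100.9", f"user{i}", "failure") for i in range(6)]
    + [_ev("2024-05-01T09:01:10Z", "198.51.100.9", "svc_backup", "success")]
    + [_ev("2024-05-01T09:00:05Z", "10.0.0.5", "alice", "failure"),
       _ev("2024-05-01T09:00:20Z", "10.0.0.5", "alice", "failure"),
       _ev("2024-05-01T09:00:30Z", "10.0.0.5", "alice", "success")]
    + [_ev(f"2024-05-01T10:00:{i * 10:02d}Z", "203.0.113.7", "admin", "failure") for i in range(6)]
    + [_ev("2024-05-01T10:08:00Z", "203.0.113.7", "admin", "success")]
)

if __name__ == "__main__":
    for alert in correlate_failed_then_success(SAMPLE_EVENTS):
        print(alert)
```

For the audit, the point is not the rule but what happened next: the alert for 198.51.100.9 should be traceable to a ticket, a triage note and an outcome. A rule list with no such trail is the "technically present but operationally failed" condition in the table below.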
10. Log Handling Awareness and Training Verified
Verification Criteria: Personnel responsible for log management and review are appropriately trained and aware of their responsibilities regarding log integrity.
Required Evidence: Training records for SOC analysts and system administrators specific to log management tools and security analysis.
Pass/Fail Test: If the personnel tasked with reviewing logs cannot explain the criteria for escalating a log-based alert, mark as Non-Compliant.
| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| Log Scope | Tool checks if “Logging is Enabled” in a SaaS portal. | Verify the Detail. Does it log the ‘What’ and ‘Who’, or just the ‘When’? Check for granular event capture. |
| Log Integrity | GRC platform identifies that a SIEM is connected via API. | Test Immutability. Can an admin with a compromised account wipe the logs? If yes, the SIEM is a target, not evidence. |
| Time Sync | SaaS tool assumes cloud servers have correct time. | Check the Correlation. If the Firewall log is 2 minutes ahead of the AD log, an incident timeline is impossible to build. |
| Retention Compliance | Tool marks “Pass” based on a written retention policy. | Verify the TTL Setting. Check the SIEM’s index management. If it’s set to delete after 30 days due to cost, the policy is a lie. |
| Privileged Review | Platform identifies that “Logs are reviewed weekly.” | Check the Audit Trail. Where is the sign-off? A “Pass” requires evidence of a human or AI actually identifying a specific anomaly. |
| Capacity Failures | GRC tool ignores ingestion errors as “Technical Noise.” | Examine Gap Analysis. If 10% of logs are dropped during peak load, the attacker will simply wait for peak load. |
| Alerting Efficacy | Tool confirms that “Alerts are configured.” | Verify Action. If 1,000 alerts fired but zero were investigated, the control is technically present but operationally failed. |