Log Integrity and Protection Measures Verified

Logs are protected against unauthorised modification, deletion, or tampering through strict access controls and, where required, digital signatures or hashing. Access Control List (ACL) for the log repository and evidence that even system administrators cannot modify or delete historic log entries.

Accurate Clock Synchronisation Confirmed

All systems involved in log generation utilize a synchronised time source to ensure accurate chronological correlation during incident response. NTP (Network Time Protocol) configuration settings across a sampled batch of servers, routers, and workstations.

Privileged User Activity Monitoring Validated

Specific monitoring is active for accounts with elevated privileges, capturing every command or configuration change executed. SIEM dashboard filters or specific audit reports focused solely on "Superuser" or "Domain Admin" activities.

Log Retention Period Compliance Verified

Logs are retained for a period that aligns with legal, regulatory, and business requirements as specified in the data retention schedule. Data retention settings within the SIEM or log storage tiers (e.g., Hot/Cold storage settings showing 365+ days).

Log Storage Capacity Management Confirmed

Adequate storage is allocated for logs to prevent data loss due to disk exhaustion or ingestion throttling. Monitoring alerts for log storage capacity and historic logs showing no "drops" or "gaps" during peak traffic periods.

Continuous Log Review and Alerting Validated

Logs are actively reviewed, either manually or via automated correlation rules, to identify and alert on potential security incidents. List of active SIEM correlation rules and a history of alerts generated and triaged by the security team.

Log Handling Awareness and Training Verified

Personnel responsible for log management and review are appropriately trained and aware of their responsibilities regarding log integrity. Training records for SOC analysts and system administrators specific to log management tools and security analysis.

ISO 27001 Annex A 8.15 Audit Checklist [+ Templates]

In this ultimate how to audit guide to ISO 27001 Annex A 8.15 Logging, you will learn directly from an ISO 27001 Lead Auditor:

10 Key Audit Steps
Verification Criteria
Required Evidence
The Pass / Fail Test

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

ISO 27001 Annex A 8.15 Logging Audit Checklist

ISO 27001 Annex A 8.15 Logging Audit Checklist

Auditing ISO 27001 Annex A 8.15 Logging is the systematic technical verification of the generation, protection, and analysis of security event logs. The Primary Implementation Requirement is centralised, immutable log storage with automated correlation, providing the Business Benefit of rapid incident detection and indisputable forensic evidence during security investigations.

This technical verification framework is designed for lead auditors to establish the integrity and completeness of event logging within the ISMS. Use this checklist to validate compliance with ISO 27001 Annex A 8.15.

1. Log Generation Scope Alignment Verified

Verification Criteria: Event logs are generated for all security-relevant events including user access, privileged actions, system failures, and security alerts across the infrastructure.

Required Evidence: Configuration files or policy documents defining the specific event IDs and log levels (e.g., Information, Warning, Error) captured.

Pass/Fail Test: If critical systems (e.g., production databases or firewalls) are not generating logs for administrative login attempts, mark as Non-Compliant.

2. Log Attribute Completeness Confirmed

Verification Criteria: Each log entry contains sufficient detail to facilitate an investigation, including User ID, event type, date/time, success/failure status, and source/destination identifiers.

Required Evidence: Raw log samples from the SIEM or central log repository demonstrating the presence of all required metadata fields.

Pass/Fail Test: If log entries lack a unique identifier for the user or the specific system that generated the event, mark as Non-Compliant.

3. Centralised Log Repository Implementation Validated

Verification Criteria: Logs are transmitted from local assets to a centralised, dedicated log management system or SIEM in near real-time.

Required Evidence: Architecture diagram and data ingestion logs from the central repository (e.g., Splunk, Sentinel, ELK).

Pass/Fail Test: If security logs are only stored locally on the originating server with no off-site or centralised backup, mark as Non-Compliant.

READ THE FULL ARTICLE

Access to Business and Consultant Toolkit Members Only.

Get the Toolkit

Members Login

How to Audit ISO 27001 Annex A 8.15: Logging

Table of contents

ISO 27001 Annex A 8.15 Logging Audit Checklist

1. Log Generation Scope Alignment Verified

2. Log Attribute Completeness Confirmed

3. Centralised Log Repository Implementation Validated