ISO 27001 Logging and Monitoring Policy: the ultimate guide


Introduction

In this ultimate guide I show you everything you need to know about the Logging and Monitoring Policy and exactly what you need to do to satisfy it to gain ISO 27001 certification.

We will get to grips with what logging and monitoring is, understand why organisations need a Logging and Monitoring Policy, show you how to write one, and let you in on trade secrets that will save you hours of time and effort.

I am Stuart Barker: founder of High Table, Information Security expert and ISO 27001 Ninja, and this is the ISO 27001 Logging and Monitoring Policy.

What is a Logging and Monitoring Policy?

The Logging and Monitoring Policy sets out the guidelines and the framework for how you monitor systems, the logs that you keep and what you do with them.

This Logging and Monitoring Policy is about identifying the risks of system-based security events by the use of logging and monitoring tools and techniques.

Purpose

The purpose of this policy is to address the identification and management of risk from system-based security events by logging and monitoring systems, and to record events and gather evidence.

Why is it important?

There is no doubt at all that systems are going to have information security events that occur. These are events that threaten our data, and more specifically the confidentiality, integrity and availability of that data.

If you do not implement tools, techniques and processes for logging and monitoring on those systems, you will not know when these events happen. Things could go undetected for days, weeks, months or even years.

It is important to be able to detect when things go wrong so that you can manage them.

It may well be the case that false positives occur and our processes also need to take this into account.

Of course the requirements of the law take precedence so no matter what you do, it is vitally important to ensure that it is done in the bounds of the law.

What should it contain?

The Logging and Monitoring Policy is required to be presented in a certain way. What is meant by that is that the policy is expected to have certain document markup. Document markup is just a fancy term for having certain information on the policy. You will need version control, a version number, an owner and an information security classification.

An example table of contents would look something like this:

Purpose
Scope
Principle
Event Logging
Event Logging Access Control
Protection of Event Log Information
Administrator and operator logs
Clock synchronisation
Event Log Monitoring
Event Log Retention
Centralised Logging
Personal Privacy
Policy Compliance
Compliance Measurement
Exceptions
Non-Compliance
Continual Improvement
Areas of the ISO27001 Standard Addressed

It is straightforward to write a Logging and Monitoring Policy. These are the steps that you would take.

How to write it

Let me step you through how to write an ISO 27001 Logging and Monitoring Policy.

Implementation Summary Steps

  1. Define the policy purpose
  2. Define the policy scope
  3. Define the policy principle
  4. Set out what we do for event logging
  5. Lay out how we give access to event log information
  6. Describe how we protect event logs
  7. Describe what we do with admin and privilege accounts
  8. Set out the approach to clock synchronisation
  9. Set out how we monitor logs
  10. Define how long logs are retained
  11. Provide our approach to centralised logging
  12. Understand any legal and regulatory impact
  13. Be clear on our commitment to personal privacy
  14. Set out the approach to managing improvement

Contents Page

You insert a contents table.

Logging and Monitoring Policy Purpose

The policy records its purpose as addressing the identification and management of risk from system-based security events through logging and monitoring systems. It achieves this by recording events and gathering evidence.

Logging and Monitoring Policy Scope

The policy shows that the scope includes all employees, third-party users, and all devices used to process, store, or transmit company information.

Logging and Monitoring Policy Principle

The policy states that all devices processing, storing, or transmitting confidential, cardholder, or personal information must have audit and logging enabled whenever logging is possible, practical, and can generate audit logs.

Event Logging

Produce, keep, and regularly review event logs that record user activities, exceptions, faults, and information security events.

Event logs should include, when relevant:

  • user IDs.
  • system activities.
  • dates, times, and details of key events, e.g., log-on and log-off.
  • device identity or location (where possible) and system identifier.
  • records of successful and rejected system access attempts.
  • records of successful and rejected data and other resource access attempts.
  • changes to system configuration.
  • use of privileges.
  • use of system utilities and applications.
  • files accessed and the kind of access.
  • network addresses and protocols.
  • alarms raised by the access control system.
  • activation and de-activation of protection systems, such as anti-virus systems and intrusion detection systems.
  • records of transactions executed by users in applications.
  • identity or name of affected data, system component, or resource.

Automated monitoring systems which can generate consolidated reports and alerts on system security are used where possible.
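The field list above is only useful if the log sources you onboard actually emit those fields. The following is an added example, not code from the original guide or from High Table, showing how to check a batch of structured (JSON) log events against the policy's required fields and report the gaps per source system. The field names, the event types and the sample log lines are constructed assumptions for the example; map them onto whatever schema your own sources use.

```python
"""Check that structured log events carry the fields the policy expects.

Added example; the field names, event types and sample lines below are
constructed assumptions, not a schema from the original guide.
"""
import json
from collections import defaultdict

# Policy items from the list above, expressed as keys of a JSON event
# (key names are assumptions for this example).
REQUIRED_FIELDS = {
    "timestamp": "dates and times of key events",
    "user": "user ID",
    "system": "system identifier",
    "host": "device identity",
    "event_type": "system activity",
    "outcome": "successful or rejected attempt",
    "src_addr": "network address",
}

# Fields the policy asks for only with particular kinds of event.
CONDITIONAL_FIELDS = {
    "file_access": {"target": "file accessed", "access_kind": "kind of access"},
    "config_change": {"target": "system component changed"},
    "privilege_use": {"privilege": "privilege used"},
}

# Constructed sample batch: hr-app is complete, legacy-fs and edge-fw are
# missing fields, and the last line is not JSON at all.
SAMPLE_LOG_LINES = [
    '{"timestamp":"2024-03-01T08:02:11Z","user":"alice","system":"hr-app","host":"hr01",'
    '"event_type":"logon","outcome":"success","src_addr":"10.0.5.21"}',
    '{"timestamp":"2024-03-01T08:03:40Z","user":"bob","system":"hr-app","host":"hr01",'
    '"event_type":"file_access","outcome":"success","src_addr":"10.0.5.22",'
    '"target":"/payroll/march.csv","access_kind":"read"}',
    '{"timestamp":"2024-03-01T08:05:02Z","system":"legacy-fs","event_type":"file_access",'
    '"outcome":"rejected","target":"/shares/finance"}',
    '{"timestamp":"2024-03-01T08:06:15Z","user":"carol","system":"edge-fw","host":"fw01",'
    '"event_type":"config_change","outcome":"success","src_addr":"10.0.1.9"}',
    'this line is not JSON at all',
]


def parse_event(line):
    """Return the event as a dict, or None if the line is not a JSON object."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    return event if isinstance(event, dict) else None


def missing_fields(event):
    """List the required and conditional fields that are absent or empty."""
    missing = [f for f in REQUIRED_FIELDS if not event.get(f)]
    for f in CONDITIONAL_FIELDS.get(event.get("event_type"), {}):
        if not event.get(f):
            missing.append(f)
    return missing


def coverage_report(lines):
    """Count missing fields per source system across a batch of log lines."""
    gaps = defaultdict(lambda: defaultdict(int))
    unparseable = 0
    for line in lines:
        event = parse_event(line)
        if event is None:
            unparseable += 1          # a source emitting unstructured output
            continue
        system = event.get("system", "<unknown>")
        for f in missing_fields(event):
            gaps[system][f] += 1
    return {"unparseable": unparseable,
            "gaps": {s: dict(g) for s, g in gaps.items()}}


if __name__ == "__main__":
    print(json.dumps(coverage_report(SAMPLE_LOG_LINES), indent=2))
```

Run this over a day's export from each new log source before signing it off: a system that appears in the gaps report with `user` or `host` missing cannot support the access and privilege-use records the policy requires, and a non-zero `unparseable` count means the source is not producing the structured output the monitoring tooling expects.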

Event Logging Access Control

Only authorised personnel can access event logging and monitoring systems. These systems and reports are closely guarded, following the access control policy and data retention schedule. Ideally, system administrators wouldn’t have the ability to delete or disable logs of their own actions.

Event logging and monitoring is performed by authorised personnel only.

Event logging and monitoring systems and reports are strictly protected and restricted in line with the access control policy and data retention schedule.

Where possible, system administrators should not have permission to erase or de-activate logs of their own activities.

Protection of Event Log Information

Event logging and monitoring systems and reports are strictly protected and restricted in line with the access control policy and data retention schedule.

Administrator and operator logs

Where possible, system administrators should not have permission to erase or de-activate logs of their own activities.

Clock synchronisation

The clocks of all relevant information processing systems within an organization or security domain should be synchronised to a single reference time source.

Time data is protected.

Time settings are received from industry-accepted time sources.

Event Log Monitoring

Responsibilities are assigned for the analysing and monitoring of events.

High risk events automatically alert to the incident management process.

Log files are reviewed daily.

The following shall be reviewed daily:

  • All security events
  • Logs of all system components that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD)
  • Logs of all critical system components
  • Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.).

Event Log Retention

Event logs from the last 3 months are immediately available.

Event logs are retained for 12 months.
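The Event Log Monitoring and Event Log Retention sections above, together with the rule that administrators should not be able to erase or de-activate logs of their own activities and the clock synchronisation requirement, describe one daily process. The following is an added example, not code from the original guide or from High Table, that runs that process over a batch of events: it raises the high-risk events to an incident management queue, reports hosts whose clocks have drifted from the collector's, and decides which retention tier a log file belongs in under the 3-month / 12-month figures. The event types, the skew tolerance and the sample lines are constructed assumptions.

```python
"""Daily log review: escalate high-risk events, flag clock skew, tier retention.

Added example; event type names, the skew tolerance and the sample events
are constructed assumptions, not from the original guide.
"""
import json
from datetime import date, datetime

HOT_DAYS = 90            # "event logs from the last 3 months are immediately available"
RETAIN_DAYS = 365        # "event logs are retained for 12 months"
MAX_SKEW_SECONDS = 300   # assumed tolerance before a source clock is reported

# Constructed sample: each event carries the source's own timestamp and the
# time the central log server received it.
SAMPLE_LOG_LINES = [
    '{"timestamp":"2024-03-01T08:02:11Z","received":"2024-03-01T08:02:12Z","user":"alice",'
    '"host":"hr01","event_type":"logon","outcome":"success"}',
    '{"timestamp":"2024-03-01T08:10:00Z","received":"2024-03-01T08:10:01Z","user":"bob",'
    '"host":"hr01","event_type":"privilege_use","outcome":"rejected","privilege":"sudo"}',
    '{"timestamp":"2024-03-01T08:20:00Z","received":"2024-03-01T08:20:03Z","user":"root",'
    '"host":"db01","event_type":"log_cleared","outcome":"success"}',
    '{"timestamp":"2024-03-01T07:30:00Z","received":"2024-03-01T08:25:00Z","user":"dave",'
    '"host":"fs02","event_type":"file_access","outcome":"success"}',
    '{"timestamp":"2024-03-01T09:00:00Z","received":"2024-03-01T09:00:02Z","user":"eve",'
    '"host":"ws17","event_type":"protection_disabled","outcome":"success"}',
]


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp such as 2024-03-01T08:02:11Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def escalation_reason(event):
    """Return why the event must go to incident management, or None."""
    kind, outcome = event.get("event_type"), event.get("outcome")
    if kind in ("log_cleared", "log_disabled"):
        # an administrator erasing or de-activating logs of their own activity
        return f"audit log erased or de-activated by {event.get('user')}"
    if kind == "protection_disabled":
        return f"protection system de-activated on {event.get('host')}"
    if kind == "privilege_use" and outcome == "rejected":
        return f"rejected privilege use by {event.get('user')}"
    return None


def clock_skew(event):
    """Seconds between the source timestamp and the collector's receive time."""
    return abs((parse_ts(event["received"]) - parse_ts(event["timestamp"])).total_seconds())


def retention_tier(log_date, today):
    """'hot' (immediately available), 'archive' (retained) or 'purge'."""
    age = (date.fromisoformat(today) - date.fromisoformat(log_date)).days
    if age <= HOT_DAYS:
        return "hot"
    if age <= RETAIN_DAYS:
        return "archive"
    return "purge"


def daily_review(lines):
    """Review one batch of events; returns counts, alerts and skewed hosts."""
    review = {"reviewed": 0, "alerts": [], "skewed_hosts": set()}
    for line in lines:
        event = json.loads(line)
        review["reviewed"] += 1
        reason = escalation_reason(event)
        if reason:
            review["alerts"].append((event["timestamp"], reason))
        if clock_skew(event) > MAX_SKEW_SECONDS:
            review["skewed_hosts"].add(event.get("host"))
    return review


if __name__ == "__main__":
    result = daily_review(SAMPLE_LOG_LINES)
    print(f"reviewed {result['reviewed']} events")
    for ts, reason in result["alerts"]:
        print(f"ALERT {ts}: {reason}")
    print("hosts with clock skew:", sorted(result["skewed_hosts"]))
    for log_date in ("2024-01-01", "2023-09-01", "2023-01-01"):
        print(log_date, "->", retention_tier(log_date, "2024-03-01"))
```

Two design points carry over to a real deployment. The `received` timestamp comes from the central log server, so the skew check only works when that server is itself synchronised to the reference time source; and the escalation rules should be applied on the server, not on the source host, so that an administrator who can clear a local log cannot also suppress the alert about having done so.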

Centralised Logging

Centralised logging to a remote dedicated log server should be considered.

Compliance Section

The policy closes with the compliance section (compliance measurement, exceptions, non-compliance and continual improvement), which is covered in other tutorials.

ISO 27001 Templates

The Logging and Monitoring Policy Template is part of the Ultimate ISO 27001 Toolkit and also exclusively available stand-alone. It is prewritten, fully populated and ready to go and fully complies with ISO27001:2022.

Example

This is an example of the Logging and Monitoring Policy, showing the first three pages, which set out what it includes.

[Images: ISO 27001 Logging and Monitoring Policy example, pages 1 to 3]

FAQ

What are the benefits of ISO 27001 Logging and Monitoring Policy?

Other than your ISO 27001 certification requiring it, the following are benefits of having the ISO 27001 Logging and Monitoring Policy:

  1. Improved security: You will identify information security events in a timely manner and be able to react to them and manage them.
  2. Reduced risk: Ensuring systems are monitored will reduce the risk of attack and exploit.
  3. Improved compliance: Standards and regulations require that you monitor and log security events.
  4. Reputation protection: In the event of a breach, having effective logging and monitoring management will reduce the potential for fines and reduce the PR impact of an event.

Who is responsible for the ISO 27001 Logging and Monitoring?

This will depend on the structure and make-up of your organisation. If you have an operations manager then it will sit with them. Otherwise, responsibility will be assigned to the information security manager.

Who is responsible for implementing the ISO 27001 Logging and Monitoring Policy?

This falls to the technical teams responsible for the systems that are being monitored and logged. In general terms you would say IT, but it will require specialists in the technologies that you have deployed.

How do you monitor the effectiveness of the ISO 27001 Logging and Monitoring Policy?

The approaches to monitoring the effectiveness of logging and monitoring include:

  1. Technical reports from technical monitoring implementations
  2. Internal audit of the logs and monitors process
  3. External audit of the logs and monitors process
  4. Review of incidents and changes

What are examples of a violation of the Logging and Monitoring Policy?

Examples of where the policy can fail or violations of the ISO 27001 Logging and Monitoring Policy can include:

  • Not protecting access to logs
  • Monitoring the wrong things
  • Monitoring that breaches the law and personal privacy

What are the consequences of violating the ISO 27001 Logging and Monitoring Policy?

Not monitoring for information security events can have severe consequences for information security and the confidentiality, integrity and availability of data and systems. 

The consequences could be legal and regulatory fines and / or enforcement, loss of data, loss of revenue, loss of clients and customers, negative PR.

How often is the Logging and Monitoring Policy reviewed?

The Logging and Monitoring Policy is reviewed after any significant change that affects the organisation and at least annually.

ISO 27001 and the ISO 27001 Logging and Monitoring Policy

The following are ISO 27001 controls relevant to Logging and Monitoring to consider for further reading:

ISO 27001 Annex A 8.15 Logging