ISO 27001 Annex A Control 8.15

ISO 27001 control 8.15 Logging

The basics

ISO 27001 control A.8.15 Logging requires companies to produce, store, protect and analyze records of relevant events. This enables companies to identify incidents that have occurred or are ongoing, and to identify trends and attempts to compromise information.

Documentation

ISO 27001 control A.8.15 Logging can be documented:

These documents are not mandatory but are recommended.

Implementation

In order to comply with control A.8.15 Logging you might implement the following:

  • Technology — the technology to enable logging could include software (e.g., event logs of an operational system, a logging tool, etc.) or hardware (a logging server). Smaller companies will probably be able to log events using features built into their existing systems, whereas larger companies will probably need software that gathers and analyzes large volumes of log data and correlates data from recorded events.
  • Organization/processes — you should set up a process for producing, keeping, and reviewing event logs. What should be logged may be identified through the defined process for risk assessment and treatment. You can document those processes through Security Procedures for IT Department or a Logging & Monitoring Procedure.
  • People — make employees aware of why logging events is needed, and train IT staff on how to set logging configurations and review gathered logs.

Audit evidence

During the certification audit, the auditor might look for the following evidence regarding control A.8.15 Logging: whether records of relevant events are produced, stored, protected, and analyzed.