Logs act as digital diaries for effective information security. It allows organizations to follow meticulous recording steps and keep track of valuable interactions and events.
Additionally, logs are helpful when evaluating incidents. If anything goes wrong in your ISMS, you can use the recorded logs to find out precisely where things went wrong and who is responsible for it.
It is why ISO 27001 certification consultants, as well as the standard itself, encourage organizations to implement controls for effective logging.
In clause 8.15 of Annex A of ISO 27001, you will find the control requirement for producing, storing, protecting, and analyzing logs.
In today’s blog, we offer a breakdown of this requirement to help you comply with it.
So, if your company is pursuing the ISO 27001 certification, continue reading!
Logging Requirements In ISO 27001 Certification: Your ISO Audit Consultants
According to ISO 27001:2022, your ISMS logs should record activities, faults, exceptions, and other relevant events.
Overall, the control should focus on
•Recording events,
•Collecting evidence,
•Protecting information integrity,
•Securing log data against unauthorized access
•Identifying events and actions that can lead to data or security breaches,
•Acting as a tool in investigating internal and external matters.
What To Include In The Event Log?
ISO 27001 certification consultants explain that events are actions performed by a physical or logical presence on a computer system. For instance, it could be something like requesting data or deleting a file.
What you should include in the event log essentially depends on your operations. Yet, there are a few pointers that every event log should contain.
They are:
•User ID: Who or what account completed the event or performed the actions,
•System activity: What happened,
•Timestamps: Date and time of the actions or events,
•System and device identifiers and location: The system where the event occurred,
•Network address and protocols: IP information.
What Events Should You Record?
Logging every event may not be possible for your organization. In that case, ISO 27001 certification consultants and Control 8.15 highlight 10 critical events that you should definitely log in.
•System access attempts,
•Data or resource access attempts,
•System or OS configuration changes,
•Using elevated privileges,
•Using maintenance facilities or utility programs,
•File access, deletion, migration requests,
•Access control interruptions and alarms,
•Activation and deactivation of security systems,
•Identity administration work,
•Specific suspicious actions, such as data alterations,
How To Protect The Logs?
Logs play a vital role in establishing system and user behavior during investigation.
Therefore, it’s essential to protect their integrity and prevent users from deleting or modifying their own logs.
Reputed ISO 27001 certification consultants agree that each log should be complete, safeguarded, and accurate.
Experts recommend the following methods for protecting logs.
•Cryptographic hashing,
•Append-only recording,
•Read-only recording,
•Using public transparency files,
If your organization needs to send logs to suppliers to resolve incidents, you should de-identify the logs and mask the following information.
•Usernames,
•IP addresses,
•Hostnames.
Additionally, you shall take measures to secure personally identifiable information as per the organization’s data privacy protocols and applicable legislation.
What To Consider When Analyzing The Logs?
When you need to analyze the logs for identifying, resolving, and analyzing information security issues, you must consider the following factors.
•The competence of the person carrying out the analysis,
•The methods of analyzing the logs,
•The category, attributes, and type of each event that you need to analyze,
•Exceptions applied via network rules emerging from security platforms,
•The default network traffic flow compared to unexplainable patterns,
•Trends resulting from specialized data analysis,
•Threat intelligence.
What To Consider When Monitoring The Logs?
Along with log analyzing, ISO 27001 certification consultants recommend monitoring the logs to analyze key patterns and anomalous behavior.
For effective log monitoring, you should consider
•Reviewing attempts to access critical resources, such as web portals, file-sharing platforms, and domain servers,
•Scrutinize logs to keep an eye on outgoing traffic linked to dubious sources or dangerous server operations,
•Collect data usage reports to identify malicious activities,
•Collect logs from physical access points like fob logs, key cards, or room access information.
Additional Information
ISO 27001:2022 certification consultants recommend organizations consider utilizing specialized utility programs to search through vast amounts of information. It can help you save time and resources.
If your organization uses a cloud-based platform to carry out any operation related to logging, make log management a shared responsibility. Your organization, as well as the services provider, should take responsibility for the management system.
Furthermore, when implementing this control, you should check out the supporting controls of ISO 27001, including 5.34, 8.11, 8.17, and 8.18.
A lot of people ask how long they should retain the logs. Truthfully, ISO 27001 does not dictate a specific retention period. Therefore, it comes down to your needs. Your organization should specify the log retention period in its policy. If you are still confused, a good rule of thumb is to retain logs for at least three years.
Wrapping Up
So, are you ready to implement the log requirements of ISO 27001? Hopefully, this guide from ISO 27001 certification consultants has helped you understand the control. If you have any further queries, check out the Annex A control list of ISO 27001. Also, make sure you choose skilled and competent experts to oversee the controls and measure their effectiveness periodically.