The article discusses the logging requirements of ISO 27001 cyber security. It highlights the purpose of Annex A 8.15 and what organizations shall do to implement this control.

According to Statista, more than 422 million individuals were affected by data leakage, breaches, exposure, and compromises in the US in 2022. These events have led to unauthorized access to critical and sensitive data.

When these types of incidents arise, one of the first questions people ask is how this happened. They want to know when and where things went wrong, and who is responsible for the breach.

The ISO 27001 cyber security standard aims to help organizations get answers to these queries whenever a data breach occurs with an effective logging control as per Annex A 8.15.

Dive into the following section to learn the Annex A 8.15 requirements of ISO 27001 and how your organization can comply with it to get to the root of data breaches.

Purpose of Annex A 8.15 in the ISO 27001 Cyber Security Standard

Logs are records about incidents, systems, user activities, and access. They are crucial for achieving an overview of the involvement of personnel and ICT activities.

They allow organizations to build a timeline of events and analyze logical and physical trends across the network.

Annex A 8.15 of ISO 27001 cyber security certification requires organizations to produce, store, protect, and analyze logs that record activities, faults, exceptions, and other relevant events.

Also, your organization shall regularly check the logs for:

• Recording occurrences
• Acquiring proof and gathering data
• Maintaining the integrity of information
• Ensuring the log is secure from unauthorized access
• Identifying occurrences and activities that could cause a breach
• Using the logs for internal and external inquiries

Guidance on Event Log Information

In this context, an event is an activity carried out by a logical or physical entity on a computer system, such as a remote login request, a data request, the deletion of a file, or an automatic shutdown.

According to the ISO 27001 cyber security standard, each event log must contain five primary components to fulfill its purpose:

• The user ID associated with the personnel
• The system activity, so the actions that took place can be monitored and identified
• The date and time of the event
• The devices or systems where the event took place
• Network addresses, protocols, and IP information

Guidance on Event Types

Logging every occurrence on a network might be impractical for larger organizations.

In that case, ISO 27001:2022 Annex A 8.15 specifies ten events that organizations must log:

• Tracking and monitoring of system access attempts
• Monitoring the attempts to access data or resources and related suspicious activities
• Alterations of system/OS configuration
• Use of high-level privileges
• Use of maintenance facilities or utility programs
• File access, deletion, and migration requests
• Critical interrupts and access control alarms
• Deactivation or activation of back-end and front-end security systems
• Identity administration
• Modifications or actions taken for the system/data during a session with the application

Besides these requirements, ISO 27001:2022 Annex A 8.17 recommends that organizations synchronize all their logs to the same time source, and where logs come from third-party applications, companies must address any time discrepancies.

How to Approach Log Protection?

The ISO 27001 cyber security management standard recognizes the importance of logs in determining user, application, and system activity on networks.

Thus, the standard requires companies to retain their event logs and not allow anyone to delete or alter them. It also says that each log should be complete, accurate, and protected against unauthorized disruptions, such as:

• Edited or deleted log files
• Message type amendments
• Failure to produce a log
• Overwriting of logs

Your organization can use the following ISO-recommended techniques to safeguard the logs:

• Read-only recording
• Use of public transparency files
• Append-only record
• Cryptographic hashing
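The append-only and cryptographic-hashing techniques above can be combined into a hash-chained log, where each record carries a SHA-256 digest of its own content plus the digest of the record before it. The following is an added example written for this article, not code from the article, from ISO, or from any certification body; the event field names follow the five log components listed earlier, and the sample events and the `GENESIS` anchor are constructed for the demonstration. It shows that an edited, deleted or overwritten record breaks the chain and is reported on verification.

```python
"""Added example (not from the article or from ISO 27001): a hash-chained,
append-only event log. Each record stores a SHA-256 digest of its own
content plus the previous record's digest, so editing, deleting or
overwriting any record breaks the chain and is detected on verification.
Sample events and the GENESIS anchor are constructed for this example."""
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # constructed anchor value for the first record


def _digest(event: Dict, prev_hash: str) -> str:
    # Canonical JSON so the same event always hashes the same way
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_event(log: List[Dict], event: Dict) -> Dict:
    """Append a record; the log is only ever extended, never rewritten."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    record = {"event": event, "prev_hash": prev_hash, "hash": _digest(event, prev_hash)}
    log.append(record)
    return record


def verify_log(log: List[Dict]) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if the chain is intact, else (False, index of first bad record)."""
    prev_hash = GENESIS
    for i, rec in enumerate(log):
        if rec["prev_hash"] != prev_hash or rec["hash"] != _digest(rec["event"], rec["prev_hash"]):
            return False, i
        prev_hash = rec["hash"]
    return True, None


def sample_log() -> List[Dict]:
    """Build a small log from constructed events carrying the five components."""
    events = [
        {"user_id": "jdoe", "activity": "remote_login", "timestamp": "2024-05-01T08:00:00Z",
         "device": "vpn-gw-01", "network": {"src_ip": "203.0.113.7", "protocol": "TLS"}},
        {"user_id": "jdoe", "activity": "file_delete", "timestamp": "2024-05-01T08:05:12Z",
         "device": "fileserver-02", "network": {"src_ip": "10.0.0.15", "protocol": "SMB"}},
        {"user_id": "asmith", "activity": "privilege_use", "timestamp": "2024-05-01T08:07:40Z",
         "device": "db-01", "network": {"src_ip": "10.0.0.22", "protocol": "SSH"}},
    ]
    log: List[Dict] = []
    for ev in events:
        append_event(log, ev)
    return log


def tamper_demo() -> Dict[str, Tuple[bool, Optional[int]]]:
    """Show that an edit, a deletion and an overwrite are each detected."""
    def fresh() -> List[Dict]:
        return json.loads(json.dumps(sample_log()))  # deep copy via JSON round-trip

    results = {"intact": verify_log(fresh())}
    edited = fresh()
    edited[0]["event"]["user_id"] = "mallory"       # content changed, hash no longer matches
    results["edited"] = verify_log(edited)
    deleted = fresh()
    del deleted[1]                                  # gap: record 2 no longer points at record 1
    results["deleted"] = verify_log(deleted)
    overwritten = fresh()
    overwritten[2] = overwritten[1]                 # last record replaced by a copy of an earlier one
    results["overwritten"] = verify_log(overwritten)
    return results


if __name__ == "__main__":
    for name, outcome in tamper_demo().items():
        print(f"{name:12s} -> intact={outcome[0]}, first_bad_index={outcome[1]}")
```

A chain like this only proves integrity relative to its last hash, so that head hash has to be recorded somewhere the log writer cannot rewrite (a separate system, a signed checkpoint, or a published transparency record, which is what the "public transparency files" item above is about); otherwise an attacker with write access to the log file can simply re-chain the tail.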

Furthermore, when you encounter incidents or faults, you may be required to send logs to your vendors. Before doing so, your organization shall de-identify the logs by masking the following information:

• IP address
• Hostnames
• Usernames
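One way to do this masking before logs leave the organization, as an added example not taken from the article or from ISO 27001: IP addresses, hostnames and usernames are replaced by keyed pseudonyms (an HMAC-SHA256 tag truncated to eight hex characters), so the vendor can still correlate events that share a source or user without learning the real values. The `key=value` line format, the field names `user=`, `host=` and `src=`, the sample lines and `DEMO_KEY` are all assumptions constructed for this example.

```python
"""Added example (not from the article or from ISO 27001): de-identify log
lines by replacing IP addresses, hostnames and usernames with keyed
pseudonyms. Same value + same key => same token, so correlation survives
while the real identifiers do not leave the organization. Line format,
field names and the key are constructed assumptions for this example."""
import hashlib
import hmac
import re
from typing import List

DEMO_KEY = b"constructed-demo-key-rotate-me"  # constructed; keep the real key separate from the logs you send

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
KEYED_RE = re.compile(r"\b(?P<key>user|host)=(?P<val>\S+)")


def pseudonym(value: str, kind: str, key: bytes) -> str:
    """Deterministic token for a value: HMAC over 'kind:value', first 8 hex chars."""
    tag = hmac.new(key, f"{kind}:{value}".encode("utf-8"), hashlib.sha256).hexdigest()[:8]
    return f"{kind}-{tag}"


def mask_line(line: str, key: bytes = DEMO_KEY) -> str:
    """Replace user=/host= values and any IPv4 literal with pseudonyms."""
    # Field-based pass first, so an IP used as a host= value is tagged as a host
    def _keyed(m) -> str:
        return f"{m.group('key')}={pseudonym(m.group('val'), m.group('key'), key)}"

    masked = KEYED_RE.sub(_keyed, line)
    # Then catch IPv4 literals anywhere else in the line (src=, free text, ...)
    return IPV4_RE.sub(lambda m: pseudonym(m.group(0), "ip", key), masked)


def mask_lines(lines: List[str], key: bytes = DEMO_KEY) -> List[str]:
    return [mask_line(line, key) for line in lines]


# Constructed sample lines for the demonstration
SAMPLE_LINES = [
    "2024-05-01T08:00:00Z host=vpn-gw-01 user=jdoe src=203.0.113.7 action=login result=failure",
    "2024-05-01T08:00:04Z host=vpn-gw-01 user=jdoe src=203.0.113.7 action=login result=success",
    "2024-05-01T08:03:10Z host=fileserver-02 user=asmith src=10.0.0.15 action=file_delete result=success",
]

if __name__ == "__main__":
    for original, masked in zip(SAMPLE_LINES, mask_lines(SAMPLE_LINES)):
        print(original)
        print("  ->", masked)
```

The key used for pseudonymization must be stored and rotated like any other secret, since anyone holding it can confirm guesses against the tokens; the action and result fields are left intact so the vendor can still diagnose the fault.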

Additionally, you shall take steps to protect PII in line with your company's data privacy policies and applicable laws.

Approaching Log Analysis

When evaluating logs to investigate, explain, and pinpoint cyber security incidents, you shall consider the following to prevent recurrences:

• The individual conducting the analysis has a high level of expertise
• The organization analyzes the logs according to company protocol
• Analyzed events are categorized and identified by attribute and type
• Exceptions resulting from network rules
• Typical network traffic patterns compared against unexpected ones
• Trends revealed by specialized data analysis
• Threat intelligence

Guidance on Log Monitoring

The ISO 27001 cyber security standard requires companies to perform log monitoring to support log analysis and detect patterns of uncommon behavior.

Here are the actions you can take to meet this requirement:

• Review any attempts to access business-critical and security resources
• Examine DNS records to detect outgoing traffic associated with harmful processes or malicious sources
• Get data usage records from internal systems or service vendors to identify malicious behavior
• Gather records from physical entry points
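The first two monitoring actions above can be turned into simple checks that run over the event records. The following is an added example written for this article, not code from the article or from ISO 27001: check 1 flags a user and source that repeatedly fail to access a resource tagged as business-critical, and check 2 flags DNS queries for names on a denylist. The `key=value` line format, the `tier=critical` tag, the `FAILURE_THRESHOLD`, the denylist and the sample lines are all assumptions constructed for the demonstration.

```python
"""Added example (not from the article or from ISO 27001): two monitoring
checks run over constructed key=value log lines. Check 1 counts failed
accesses to business-critical resources per (user, source) and reports
those at or above a threshold; check 2 reports DNS queries for names on a
denylist. Field names, tag, threshold, denylist and lines are constructed."""
from collections import Counter
from typing import Dict, List

# Constructed sample lines in the form the checks expect
SAMPLE_LINES = [
    "2024-05-01T08:00:01Z type=access user=jdoe src=203.0.113.7 resource=payroll-db tier=critical result=failure",
    "2024-05-01T08:00:03Z type=access user=jdoe src=203.0.113.7 resource=payroll-db tier=critical result=failure",
    "2024-05-01T08:00:05Z type=access user=jdoe src=203.0.113.7 resource=payroll-db tier=critical result=failure",
    "2024-05-01T08:00:09Z type=access user=asmith src=198.51.100.4 resource=wiki tier=standard result=failure",
    "2024-05-01T08:01:00Z type=access user=asmith src=198.51.100.4 resource=payroll-db tier=critical result=success",
    "2024-05-01T08:02:00Z type=dns src=198.51.100.4 query=updates.example.com",
    "2024-05-01T08:02:30Z type=dns src=203.0.113.7 query=malware-c2.example.net",
]

# Constructed denylist standing in for a threat-intelligence feed
DNS_DENYLIST = {"malware-c2.example.net"}
FAILURE_THRESHOLD = 3  # constructed; tune to the environment's normal failure rate


def parse_line(line: str) -> Dict[str, str]:
    """Split 'ts key=value key=value ...' into a dict; the timestamp is stored under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for token in rest.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def failed_critical_access(lines: List[str], threshold: int = FAILURE_THRESHOLD) -> Dict[str, int]:
    """Check 1: failed accesses to critical resources, grouped by user and source."""
    counts: Counter = Counter()
    for f in map(parse_line, lines):
        if f.get("type") == "access" and f.get("tier") == "critical" and f.get("result") == "failure":
            counts[(f.get("user", "?"), f.get("src", "?"))] += 1
    return {f"{user}@{src}": n for (user, src), n in counts.items() if n >= threshold}


def denylisted_dns(lines: List[str], denylist=DNS_DENYLIST) -> List[Dict[str, str]]:
    """Check 2: DNS queries whose name is on the denylist, with time and source."""
    hits = []
    for f in map(parse_line, lines):
        if f.get("type") == "dns" and f.get("query", "").lower() in denylist:
            hits.append({"ts": f["ts"], "src": f.get("src", "?"), "query": f["query"]})
    return hits


if __name__ == "__main__":
    print("repeated failed critical access:", failed_critical_access(SAMPLE_LINES))
    print("denylisted DNS queries:", denylisted_dns(SAMPLE_LINES))
```

Both checks key on the components the article says every log entry must carry (user ID, activity, time, system, network address), which is why an incomplete record silently drops out of the counts; that is a reason to treat a missing field as a log-quality finding in its own right rather than ignoring it.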

Final Words

These are the primary requirements of ISO 27001 cyber security regarding information logging. Besides these rules, the standard recommends that organizations use specialized utility programs to sift through immense amounts of information to save time and resources. If you employ a cloud-based platform, you and the service provider shall both be responsible for log management.

Blue Wolf Certifications is a business partner to various accredited certification bodies. In other words, we are one of their auditors, operating as a regional office.

Our auditors have been described as transparent, open, fair, supportive, easy to talk to, and helpful.

Our audits have been described as friendly, relaxing, straightforward, orderly, professional and painless.

Take the advice of our clients: we will make your ISO certification journey easier and less stressful.

Author's Bio: 

The author has been an ISO certification audit specialist for the last 37 years. Now, in his leisure, he invests in research and writing blogs and articles on different topics associated with ISO standards and audit assessments.