A.12.4: Logging and Monitoring Controls
1. Understanding Logging and Monitoring (Annex A.12.4)
• Core Objective: "To record events and generate evidence". This is crucial for detecting
unauthorized activities, investigating incidents, understanding system faults, and
demonstrating due diligence.
• Evidence Generation: Logs must be of a quality and integrity suitable for formal use (internal,
regulatory, legal).
• Four Sub-Controls (Pillars):
o A.12.4.1 Event Logging: Producing, keeping, and reviewing event logs.
o A.12.4.2 Protection of Log Information: Safeguarding logs from tampering and
unauthorized access.
o A.12.4.3 Administrator and Operator Logs: Specific logging for privileged user
activities.
o A.12.4.4 Clock Synchronisation: Ensuring consistent time across systems.
o These controls are interdependent for overall effectiveness.
• Foundational Role: Essential for "defence-in-depth", providing detective and investigative
capabilities. Helps prevent security events from going undetected for extended periods.
• Broader Benefits: Supports IT operations (fault diagnosis) and compliance with various
regulations (GDPR, HIPAA, SOX).
2. A.12.4.1: Event Logging
• Control Requirement: "Event logs recording user activities, exceptions, faults and information
security events need to be produced, kept and reviewed regularly".
o Produce: Configure systems to generate logs.
o Keep: Define retention periods and plan for storage.
o Regularly Review: Actively examine logs to detect anomalies and incidents; this is
key for monitoring. Specialized tools like SIEM can assist.
• Key Events to Log:
o Access control events (successful/rejected attempts).
o User activities.
o Privilege use/escalation.
o System configuration changes.
o Application/utility usage.
o File access (especially important data).
o Security system events (AV, IDS alerts).
o Identity management events.
o Transactions.
o Faults and exceptions.
• Balancing Act: Log critical events based on risk assessment to avoid "alert fatigue" and
overwhelming data volumes.
• Essential Log Fields: Timestamp, User ID, System/Application Name, Source/Destination IP,
Device ID, Event Type/ID, Event Description, Action Taken, Success/Failure Status, Network
Protocol.
• Practical Considerations:
o Storage: Plan for sufficient capacity.
o Tools: Centralized log management and SIEM systems for aggregation, analysis,
correlation, and alerting.
o Personnel: Skilled staff needed to configure tools, interpret output, and respond.
3. A.12.4.2: Protection of Log Information
• Control Requirement: "Logging facilities and log information must be protected against
tampering and unauthorised access". This covers the entire logging pipeline.
• Criticality:
o Evidentiary Value: Protects log credibility for investigations (must be "forensically
sound").
o Regulatory Compliance (PII): Logs often contain PII (user IDs, IPs), making
protection vital for data privacy laws (e.g., GDPR). Attackers may target logs to steal
PII or cover tracks.
• Protection Strategies (Technical & Procedural):
o Access Controls: Strict, role-based access, strong authentication.
o Integrity Mechanisms: Append-only storage, WORM media, cryptographic
hashing/digital signatures.
o Confidentiality: Encryption at rest and in transit.
o Segregation of Duties: Prevent admins from altering their own activity logs.
o Physical Security: Protect systems storing logs.
o Secure Transmission: Encrypted protocols (TLS/SSL).
o Regular Backups: Securely backed up and potentially stored off-site.
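Worked example, added here and not part of the original notes: a Python append-only log whose records carry the essential fields listed under A.12.4.1 and an HMAC that chains each record to the one before it (the "cryptographic hashing" integrity mechanism under A.12.4.2), so an edited, deleted or reordered record is detectable on review. The signing key, host names and events are constructed assumptions.

```python
import hashlib
import hmac
import json

# Demo-only key (assumption): in practice the key is held by the log collector,
# not by the hosts that write events, so a compromised host cannot re-sign history.
SIGNING_KEY = b"demo-only-key-not-for-production"

# The essential log fields listed under A.12.4.1, as a fixed record schema.
FIELDS = ("timestamp", "user_id", "system", "src_ip", "dst_ip", "device_id",
          "event_type", "description", "action", "status", "protocol")

def _mac(body: dict) -> str:
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()

def append_entry(chain: list, **values) -> dict:
    """Append one record whose MAC also covers the previous record's MAC."""
    # Every MAC depends on the one before it, so editing, deleting or reordering
    # any earlier record invalidates every record that follows it.
    record = {f: values.get(f, "") for f in FIELDS}
    record["prev"] = chain[-1]["mac"] if chain else "genesis"
    record["mac"] = _mac(record)
    chain.append(record)
    return record

def verify_chain(chain: list) -> int:
    """Return -1 if the chain is intact, else the index of the first bad record."""
    prev = "genesis"
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "mac"}
        expected = _mac(body)
        if body.get("prev") != prev or not hmac.compare_digest(expected, rec.get("mac", "")):
            return i
        prev = rec["mac"]
    return -1

def build_sample_chain() -> list:
    """Constructed sample events (not real data): a rejected logon, an accepted one, a file read."""
    chain = []
    append_entry(chain, timestamp="2024-03-10T09:14:02Z", user_id="alice", system="vpn-gw01",
                 src_ip="203.0.113.7", event_type="AUTH_FAIL", action="deny", status="failure",
                 protocol="TLS", description="bad password")
    append_entry(chain, timestamp="2024-03-10T09:14:20Z", user_id="alice", system="vpn-gw01",
                 src_ip="203.0.113.7", event_type="AUTH_OK", action="allow", status="success",
                 protocol="TLS", description="MFA accepted")
    append_entry(chain, timestamp="2024-03-10T09:15:01Z", user_id="alice", system="fileserv01",
                 src_ip="10.0.0.5", dst_ip="10.0.0.20", event_type="FILE_READ", action="read",
                 status="success", protocol="SMB", description="hr/payroll.xlsx")
    return chain
```

Run verify_chain on a stored chain at each review; a non-negative result points at the first record that was altered or whose predecessor was removed.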
4. A.12.4.3: Administrator and Operator Logs
• Control Requirement: "Any system administrator and system operator activities need to be
logged and the logs protected and regularly reviewed".
• Rationale:
o Accountability: Attribute actions to specific privileged users.
o Detection of Misuse: Identify unauthorized changes, privilege abuse, or compromised
accounts. "Special consideration should be given to greater levels of logging for
privileged accounts".
o Acts as a deterrent.
• Specific Considerations:
o Granularity: May require more detail (e.g., exact commands).
o Review Frequency: Potentially more frequent or real-time review.
o Stricter Protection: Crucial that these logs are protected from alteration by the
admins/operators themselves.
o Alerting: Configure alerts for high-risk privileged activities.
• Focus Areas for Logging: System configuration changes, user account management
(especially privileged accounts), security settings modification, software installation/updates,
access to sensitive data/systems, log management activities, use of privileged commands,
backup/restore operations.
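Added example (not from the original notes) of the review and alerting step above: a small Python rule that parses sudo syslog lines, maps each privileged command onto the focus areas just listed and flags the high-risk ones, including a log file deletion that a reviewer would want surfaced. The command sets and the log lines are constructed assumptions.

```python
import re
from collections import namedtuple

# sudo's usual syslog line: "sudo: <user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:.*?USER=(?P<target>\S+)\s+;\s+COMMAND=(?P<cmd>.+)$")

# Focus areas from the A.12.4.3 notes, keyed by command name. The command sets
# are assumptions for this demo, not a complete policy.
FOCUS_AREAS = {
    "account_management": {"useradd", "usermod", "userdel", "passwd", "visudo"},
    "security_settings": {"iptables", "nft", "ufw", "setenforce"},
    "software_install": {"apt-get", "apt", "yum", "dnf"},
    "privileged_shell": {"bash", "sh", "su"},
}
LOG_PATHS = ("/var/log/", "journalctl")  # touching these is log management activity
HIGH_RISK = {"account_management", "security_settings", "log_management", "privileged_shell"}
PrivilegedEvent = namedtuple("PrivilegedEvent", "user target command category alert")

def classify(command: str) -> str:
    # Check log paths first so "rm -f /var/log/auth.log" is not bucketed as "other".
    if any(p in command for p in LOG_PATHS):
        return "log_management"
    exe = command.split()[0].rsplit("/", 1)[-1]  # "/usr/sbin/useradd" -> "useradd"
    for area, names in FOCUS_AREAS.items():
        if exe in names:
            return area
    return "other"

def review_sudo_log(lines: list) -> list:
    """Return one PrivilegedEvent per sudo line; alert marks the high-risk focus areas."""
    events = []
    for line in lines:
        m = SUDO_RE.search(line)
        if m:
            cat = classify(m["cmd"])
            events.append(PrivilegedEvent(m["user"], m["target"], m["cmd"], cat, cat in HIGH_RISK))
    return events

# Constructed sample lines (not from a real system); the last one is not a sudo event.
SAMPLE = [
    "Mar 10 09:14:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd -m contractor",
    "Mar 10 09:20:45 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get upgrade -y",
    "Mar 10 23:58:11 web01 sudo:      bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/rm -f /var/log/auth.log",
    "Mar 10 23:59:30 web01 sudo:      bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/cat /etc/hostname",
    "Mar 11 00:01:02 web01 sshd[2201]: Accepted publickey for bob from 10.0.0.5 port 50212 ssh2",
]
```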
5. A.12.4.4: Clock Synchronisation
• Control Requirement: "The clocks of all relevant information processing systems within an
organisation or security domain must be synchronised to a single reference time source".
• Indispensable Role:
o Accurate Event Correlation: Essential for piecing together events from multiple log
sources during investigations. Without it, establishing a clear timeline is "impossible
or very difficult".
o Forensic Soundness: Underpins the reliability of all logged evidence.
• Implementation:
o Protocols: Network Time Protocol (NTP) is common; Precision Time Protocol (PTP)
for higher precision.
o Reference Sources: Use authoritative external NTP servers or internal servers
synchronized to them. Use multiple sources for redundancy.
o Hybrid Environments: Address time synchronization across on-premises, private, and
public cloud systems. Document discrepancies.
• Best Practices: Reliable time sources, consistent protocol use (NTP), correct network
configuration, NTP hierarchy, regular monitoring/verification, documentation, and security of
NTP (authentication).
6. Bringing It All Together: Effective Log Management Practices
• Logging and Monitoring Policy: A formal document outlining objectives, scope,
responsibilities, event types to log, review procedures, retention periods, and protection
measures.
• Log Review, Analysis, and Interpretation:
o Requires skilled personnel.
o Establish baselines of normal behavior.
o Correlate logs from multiple sources (SIEM is key).
o Use threat intelligence feeds.
o Implement rule-based alerting.
o Ensure regular and consistent review.
o Document findings.
o Human expertise is vital alongside tools to tune rules and minimize false positives.
• Log Retention:
o Define periods based on business, legal/regulatory (e.g., SOX, HIPAA, GDPR, PCI
DSS), contractual, and investigative needs.
o Balance needs against storage costs and risks of holding sensitive data (PII) for too
long.
o Often results in tiered retention schedules.
• Secure Disposal of Log Data:
o Crucial to prevent unauthorized access to old logs.
o Methods depend on media:
§ Physical: Shredding, pulverization, degaussing, physical destruction.
§ Digital: Secure erasure/wiping, cryptographic erasure.
o Document disposal processes.
• Links to Other ISMS Processes:
o Incident Management (A.16): Logs are vital for reporting events (A.16.1.2),
assessment (A.16.1.4), response (A.16.1.5), and evidence collection (A.16.1.7).
o Information Systems Audits (A.12.7): Logs provide key evidence for auditors to verify
control effectiveness and compliance.