Log Protection

A recent article emphasizes the (sometimes underestimated) importance of log protection.

The related ISO 27001 standard requirement sounds like this:

“Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed.” (A8.15)

The previous edition of the standard devoted a whole subsection to event logging, with three controls:

  • generate logs
  • protect logs
  • log operations that require elevated rights

One further control in that subsection, on clock synchronization (so that log timestamps from different systems stay aligned and can be correlated), did not change.

This is an exquisite example of how the latest ISO 27001 standard edition simplified the wording of controls, without relaxing the requirements. When implementing the related controls, consider the following as well:

  • The current wording does not explicitly state that privileged operations shall be logged, but ISO 27002 suggests it. Do not skip it: it is not only good practice, auditors will also require it.
  • There is no longer a requirement for a “regular review” of logs, but for their “analysis”. This gives a bit more flexibility on what to do:

  1. a regular review suggests a manual activity, whereas log collection and analysis tools are abundant and can do much of the work continuously
  2. decide carefully which events and logs must be analysed in near real time and which only need to be examined when an incident is investigated

  • The term “protection of logs” may mean many things. Since a log is a kind of record, the standard’s record protection requirement (A5.33) can be used to interpret it.
  • Be careful: not only computers generate logs, but embedded systems (such as UPSs and entry control systems) as well.
