A.8.15 / A.8.16 — Is logging comprehensive and are activities monitored centrally with detection content? (A.8.16 NEW)
Demonstrate that the organization has implemented comprehensive logging across all critical systems with centralized aggregation, correlation, and active monitoring using threat detection content that generates actionable alerts.
Description
What this control does
This control ensures that security-relevant events across information systems, networks, applications, and infrastructure are logged comprehensively, and that logs are centralized for correlation, analysis, and real-time monitoring using detection content (rules, signatures, behavioral analytics). Logging must capture sufficient detail to reconstruct security incidents, while centralized monitoring enables automated alerting on indicators of compromise, policy violations, and anomalous behavior. Effective implementation requires both technical logging capabilities and operational processes to review, tune, and respond to alerts.
Control objective
What auditing this proves
Demonstrate that the organization has implemented comprehensive logging across all critical systems with centralized aggregation, correlation, and active monitoring using threat detection content that generates actionable alerts.
Associated risks
Risks this control addresses
- Undetected malicious activity such as lateral movement, privilege escalation, or data exfiltration due to incomplete or absent logging
- Inability to perform forensic investigation or root cause analysis following a security incident due to insufficient log retention or detail
- Delayed detection of compromised accounts, malware infections, or insider threats resulting in prolonged attacker dwell time
- Failure to meet regulatory requirements for audit trails and security monitoring, leading to enforcement actions or fines
- Missed correlation of related security events across siloed systems, which prevents detection of multi-stage attacks
- Alert fatigue and unmonitored logs causing critical security events to be ignored or overlooked by operations teams
- Tampering with or deletion of local logs by attackers to cover their tracks, with no centralized copies to fall back on
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's logging policy and procedures including the defined list of security-relevant event types and systems in scope for centralized monitoring
- Retrieve the inventory of systems, applications, network devices, and security tools configured to send logs to the central logging platform
- Examine the architecture diagram and configuration of the Security Information and Event Management (SIEM) or centralized logging solution including log sources, retention periods, and storage locations
- Select a representative sample of 10-15 critical systems across different types (servers, firewalls, cloud services, databases, endpoint detection tools) and verify logs are actively flowing to the central platform
- Review the detection content library including correlation rules, threat signatures, use cases, and detection logic deployed in the monitoring system with timestamps of last updates
- Request evidence of alert generation by examining recent security alerts, incident tickets, or monitoring dashboards showing triggered detections over the past 30 days
- Test detection effectiveness by selecting three critical use cases (failed authentication attempts, privileged account usage, external data transfers) and verifying that the corresponding log entries are captured with sufficient detail and that alerts are generated when thresholds are exceeded
- Interview security operations personnel to confirm monitoring processes, alert triage procedures, and escalation workflows, and review evidence of actual alert response activities
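Two of the checks in the testing procedure above, written as an added Python example that is not part of this control description or of any SIEM product: a threshold detection for failed authentication attempts over a sliding window (the first of the three use cases), and a log-source freshness check that flags in-scope systems which have stopped sending events to the central platform (the "logs are actively flowing" step). The syslog-style log lines, host names, IP addresses, the 5-failures-in-5-minutes threshold and the 15-minute silence limit are all constructed assumptions for the example.

```python
"""Audit helpers for A.8.15 / A.8.16 evidence checks (added example, constructed data).

1. detect_failed_auth_bursts: alert when one source IP produces N failed logins in a window.
2. check_log_source_freshness: classify each in-scope host as ok / stale / never-seen.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample events, roughly syslog-style: "<ISO timestamp> <host> <program>: <message>".
# Hosts, users and addresses are placeholders (documentation ranges), not real systems.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z web01 sshd: Failed password for root from 203.0.113.5 port 4001
2024-05-01T10:00:04Z web01 sshd: Failed password for admin from 203.0.113.5 port 4002
2024-05-01T10:00:09Z web01 sshd: Failed password for admin from 203.0.113.5 port 4003
2024-05-01T10:00:12Z web01 sshd: Failed password for root from 203.0.113.5 port 4004
2024-05-01T10:00:15Z web01 sshd: Failed password for root from 203.0.113.5 port 4005
2024-05-01T10:00:20Z web01 sshd: Accepted publickey for deploy from 198.51.100.7 port 5000
2024-05-01T10:07:30Z db01 sshd: Failed password for postgres from 198.51.100.9 port 6000
2024-05-01T10:09:00Z fw01 filterlog: block in on wan from 192.0.2.44 to 10.0.0.5
"""

# Assumed in-scope inventory for the freshness check; vpn01 deliberately has no events.
INVENTORY = ["web01", "db01", "fw01", "vpn01"]
# Fixed "now" so the example is reproducible (assumption: the audit runs at 10:20 UTC).
AUDIT_NOW = datetime(2024, 5, 1, 10, 20, tzinfo=timezone.utc)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")


def parse_events(text):
    """Parse the constructed syslog-style lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def detect_failed_auth_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Alert when one source IP reaches `threshold` failed logins inside `window`.

    Fires once per burst (at the event that reaches the threshold), so a long-running
    brute-force attempt produces one actionable alert rather than an alert per event.
    """
    recent = defaultdict(deque)  # src -> (timestamp, user) of failures still inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        m = FAILED_RE.search(ev["msg"])
        if not m:
            continue
        src = m.group("src")
        q = recent[src]
        q.append((ev["ts"], m.group("user")))
        while ev["ts"] - q[0][0] > window:  # drop attempts that fell out of the window
            q.popleft()
        if len(q) == threshold:
            alerts.append({
                "rule": "failed-auth-burst", "src": src, "host": ev["host"],
                "count": len(q), "users": sorted({u for _, u in q}),
                "first": q[0][0], "last": q[-1][0],
            })
    return alerts


def check_log_source_freshness(events, inventory, now, max_silence=timedelta(minutes=15)):
    """Classify each in-scope host as 'ok', 'stale' (last event older than max_silence)
    or 'never' (no events at all). A quiet source can mean a broken forwarder, a
    misconfigured agent, or an attacker who stopped or deleted local logging."""
    last_seen = {}
    for ev in events:
        last_seen[ev["host"]] = max(last_seen.get(ev["host"], ev["ts"]), ev["ts"])
    status = {}
    for host in inventory:
        if host not in last_seen:
            status[host] = "never"
        elif now - last_seen[host] > max_silence:
            status[host] = "stale"
        else:
            status[host] = "ok"
    return status


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for a in detect_failed_auth_bursts(evs):
        print(f"ALERT {a['rule']}: {a['count']} failures from {a['src']} on {a['host']} "
              f"(users {a['users']}) between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
    for host, state in check_log_source_freshness(evs, INVENTORY, AUDIT_NOW).items():
        print(f"log source {host}: {state}")
```

On the sample data the burst rule fires once for 203.0.113.5 (five failures in 14 seconds across the root and admin accounts) and stays silent for the single postgres failure, while the freshness check reports web01 as stale, db01 and fw01 as ok, and vpn01 as never seen. The same two outputs are what an auditor asks for in the procedure above: an alert with enough detail to reconstruct the event, and evidence that every system on the inventory is actually delivering logs.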