Are security-relevant logs centralised, retained for at least 12 months, and reviewed?
Description
What this control does
This control ensures that all security-relevant logs (authentication events, access control decisions, system changes, security tool alerts, and application security events) are forwarded to a centralized logging platform, retained for a minimum of 12 months to support incident investigation and compliance requirements, and systematically reviewed for anomalies and security incidents. Centralization enables correlation across systems, retention supports forensic analysis and trend identification, and active review ensures timely detection of security events. This triad of capabilities forms the foundation of effective security monitoring and incident response.
Control objective
What auditing this proves
Demonstrate that security-relevant logs from all in-scope systems are forwarded to a central repository, retained for at least 12 months with integrity protections, and subjected to documented review processes that enable timely detection and investigation of security events.
Associated risks
Risks this control addresses
- Attackers perform lateral movement or privilege escalation that goes undetected due to insufficient log retention or absence of centralized visibility
- Security incidents cannot be fully investigated or root causes determined because relevant logs have been deleted or were never collected
- Insider threats exfiltrate data or abuse privileges over extended periods without detection due to lack of systematic log review
- Compliance violations or unauthorized system changes remain unidentified because logs from critical systems are not centrally aggregated
- Compromised credentials are used across multiple systems but correlation is impossible due to siloed logging infrastructure
- Evidence required for legal proceedings, regulatory inquiries, or breach notification is unavailable due to premature log deletion
- Advanced persistent threats maintain presence in the environment undetected because log review processes are absent or ineffective
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's logging policy and log management procedures to identify defined security-relevant log sources, centralization requirements, retention periods, and review responsibilities.
- Inventory all in-scope systems and assets (servers, network devices, cloud services, applications, security tools) and determine which generate security-relevant logs.
- Review the centralized logging platform configuration to verify that log sources from the inventory are configured to forward logs and that forwarding is active.
- Select a representative sample of systems across technology types and examine log entries in the central repository to confirm recent logs are present and parseable.
- Query the centralized logging system to verify retention settings are configured for at least 12 months and examine storage capacity reports or backup configurations supporting this retention.
- Select sample dates spanning the 12-month period and verify that logs are retrievable and complete for those dates through direct query or restore testing.
- Review documented evidence of log review activities including SIEM alert dashboards, security analyst review reports, incident tickets generated from log analysis, or scheduled review checklists for the audit period.
- Interview personnel responsible for log review to assess their understanding of review procedures, escalation paths, and the types of events they monitor, and validate their responses against documented procedures and actual evidence of reviews performed.
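As an added example, not part of this control text, the following Python script models the retention and integrity checks from the testing steps above on a constructed daily log archive: it samples dates across the 12-month window to confirm each is retrievable, and recomputes a per-day SHA-256 hash chain so that an edited or deleted day is reported. The chain format and the sample log lines are assumptions for illustration, not any particular logging platform's scheme.

```python
import hashlib
from datetime import date, timedelta

def digest(prev_hex, day, content):
    # Chain each day's archive to the previous digest so a silent edit or gap is detectable.
    return hashlib.sha256(f"{prev_hex}|{day.isoformat()}|{content}".encode()).hexdigest()

def build_archive(first_day, days):
    # Constructed sample archive: one record per day carrying its chained digest.
    archive, prev = {}, "0" * 64
    for i in range(days):
        day = first_day + timedelta(days=i)
        content = f"auth ok user=svc{i % 7} src=10.0.0.{i % 250}"  # constructed log line
        prev = digest(prev, day, content)
        archive[day] = {"content": content, "digest": prev}
    return archive

def verify_chain(archive):
    # Recompute the chain in date order; return the first day whose stored digest
    # no longer matches (an edited day, or the day after a deleted one), else None.
    prev = "0" * 64
    for day in sorted(archive):
        rec = archive[day]
        if digest(prev, day, rec["content"]) != rec["digest"]:
            return day
        prev = rec["digest"]
    return None

def retention_check(archive, as_of):
    # Auditor-style sample: one date roughly each month back to the 12-month boundary.
    wanted = [as_of - timedelta(days=30 * k) for k in range(1, 13)]
    wanted.append(as_of - timedelta(days=365))
    return sorted(d for d in wanted if d not in archive)

def audit(archive, as_of):
    # Combined finding: sampled dates that are not retrievable, and where the chain breaks.
    return {"missing": retention_check(archive, as_of), "broken_at": verify_chain(archive)}

AS_OF = date(2025, 1, 31)                      # assumed audit date
ARCHIVE = build_archive(date(2024, 1, 1), 400)  # constructed 400-day archive

if __name__ == "__main__":
    print("clean archive:", audit(ARCHIVE, AS_OF))
    tampered = {d: dict(r) for d, r in ARCHIVE.items()}
    tampered[date(2024, 6, 1)]["content"] = "auth ok user=svc0 src=10.0.0.1"  # edited day
    del tampered[date(2024, 2, 1)]                                             # deleted day
    print("tampered archive:", audit(tampered, AS_OF))
```

A clean archive yields no missing dates and no chain break; the tampered copy reports both the sampled date that is no longer retrievable and the first day whose digest fails to recompute.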