Event logs recording user activities, exceptions, faults, errors and information security events should be produced, retained and regularly reviewed.
The standard lists many items for consideration; a practical approach is to start by logging everything available and then cut back to what you can actually store and review. Probably the most important fields are the date and time of access and the location of the user, since these are the most likely to reveal exceptional activity during a review.
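As an added example (not part of the ISO 27002 text or of this page), the following Python reviews a set of constructed access log lines for the two indicators singled out above: access outside a user's normal working hours and access from a location not previously seen for that user. The log format, field names, the working-hours window, the country codes and every sample line are assumptions made for the illustration.

```python
"""Review access log entries for exceptional activity by time and location.

Added example for this page, not taken from the standard or the site.
Everything below (log format, 'office hours' window, sample lines) is
constructed for the illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional, Set

# Constructed sample log: "<UTC timestamp> <user> <result> <source country>"
SAMPLE_LOG = """\
2024-03-04T08:55:12Z alice OK GB
2024-03-04T09:02:41Z bob OK GB
2024-03-04T12:14:03Z alice OK GB
2024-03-04T23:47:55Z alice OK GB
2024-03-05T09:05:10Z bob OK GB
2024-03-05T10:31:27Z bob OK RU
2024-03-05T03:12:45Z carol FAIL US
"""

# Assumed normal working window (UTC); anything outside it is reported.
WORK_START = time(8, 0)
WORK_END = time(19, 0)


@dataclass(frozen=True)
class Entry:
    ts: datetime
    user: str
    result: str
    country: str


def parse_log(text: str) -> List[Entry]:
    """Parse the constructed four-field format; reject malformed lines
    rather than silently dropping them, so gaps in the log are visible."""
    entries: List[Entry] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        entries.append(Entry(ts, parts[1], parts[2], parts[3]))
    return entries


def out_of_hours(ts: datetime) -> bool:
    """True when the time of day falls outside [WORK_START, WORK_END)."""
    return not (WORK_START <= ts.time() < WORK_END)


def review(entries: List[Entry],
           known_locations: Optional[Dict[str, Set[str]]] = None) -> List[str]:
    """Return one finding per exceptional entry, in log order.

    known_locations is a baseline of countries already accepted per user.
    Without one, the baseline is learnt from the log itself: the first
    country seen for a user is accepted and later new countries are
    flagged. That means a first-ever login from an unexpected place is
    NOT flagged unless a baseline is supplied, so supply one in practice.
    """
    seen: Dict[str, Set[str]] = {u: set(v) for u, v in (known_locations or {}).items()}
    findings: List[str] = []
    for e in entries:
        if out_of_hours(e.ts):
            findings.append(
                f"{e.ts.isoformat()} {e.user}: access outside working hours ({e.ts.time()})")
        locs = seen.setdefault(e.user, set())
        if locs and e.country not in locs:
            findings.append(
                f"{e.ts.isoformat()} {e.user}: new location {e.country} "
                f"(previously {sorted(locs)})")
        locs.add(e.country)
    return findings


if __name__ == "__main__":
    for finding in review(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run as is, the script reports alice's late-night access, bob's appearance from a second country and carol's early-morning failed login; carol's US origin is accepted as her baseline because nothing earlier contradicts it, which is exactly why a review should work from a maintained baseline of expected locations rather than from the log alone.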
Event logs should be protected against loss, corruption and unauthorised changes. Where possible, system administrators should not have permission to erase or deactivate the logging of their own activities. An intrusion detection or log collection function managed outside the remit of the network administrators can provide this separation and gives compliance functions an independent record, where appropriate.
Ensure there is sufficient capacity to store log information. Equally, given the volume of these logs, consider how the data will be consolidated or summarised so it can be reviewed without disrupting ongoing collection. Appropriate safeguards should be applied to the extracted or archived copies as well as to the live logs.
The clocks of all processing systems should be synchronised to a single reference time source so that events from different systems can be correlated reliably. The requirements and how they are met should be documented.
Return to the main ISO 27002 page here: https://activaconsulting.co.uk/iso-27002-controls/