ISO 27001 does not hand you a logging checklist with fixed numbers — it requires logging, monitoring and accurate time as risk-based controls in your information security management system (ISMS). This guide explains the relevant 2022 Annex A controls (A.8.15, A.8.16, A.8.17), what an auditor expects, and how long to keep logs.
Not legal advice
This is general guidance to help you scope logging for ISO 27001. The binding requirements are the standard itself and your certification body's interpretation; treat your Statement of Applicability and risk assessment as the source of truth.
ISO 27001 and logging
ISO/IEC 27001 is the international standard for an information security management system. The 2022 revision organises its Annex A into 93 controls across four themes; logging and monitoring sit in the Technological controls (the A.8 group). Rather than prescribe retention periods, ISO 27001 requires you to decide what to log and how long to keep it based on your risk assessment — and to actually use the logs.
The three relevant controls
| Control | Name | What it requires |
|---|---|---|
| A.8.15 | Logging | Produce, store, protect and analyse logs of relevant events — at minimum user activities such as logins, logouts and failed authentication. |
| A.8.16 | Monitoring activities | Monitor networks, systems and applications for anomalous behaviour and to detect potential incidents. |
| A.8.17 | Clock synchronisation | Synchronise the clocks of all relevant systems to an approved time source (typically NTP) so timestamps are accurate and correlatable. |
The three work together: A.8.15 produces the records, A.8.16 makes sure someone (or something) watches them, and A.8.17 keeps timestamps accurate so events from different systems can be correlated during an investigation.
What to log for A.8.15
- Authentication events — logins, logouts, and failed attempts.
- Privileged and administrative activity — account and permission changes, admin actions.
- System and security events — errors, security tool alerts, configuration changes.
- Access to sensitive data and systems — who accessed what, and when.
Logs must be protected against tampering and unauthorised access — an attacker who can edit logs can erase their tracks — and they must be analysed, not just collected.
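As an added illustration (not part of this guide and not LogPulse code), the two halves of A.8.15 in Python: a tamper-evident hash chain over constructed log records, and an A.8.16-style review pass that flags failed-login bursts for one account across several hosts, which only works because the timestamps come from synchronised clocks (A.8.17). Hosts, users and timestamps are hypothetical.

```python
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (hypothetical hosts and users), as a central
# log store might hold them. Timestamps are UTC from NTP-synced hosts (A.8.17).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:01:10Z", "host": "web01", "user": "bob", "event": "login_failed"},
    {"ts": "2024-05-01T08:01:15Z", "host": "web01", "user": "bob", "event": "login_failed"},
    {"ts": "2024-05-01T08:01:22Z", "host": "web02", "user": "bob", "event": "login_failed"},
    {"ts": "2024-05-01T08:01:40Z", "host": "web01", "user": "bob", "event": "login_failed"},
    {"ts": "2024-05-01T08:30:00Z", "host": "db01", "user": "carol", "event": "login_failed"},
    {"ts": "2024-05-01T09:15:00Z", "host": "db01", "user": "admin", "event": "permission_change"},
]
GENESIS = "0" * 64

def canonical(record):
    # Fixed field order so the hash covers every field the same way each time.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def chain_events(events):
    """Tamper-evident storage: h_i = SHA256(h_{i-1} || record_i); any edit or deletion breaks later hashes."""
    chained, prev = [], GENESIS
    for rec in events:
        digest = hashlib.sha256(prev.encode() + canonical(rec)).hexdigest()
        chained.append({**rec, "prev": prev, "hash": digest})
        prev = digest
    return chained

def verify_chain(chained):
    """Recompute the chain; return the index of the first bad record, or -1 if intact."""
    prev = GENESIS
    for i, entry in enumerate(chained):
        rec = {k: v for k, v in entry.items() if k not in ("prev", "hash")}
        expected = hashlib.sha256(prev.encode() + canonical(rec)).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            return i
        prev = expected
    return -1

def failed_login_bursts(events, threshold=4, window=timedelta(minutes=5)):
    """A.8.16-style review: users with >= threshold failed logins inside one window, across all hosts."""
    recent, flagged = defaultdict(list), set()
    for rec in events:  # assumes records are in time order
        if rec["event"] != "login_failed":
            continue
        t = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        recent[rec["user"]] = [x for x in recent[rec["user"]] if t - x <= window] + [t]
        if len(recent[rec["user"]]) >= threshold:
            flagged.add(rec["user"])
    return sorted(flagged)
```

The chain only makes tampering detectable; in practice the digests (or the chained records) must also be shipped to a store the logging host cannot write back to, which is the "protected" part of the control.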
How long to keep logs for ISO 27001
ISO 27001 sets no fixed retention period. You determine it from your risk assessment, legal and contractual obligations, and the need to investigate incidents. A commonly used baseline is at least 12 months of logs, but the right answer is whatever your ISMS documents and justifies. Where other regimes also apply, take the strictest — see log retention requirements by regulation.
What an auditor looks for
- Evidence that relevant events are logged centrally and protected.
- Evidence of active monitoring and review (not just storage).
- NTP configuration on a sample of systems and clock-drift monitoring (A.8.17).
- A documented, risk-justified retention period in your ISMS.
How LogPulse supports ISO 27001 logging
LogPulse centralises and protects logs, monitors them in real time with anomaly detection and a risk-based SIEM, and maps detections to ISO 27001 (alongside NIS2 and DORA) controls for audit evidence. Accurate, synchronised timestamps are preserved on ingest, supporting A.8.17 correlation. LogPulse supports your ISO 27001 programme and produces evidence; it is not itself a certification. See also NIS2 and DORA logging.