The organisation should establish and maintain structured security logging practices to support the timely detection, investigation, and analysis of cybersecurity incidents, technical faults, and security weaknesses.
Internal rules shall define:
- The categories of security-relevant events to be recorded and the circumstances under which logging is activated.
- The mandatory information elements of each log entry, including identification of the actor or system involved, a description of the activity, the affected assets or data, and precise time information (a timestamp with time zone, taken from a synchronised clock).
- Uniform formatting and technical standards to ensure logs from different systems can be correlated and compared.
- Technical and organisational safeguards to protect logs against unauthorised access, modification, deletion, or physical damage.
- The storage location, retention period, and mechanisms ensuring logs remain accessible for analysis throughout their lifecycle.
- The process, frequency, and responsible roles for reviewing and analysing log data.
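The following is an added example, not part of the original text, showing one way to enforce the mandatory log elements and the tamper-protection requirement above in code: each record is validated against a required-field schema (the field names `timestamp`, `actor`, `action`, `target` and `outcome` are an assumed schema, not prescribed by the document), and records are linked by an HMAC chain so that any modification or deletion of an earlier record is detected on verification. The key, the sample entries and the function names are constructed for this example.

```python
import hashlib
import hmac
import json
from datetime import datetime

# Assumed schema: the mandatory elements of each entry (actor, activity,
# affected asset, outcome, precise time). Field names are hypothetical.
REQUIRED_FIELDS = ("timestamp", "actor", "action", "target", "outcome")

# Hypothetical key for the demo. In practice the key should live with the
# log collector (or an HSM/KMS), not on the host that writes the log, so a
# compromised host cannot forge a valid chain.
DEMO_KEY = b"constructed-demo-key-do-not-use"
GENESIS = "0" * 64  # previous-tag value for the first record

# Constructed sample entries (not real log data).
SAMPLE_ENTRIES = [
    {"timestamp": "2024-05-01T12:00:00Z", "actor": "alice", "action": "login",
     "target": "vpn-gw-01", "outcome": "success"},
    {"timestamp": "2024-05-01T12:00:05Z", "actor": "alice", "action": "sudo",
     "target": "db-01", "outcome": "success"},
    {"timestamp": "2024-05-01T12:00:09Z", "actor": "svc-backup", "action": "read",
     "target": "/var/lib/db", "outcome": "denied"},
]


def validate_entry(entry):
    """Return a list of problems; an empty list means the entry carries every
    mandatory element and a parseable, time-zone-qualified ISO 8601 timestamp."""
    problems = [f"missing {f}" for f in REQUIRED_FIELDS
                if entry.get(f) in ("", None)]
    ts = entry.get("timestamp")
    if isinstance(ts, str):
        try:
            # Accept a trailing 'Z' on older Python versions by normalising it.
            parsed = datetime.fromisoformat(ts.replace("Z", "+00:00"))
            if parsed.tzinfo is None:
                problems.append("timestamp has no time zone")
        except ValueError:
            problems.append("timestamp not ISO 8601")
    return problems


def canonical(entry):
    """Uniform serialisation so the same entry always authenticates the same bytes."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def append(chain, entry, key=DEMO_KEY):
    """Validate and append an entry. The record's tag covers the previous
    record's tag, so altering or removing an earlier record breaks every
    later tag. Returns the new tag."""
    problems = validate_entry(entry)
    if problems:
        raise ValueError(problems)
    prev = chain[-1]["tag"] if chain else GENESIS
    tag = hmac.new(key, prev.encode() + canonical(entry), hashlib.sha256).hexdigest()
    chain.append({"entry": dict(entry), "prev": prev, "tag": tag})
    return tag


def build_chain(entries, key=DEMO_KEY):
    chain = []
    for e in entries:
        append(chain, e, key)
    return chain


def verify(chain, anchor=None, key=DEMO_KEY):
    """Walk the chain and recompute each tag. Returns (True, None) if intact,
    else (False, index) of the first record that fails. `anchor` is the last
    tag recorded out of band (e.g. at the collector): without it, silently
    truncating the newest records would go unnoticed."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev:
            return False, i
        expected = hmac.new(key, prev.encode() + canonical(rec["entry"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["tag"]):
            return False, i
        prev = rec["tag"]
    if anchor is not None and prev != anchor:
        return False, len(chain)
    return True, None


if __name__ == "__main__":
    chain = build_chain(SAMPLE_ENTRIES)
    print("intact:", verify(chain))
    chain[1]["entry"]["outcome"] = "denied"   # simulate an edit to record 1
    print("after tamper:", verify(chain))
```

Verification with an out-of-band `anchor` matters because a hash chain alone cannot tell a log that was truncated at its tail from one that simply ended there; periodically recording the latest tag at the collector (or signing it) closes that gap, and the review process in the document would check that stored anchor against the chain.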
Logging and log management processes should be subject to periodic review. A record of each review should be maintained.