Quick Answer: ISO 27001 audit logging requirements are defined primarily under Annex A Control 8.15 (Logs) and related controls in the ISO/IEC 27001:2022 standard. You must collect, protect, and retain logs of user activity, system events, and security incidents to demonstrate that your information security controls are operating as intended.
ISO/IEC 27001 audit logging requirements cover what events you must record, how long you must retain those records, who can access them, and how you protect logs from tampering.
The 2022 revision of the standard consolidated and strengthened these requirements under Annex A, making log management one of the more technically demanding areas of certification. Getting it right requires the right tooling, defined policies, and ongoing monitoring, not a one-time configuration.
This page breaks down exactly what the standard requires, where organizations typically struggle, and what your options are for meeting these requirements without building an entire compliance function from scratch.
Key Takeaways
- ISO/IEC 27001 audit logging requirements are primarily governed by Annex A Control 8.15, which mandates that you produce, protect, and review logs of user activity, exceptions, faults, and security events.
- Log management is one of the most technically intensive areas of ISO 27001 because it requires both the right tooling and continuous operational discipline.
- Most organizations take 6 to 18 months to achieve ISO 27001 certification, with log infrastructure typically requiring early setup to support the observation period.
- Building an in-house compliance and security logging function costs $84,000 to $132,000 or more per year for a single hire, before accounting for tooling and auditor fees.
- A managed compliance partner handles log configuration, monitoring, and audit evidence collection on your behalf, starting at approximately $4,800 per month.
What Are ISO 27001 Audit Logging Requirements?
ISO/IEC 27001:2022 addresses audit logging across several interconnected Annex A controls. The core requirement lives in Control 8.15, but you cannot treat it in isolation. Several adjacent controls shape what your logging program must look like in practice.
| Control | Title | What It Requires |
| --- | --- | --- |
| 8.15 | Logging | Produce and retain logs of user activity, exceptions, faults, and security events |
| 8.16 | Monitoring Activities | Monitor systems and networks and review logs for anomalous behavior |
| 8.17 | Clock Synchronization | Synchronize clocks across all systems to ensure log timestamps are accurate and consistent |
| 5.33 | Protection of Records | Protect logs from unauthorized access, modification, and deletion |
| 8.12 | Data Leakage Prevention | Monitor for unauthorized data exfiltration, which depends on log capture |
| 5.28 | Collection of Evidence | Retain logs in a format that supports forensic investigation and audit evidence |
The standard does not prescribe a specific retention period, but your risk assessment and any applicable legal or contractual requirements must inform how long you keep logs. Many organizations set a minimum of 90 days of immediately accessible logs with 12 months of archival storage.
Under Control 8.15, the types of events you must log include user logins and logouts, privilege escalations, access to sensitive systems or data, configuration changes, failed authentication attempts, and system errors or faults. Your logging policy must document which systems are in scope, what events are captured, and who is responsible for reviewing them.
Control 8.17 is frequently overlooked. If your log timestamps are inconsistent across systems, your audit trail becomes unreliable. Auditors will check this. Clock synchronization via NTP (Network Time Protocol) must be configured and verified across your entire environment.
Protecting log integrity under Control 5.33 means logs must be stored in a location where the users being monitored cannot alter or delete them. Write-once storage or a centralized SIEM with role-based access controls satisfies this requirement in most cases.
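The three technical points above (event coverage under 8.15, clock consistency under 8.17, and tamper evidence under 5.33) can each be checked mechanically once logs are centralized. The following is an added example, not code from the page or any vendor: it runs over a constructed set of collector records (each carrying the producing system's timestamp and the collector's ingestion timestamp), reports missing event categories, flags sources whose clocks drift beyond a tolerance, and hash-chains the records so that a later edit or deletion is detectable. The event labels, field names and 5-second tolerance are assumptions chosen for the example.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Event categories the page lists under Control 8.15 (label names are assumed).
REQUIRED_EVENTS = {"login", "logout", "auth_failure", "privilege_escalation",
                   "sensitive_access", "config_change", "system_fault"}

# Constructed sample records: 'ts' is the producing system's own clock and
# 'received' is the central collector's clock at ingestion.
SAMPLE_LOGS = [
    {"source": "web01", "ts": "2024-05-01T10:00:00Z",
     "received": "2024-05-01T10:00:01Z", "event": "login", "user": "alice"},
    {"source": "db01", "ts": "2024-05-01T09:50:02Z",
     "received": "2024-05-01T10:00:02Z", "event": "sensitive_access", "user": "alice"},
    {"source": "bastion", "ts": "2024-05-01T10:01:00Z",
     "received": "2024-05-01T10:01:00Z", "event": "privilege_escalation", "user": "alice"},
    {"source": "bastion", "ts": "2024-05-01T10:02:30Z",
     "received": "2024-05-01T10:02:31Z", "event": "config_change", "user": "alice"},
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def coverage_gaps(records, required=REQUIRED_EVENTS):
    """Control 8.15: required event categories that no in-scope system is producing."""
    return sorted(required - {r["event"] for r in records})

def clock_skew_by_source(records, tolerance=timedelta(seconds=5)):
    """Control 8.17: sources whose clocks drift from the collector beyond tolerance."""
    worst = {}
    for r in records:
        skew = abs(parse(r["received"]) - parse(r["ts"]))
        worst[r["source"]] = max(skew, worst.get(r["source"], timedelta(0)))
    return {s: int(d.total_seconds()) for s, d in worst.items() if d > tolerance}

def chain(records):
    """Control 5.33: hash-chain records so a later edit or deletion is detectable."""
    prev, out = "0" * 64, []
    for r in records:
        digest = hashlib.sha256((prev + json.dumps(r, sort_keys=True)).encode()).hexdigest()
        out.append({"record": r, "prev": prev, "hash": digest})
        prev = digest
    return out

def verify_chain(chained):
    """Index of the first broken link (edited, reordered or deleted record), or -1."""
    prev = "0" * 64
    for i, entry in enumerate(chained):
        body = json.dumps(entry["record"], sort_keys=True)
        expected = hashlib.sha256((prev + body).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            return i
        prev = entry["hash"]
    return -1
```

In a real deployment the chain head would be written to storage the monitored users cannot reach (the write-once store or SIEM the text describes); the chain only proves tampering if the latest hash is itself protected.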
For a broader view of what ISO 27001 certification involves, the ISO 27001 certification guide covers the full scope of the standard.
Challenges Companies Face When Getting ISO 27001 Compliant
Meeting ISO 27001 audit trail logging requirements sounds straightforward on paper. In practice, most organizations hit several of the same walls.
Underestimating scope: Log requirements touch every system in your environment. Servers, endpoints, cloud platforms, SaaS applications, and network devices all need to be captured and centralized, and many organizations only realize this partway through implementation.
No internal expertise: Configuring a SIEM, setting retention policies, and writing a logging and monitoring policy that satisfies an auditor requires skills that span IT, security engineering, and compliance. Most small and mid-sized businesses do not have all three in-house.
Ongoing burden: Logging is not a set-and-forget control. You need regular log reviews, alert triage, and documented evidence that someone is actually acting on what the logs show. That operational discipline is hard to maintain without dedicated staff.
Auditor back-and-forth: Auditors will ask for evidence that your logs are complete, tamper-protected, and reviewed. If your documentation does not match your actual configuration, remediation cycles add months to your timeline.
Tool sprawl: Many organizations end up with logs scattered across multiple platforms with no centralized view. Choosing, configuring, and integrating the right SIEM and GRC tools is a significant project on its own.
Employee resistance: Enforcing logging on personal devices, restricting log access to privileged users, and requiring documented review procedures creates friction that slows implementation.
What Does It Take to Meet ISO 27001 Audit Trail Logging Requirements?
Meeting the ISO 27001 logging and audit trail controls requires work across four distinct areas. Each one has its own complexity, and gaps in any one area will surface during your certification audit.
Documentation and Policy Development
You need a formal logging and monitoring policy that defines what events are captured, which systems are in scope, retention periods, review responsibilities, and escalation procedures. This policy must be approved by management and reviewed at least annually. Auditors will check for version control and evidence of review. Most organizations also need a supporting procedure document that maps the policy to specific technical configurations.
Technical Controls and Tooling
Your logging infrastructure must centralize events from all in-scope systems into a tamper-protected repository. A SIEM (Security Information and Event Management) platform is the standard approach. Microsoft Sentinel, for example, ingests logs from M365, Entra ID, Intune, Defender, and third-party sources, and applies detection rules that flag anomalous activity. Clock synchronization must be enforced across all systems, and log storage must be configured with access controls that prevent modification or deletion by standard users.
Ongoing Monitoring and Maintenance
Collecting logs is only half the requirement. Control 8.16 requires that you actually monitor them. This means regular log reviews, documented alert triage, and a process for escalating potential security incidents. If your logs sit in a SIEM with no one reviewing them, you will fail this control. You need either dedicated staff or a managed SOC to satisfy the monitoring requirement continuously.
Auditor Coordination and Evidence Collection
When your certification audit arrives, you need to produce evidence that your logging controls have been operating consistently, not just that they exist. That means documented log review records, alert response tickets, and configuration screenshots showing retention settings and access controls. Pulling this evidence together under audit pressure is one of the most common causes of timeline delays.
In-House vs Managed: Approaches to ISO 27001 Compliance
There is no single right way to meet ISO 27001 logging audit trail requirements. The right approach depends on your internal capacity, budget, and timeline. Here is an objective breakdown of what each path actually involves.
| | DIY / In-House | GRC Platform Only (Drata, Vanta) | Managed Compliance Partner |
| --- | --- | --- | --- |
| Implementation | Your team builds it | Platform guides you, you do the work | Partner builds it for you |
| Ongoing maintenance | Your team | Your team + automation | Partner's team + automation |
| Auditor coordination | You manage it | Limited support | Managed end-to-end |
| Tech stack | You select and configure | Integrations only | Full security stack deployed |
| Dedicated team | Your hires ($84K-$132K+ per person) | None | Multi-role team assigned to your account |
| Typical timeline | 12-18+ months | 6-12 months | ~8 months initial implementation |
| Starting cost | $84K-$132K+/year (one hire) | $10K-$30K/year (platform only) | ~$4,800/month (full service) |
The DIY path gives you the most control but requires hiring staff with SIEM administration, compliance documentation, and audit coordination skills. A GRC platform like Drata or Vanta automates evidence collection and control tracking, but you still need someone to configure the integrations, write the policies, and manage the audit relationship. A managed compliance partner handles all of it, which is why the timeline is typically shorter despite the higher monthly cost compared to a platform-only subscription.
If you are weighing these options, the article on how to choose a compliance provider walks through the decision in more detail.
Getting Started With ISO 27001 Compliance
If you are starting from zero or trying to close gaps before an audit, here is a practical four-step path forward.
1. Book a GAP Assessment: A GAP assessment evaluates your current logging configuration, policies, and monitoring practices against ISO 27001 audit trail requirements and identifies exactly where you fall short. This gives you a clear picture of scope before you commit resources.
2. Get Your Implementation Roadmap: Based on the GAP assessment, you receive a prioritized plan covering which systems need logging enabled, what SIEM configuration is required, which policies need to be written, and what your realistic timeline to certification looks like.
3. Deploy Controls: This is where the technical work happens. SIEM configuration, clock synchronization, log retention policies, access controls, and GRC automation are all deployed and documented. Policies are written, reviewed, and approved.
4. Achieve and Maintain Compliance: Your auditor coordination begins, evidence is collected, and your certification audit is scheduled. After certification, ongoing log monitoring, quarterly reviews, and annual surveillance audits keep you compliant year over year.
Why Choose BEMO for ISO 27001 Compliance
The challenges covered above are exactly where organizations without dedicated compliance staff tend to stall. BEMO is built to handle those gaps directly.
BEMO is ISO 27001 certified itself, which means the team managing your compliance program has gone through the same process you are facing. That practical experience shapes how they approach log configuration, policy development, and auditor coordination.
Here is what working with BEMO looks like in practice:
- Dedicated team assigned to your account: Customer Success Manager, Project Manager, Delivery Engineer, Security Engineer, SOC Analyst, IT Manager, Support Engineer, and a virtual CISO.
- Microsoft-native security stack: Logging and monitoring are built on Microsoft Sentinel, M365, Entra ID, Intune, and Defender, with centralized SIEM coverage across your environment.
- GRC automation with hands-on management: BEMO uses the Drata platform for compliance tracking, with dedicated engineers who configure and manage it rather than handing it off to you.
- 24/7 SOC coverage: AI reviews 100,000+ monthly logs, with approximately 100 per month human-verified by SOC analysts. This satisfies the ongoing monitoring requirement under Control 8.16.
- Full auditor coordination: BEMO works directly with auditor partners including Sensiba, A-LIGN, and the Johanson Group, managing the evidence collection and remediation process on your behalf.
- 8-month implementation timeline with bi-weekly status meetings and a 72-hour SLA on remediation items.
- Cost advantage: Starting at approximately $4,800 per month versus $84,000 to $132,000 or more per year for a single in-house compliance hire, before accounting for tooling and audit fees.
BEMO is a 2023 Microsoft US Partner of the Year winner, has appeared on the Inc. 5000 list four consecutive years, and was featured by Satya Nadella at the Microsoft Secure 2024 Summit.
You can learn more about BEMO's ISO 27001 compliance service to see how the program is structured.
Ready to Meet ISO 27001 Audit Logging Requirements?
BEMO handles the full implementation, from SIEM configuration and policy development to auditor coordination and ongoing log monitoring, so you do not have to build that capability in-house.
Book a meeting with BEMO to get started with a GAP assessment.
Frequently Asked Questions About ISO 27001 Audit Logging Requirements
What events must be logged under ISO/IEC 27001 audit logging requirements?
Under Control 8.15, you must log user authentication events (logins, logouts, and failures), privilege escalations, access to sensitive systems and data, configuration changes, system errors, and security exceptions. The exact event types depend on your scope and risk assessment, but your logging policy must document which events are captured and why. Auditors will verify that your actual log configuration matches your policy.
What are the ISO 27001 audit trail requirements for log retention?
The standard does not specify a fixed retention period, but your risk assessment and any legal or contractual obligations must drive your retention policy. A common approach is 90 days of immediately accessible logs with 12 months of archival storage. Whatever period you choose, it must be documented, justified, and consistently enforced across all in-scope systems.
How do ISO 27001 logging audit trail requirements differ in the 2022 revision?
The 2022 update to ISO/IEC 27001 reorganized Annex A from 114 controls across 14 domains to 93 controls across four themes. Logging requirements were consolidated and strengthened, with Control 8.15 (Logs), 8.16 (Monitoring Activities), and 8.17 (Clock Synchronization) working together as a connected set. Organizations certified under the 2013 version had until October 2025 to transition to the 2022 standard.
How long does it take to get ISO 27001 certified?
Certification typically takes 6 to 18 months depending on your organization's size, existing security posture, and scope. With a managed compliance partner, the initial implementation timeline is typically around 8 months. Log infrastructure needs to be in place early in the process because auditors will look for evidence of consistent monitoring over time, not just a snapshot at the audit date.
What does an ISO 27001 GAP assessment include for logging?
A GAP assessment for ISO 27001 audit trail logging requirements reviews your current log sources, SIEM configuration, retention settings, access controls, clock synchronization, and existing logging policies. It identifies which systems are not covered, where your documentation falls short, and what technical changes are needed before you can pass a certification audit. The output is a prioritized remediation list tied to specific Annex A controls.
Why should you use a managed compliance partner for ISO 27001 logging requirements?
Meeting ISO 27001 audit logging requirements on your own requires SIEM expertise, compliance documentation skills, ongoing SOC coverage, and auditor coordination. Most small and mid-sized businesses do not have all of those capabilities in-house. A managed partner brings the full team, the tooling, and the audit relationships under one engagement, which reduces both the time to certification and the risk of gaps surfacing during the audit itself.
What team does BEMO assign for ISO 27001 compliance?
BEMO assigns a dedicated multi-role team to each client account. That team includes a Customer Success Manager, Project Manager, Delivery Engineer, Security Engineer, SOC Analyst, IT Manager, Support Engineer, and a virtual CISO. Each role has a defined responsibility in the implementation and ongoing compliance process, so you are not relying on a single point of contact or a self-service platform to manage something as complex as ISO 27001 log management.