Regarding ISO 27002 and application of control A.9.4.4, in my opinion the control wants to have control over the activity of SysAdmins when they use privileged applications or tools. The auditee thinks that it is enough to know which users log in and log out. I think I am right, but I want others' opinions in order to open the auditee's mind. What is your opinion?
Answer: According to ISO 27002, one of the recommendations for control 9.4.4 (Use of privileged utility programs) is the logging of all use of utility programs, and there is no recommendation for only logging log in and log out activities in that control (such a recommendation belongs to control A.12.4.1 - Event logging).
Regarding orientations to the auditee, this will depend on how you are using the ISO 27001 and ISO 27002 standards. ISO 27001 covers requirements for information security management systems, one of them being the performing of risk assessments. ISO 27002 covers recommendations for the implementation of controls defined in ISO 27001 Annex A. So, if you want to follow ISO 27002 completely then you would need to log the activities. However, if you follow ISO 27001 then you need to check the results of the risk assessment, and based on those results decide whether logging the activities is necessary or not.
Additionally, you can point out to the auditee that his interpretation about what should be logged refers to another control, and that during a periodic review, or in case of an incident, the recommendations of control A.9.4.4 can be more helpful, because with information about which activities were performed it will be easier to discover unauthorized use or what happened in case of an incident, reducing the response time to take proper corrective and recovery measures.
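As an added example, not part of the question or the answer above, the following Python script makes the difference between the two controls concrete. It parses a handful of constructed syslog lines (sshd session open/close events and sudo command records, in the format those programs emit; the hostnames, users and commands are invented for the example) and builds two views: the login/logout-only view the auditee proposes, and the per-utility view that control A.9.4.4 calls for. It then runs the kind of periodic-review check the answer mentions, listing privileged utility uses that are not on an approved list. The allowlist and the review function are assumptions for the example, not something the standard prescribes.

```python
"""Contrast login/logout-only logging (A.12.4.1) with logging each use of a
privileged utility program (A.9.4.4), over constructed sample log lines."""
import os
import re
from collections import defaultdict

# Constructed sample syslog lines (not captured from a real system): sshd
# session open/close events and sudo records of commands run with privilege.
SAMPLE_LOG = """\
Mar 10 09:01:12 host1 sshd[2101]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Mar 10 09:01:12 host1 sshd[2101]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar 10 09:03:40 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 10 09:05:02 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/tcpdump -i eth0
Mar 10 09:07:55 host1 sshd[2101]: pam_unix(sshd:session): session closed for user alice
Mar 10 10:15:00 host1 sshd[2310]: pam_unix(sshd:session): session opened for user bob by (uid=0)
Mar 10 10:16:30 host1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/journalctl -u nginx
Mar 10 10:20:11 host1 sshd[2310]: pam_unix(sshd:session): session closed for user bob
"""

SESSION_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"pam_unix\(sshd:session\): session (?P<event>opened|closed) for user (?P<user>\S+)"
)
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sudo:\s+(?P<user>\S+) : .*?"
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)


def parse_log(text):
    """Turn raw lines into event dicts; lines matching neither pattern are ignored."""
    events = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            events.append({"kind": "session", **m.groupdict()})
            continue
        m = SUDO_RE.match(line)
        if m:
            events.append({"kind": "sudo", **m.groupdict()})
    return events


def login_logout_view(events):
    """What you get when only log in / log out is recorded: per-user session
    intervals, with no record of what was done inside each session."""
    open_at = {}
    sessions = defaultdict(list)
    for ev in events:
        if ev["kind"] != "session":
            continue
        if ev["event"] == "opened":
            open_at[ev["user"]] = ev["ts"]
        else:
            sessions[ev["user"]].append((open_at.pop(ev["user"], None), ev["ts"]))
    return dict(sessions)


def privileged_utility_view(events):
    """What A.9.4.4-style logging adds: which privileged utility each user ran,
    as which target account, and when."""
    uses = defaultdict(list)
    for ev in events:
        if ev["kind"] == "sudo":
            utility = os.path.basename(ev["cmd"].split()[0])
            uses[ev["user"]].append((ev["ts"], utility, ev["target"]))
    return dict(uses)


def review_against_allowlist(events, allowlist):
    """Periodic-review check (assumed for this example): privileged utility uses
    not on the approved list. Only possible when individual uses are logged."""
    findings = []
    for user, uses in privileged_utility_view(events).items():
        for ts, utility, target in uses:
            if utility not in allowlist:
                findings.append({"user": user, "utility": utility, "run_as": target, "ts": ts})
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("Login/logout only:", login_logout_view(evs))
    print("Privileged utility use:", privileged_utility_view(evs))
    print("Not on allowlist:", review_against_allowlist(evs, {"systemctl", "journalctl"}))
```

Run as a script, the first view shows only that alice and bob each had one session; the second view shows that alice used systemctl and tcpdump as root and bob used journalctl; the review lists the tcpdump use, which the login/logout records alone could never surface.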