ISO 27002 and application of control A.9.4.4
Answer: According to ISO 27002, one of the recommendations for control 9.4.4 (Use of privileged utility programs) is the logging of all use of utility programs, and there is no recommendation for only logging log-in and log-out activities in that control (such a recommendation belongs to control A.12.4.1 - Event logging).
Regarding orientations to the auditee, this will depend on how you are using the ISO 27001 and ISO 27002 standards. ISO 27001 covers requirements for information security management systems, one of them being the performing of risk assessments. ISO 27002 covers recommendations for the implementation of controls defined in ISO 27001 Annex A. So, if you want to follow ISO 27002 completely then you would need to log the activities. However, if you follow ISO 27001 then you need to check the results of the risk assessment, and based on those results decide whether logging the activities is necessary or not.
Additionally, you can point out to the auditee that his interpretation about what should be logged refers to another control, and that during a periodic review, or in case of an incident, the recommendations of control A.9.4.4 can be more helpful, because with information about which activities were performed it will be easier to discover unauthorized use or what happened in case of an incident, reducing the response time to take proper corrective and recovery measures.
These articles will provide you further explanation about logging and monitoring:
- Logging and monitoring according to ISO 27001 A.12.4 https://advisera.com/27001academy/logging-according-to-iso-27001/
These materials will also help you regarding logging and monitoring:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Jun 20, 2017