ISO Log Retention
Just wanted to know whether there has been any log retention defined in ISO for storing system logs in terms of number of days/years. Like in PCI-DSS, there's a requirement to store the logs for 1 year. Can you please confirm if there's anything as such from an ISO perspective?
ISO 27001 does not prescribe keeping maintenance logs.
For ISO 27001, the need to keep logs is defined by the results of risk assessment and applicable legal requirements, and also by the need to prove to auditors that security processes are being performed. These are the elements that will help you define which information must be logged, as well as for how long.
These articles will provide you with further explanation about logging:
- Logging and monitoring according to ISO 27001 A.12.4 https://advisera.com/27001academy/logging-according-to-iso-27001/
- Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
This material will also help you regarding logging:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
Aug 04, 2020