Why logging is your detection backbone
You cannot detect, investigate or prove an incident without logs. A logging and monitoring policy defines what events are recorded, how logs are protected and retained, and how anomalies are detected and escalated — the foundation of the NIST CSF Detect function.
What to include
- Scope — which systems, applications and security events are logged (authentication, access changes, admin actions, failures).
- What to capture — enough context to investigate (who, what, when, where), without logging secrets or excessive personal data.
- Centralisation — ship logs promptly to a central, tamper-resistant store (append-only or write-once, administered separately from the systems that produce the logs, so a compromised host cannot rewrite its own history).
- Retention — how long logs are kept, balancing investigation needs, cost and GDPR data-minimisation.
- Protection — access controls and integrity of the logs themselves.
- Monitoring and alerting — what triggers an alert and who responds.
- Time synchronisation — clocks synced to a trusted source (for example NTP) and timestamps recorded with an explicit timezone, normally UTC, so events correlate across systems.
Common mistakes
- Logging everything but making none of it usable (no central store, no alerting, nobody reviewing).
- Logging secrets or excessive personal data, creating a new risk.
- Unsynchronised clocks, making correlation impossible.
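The two lists above make three technical points that are easiest to see in code: capture who/what/when/where with timezone-aware timestamps, never write secrets into the record, and have something actually read the central store and raise an alert. The block below is an added example, not code from the original page or from any product it describes. It assumes a hypothetical set of secret field names and a hypothetical alert rule (five failed logins from one source within 60 seconds); the events it processes are constructed for the example, not real logs.

```python
"""Structured audit events with secret redaction, plus a burst detector that
would run over the central log store. Added example; not the page's own code."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Hypothetical list of field names that must never reach the log store.
SECRET_FIELDS = {"password", "token", "authorization", "secret", "api_key"}


def audit_event(actor, action, outcome, source_ip, resource, ts=None, **extra):
    """Return one JSON-serialisable record: who, what, when, where.

    Timestamps must be timezone-aware; they are normalised to UTC so records
    from different hosts correlate. Any extra field whose name is in
    SECRET_FIELDS is redacted rather than dropped, so investigators can still
    see that the field was present.
    """
    ts = ts or datetime.now(timezone.utc)
    if ts.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware (use UTC)")
    record = {
        "ts": ts.astimezone(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "outcome": outcome,
        "source_ip": source_ip,
        "resource": resource,
    }
    for key, value in extra.items():
        record[key] = "[REDACTED]" if key.lower() in SECRET_FIELDS else value
    return record


class FailedAuthDetector:
    """Alert when one source_ip produces >= threshold failed logins within window_s seconds.

    Hypothetical rule chosen for the example; a real policy names its own triggers.
    """

    def __init__(self, threshold=5, window_s=60):
        self.threshold = threshold
        self.window_s = window_s
        self._failures = defaultdict(deque)  # source_ip -> timestamps in window

    def observe(self, record):
        """Feed one parsed record; return an alert dict or None."""
        if record.get("action") != "login" or record.get("outcome") != "failure":
            return None
        t = datetime.fromisoformat(record["ts"])
        window = self._failures[record["source_ip"]]
        window.append(t)
        # Drop failures that fell out of the sliding window.
        while window and (t - window[0]).total_seconds() > self.window_s:
            window.popleft()
        if len(window) >= self.threshold:
            return {
                "alert": "failed_login_burst",
                "source_ip": record["source_ip"],
                "count": len(window),
                "window_s": self.window_s,
                "last_seen": record["ts"],
            }
        return None


def build_sample_events():
    """Constructed sample events (not real logs): six failures from one source
    five seconds apart, then one unrelated success."""
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    events = [
        audit_event("alice", "login", "failure", "198.51.100.7", "/login",
                    ts=base + timedelta(seconds=5 * i), password="hunter2")
        for i in range(6)
    ]
    events.append(audit_event("bob", "login", "success", "203.0.113.9", "/login",
                              ts=base + timedelta(seconds=40)))
    return events


def run_sample(threshold=5, window_s=60):
    """Serialise each event as it would be shipped, parse it back as the
    central store would, and return the alerts the detector raised."""
    detector = FailedAuthDetector(threshold, window_s)
    alerts = []
    for record in build_sample_events():
        line = json.dumps(record)          # one line per event to the central store
        alert = detector.observe(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for event in build_sample_events():
        print(json.dumps(event))
    for alert in run_sample():
        print("ALERT", json.dumps(alert))
```

Two design points worth noting. Redaction is done by field name at the point the record is built, not by scanning the central store afterwards, because by then the secret has already been written and replicated. The detector keys on `source_ip` and a sliding window rather than on a daily count, so the same rule fires on a fast credential-stuffing burst and stays quiet on a user who mistypes a password twice a week.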
Framework alignment
Maps to ISO 27001:2022 Annex A 8.15 (logging), 8.16 (monitoring activities) and 8.17 (clock synchronisation), the SOC 2 Trust Services Criteria on system operations and anomaly detection (CC7), and the NIST CSF Detect function, in particular Continuous Monitoring (DE.CM).
Generate it in minutes
See a sample logging & monitoring policy or generate yours free.