The Graylog blog

Using Centralized Log Management for ISO 27000 and ISO 27001

As you’re settling in with your Monday morning coffee, your email pings. The subject line reads, “Documentation Request.” With the internal sigh that only happens on a Monday morning when compliance is about to change your entire to-do list, you remember it’s that time of the year again. You need to pull together the documentation for your external auditor as part of your annual ISO 27000 and ISO 27001 audit. The good news is that centralized log management helps you meet many of the ISO 27000 and ISO 27001 requirements.

WHAT ARE ISO 27000 AND ISO 27001?

The International Organizations for Standardization (ISO)  is an internationally recognized non-profit that sets standards across technology and manufacturing. Its two primary information security standards are ISO 27000:2018 and ISO 27001:2013.

WHAT IS ISO 27000:2018?

ISO 27000 is the set of fundamental principles and objectives for your security program. These include:

  • Information security awareness
  • Responsibility assignment
  • Management commitment
  • Societal value enhancement
  • Risk assessment and risk tolerance review
  • Incorporating security as essential to networks and systems
  • Active security incident detection and prevention
  • Comprehensive approach to information security management

WHAT IS ISO 27001:2013?

ISO 27001 gives you the set of practices, including policies and procedures, for establishing an Information Security Management System (ISMS) that includes the following:

  • Establishment
  • Implementation
  • Operation
  • Monitoring
  • Review
  • Improvement


The use of the word “system” in the ISO 27001 ISMS may include having technologies, but it’s really about creating repeatable steps for:

  • Understanding risk
  • Establishing a risk tolerance
  • Setting technical controls
  • Monitoring controls’ effectiveness
  • Responding to incidents
  • Communicating across the organization

Basically, without the written policies and repeatable processes in ISO 27001, you won’t be able to prove that you’ve achieved the desired data security outcomes in ISO 27000.


Your organization might choose ISO as its compliance standard for many reasons. Often, these reasons are based on business objectives like industry or customer requirements.

On the other hand, ISO is a valuable standard to follow from an IT and security perspective. Some reasons to consider ISO compliance include:

  • Global recognition: The “I” in “ISO” is for international recognition, and it’s a standard that you can use to provide assurance across multiple geographic regions.
  • Risk-based approach: No two organizations are the same, and ISO takes a risk-based approach that allows flexibility.
  • Regulatory compliance: ISO is a standard with no fines or penalties, but many regulations follow ISO best practices.


Yes, ISO 27000-series can help you meet critical regulatory compliance standards. Is it a complete program? Not always, but it does help you set the baselines. Once you set controls for ISO 27000-series, you can map those to several different regulations.

For example, the ISO 27000-series can help you comply with:

  • General Data Protection Regulation (GDPR)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Sarbanes-Oxley Act (SOX)


ISO compliance isn’t easy. IS0 27001 hasn’t been updated since 2013. This means that there are a lot of new technologies that you’re using that may not be specifically mentioned, like cloud-based resources.

ISO references both “audit logs.” This makes sense. After all, audit logs and event logs consist of the pieces of data that every user and technology generates when an action occurs. Log data and log files give you the real-time visibility and documentation needed to detect, investigate, and respond to a security event.

Specifically, ISO references “audit logs” in the following requirements:

  • 9.4.5 Access control to program source code subpart (f): all access to program source libraries should be tracked with an audit log
  • 12.1.2 Change management: when changes are made, an audit log containing all relevant information about changes should be retained
  • 12.4.2 Protection of log informationArchiving of audit logs is part of the retention policy or for collecting and retaining evidence
  • 12.4.4 Clock synchronisation: computer clocks need to be set to make sure audit logs for investigations or as evidence are accurate
  • 12.5.1: Installation of software on operational systems: all updates to operational program libraries should be tracked with an audit log
  • 12.6.1 Management of technical vulnerabilities: an audit log should be kept for all activities and procedures around monitoring for, identifying, and mitigating technical vulnerabilities

ISO 27001 contains 18 categories of controls with 114 controls overall. In other words, pretty often, ISO 27001 is saying, “tell me you need log management without telling me you need log management.”


A key technical control for mitigating risk is restricting user access to resources. However, you can’t do this manually with all the different connected technologies you have. This is even more difficult when you’re looking to manage privileged access, also mentioned in ISO 27001.

Centralized log management gives you a way to track and monitor user activities. This gives you the documentation needed to prove that you have the controls in place and that they’re working.


Centralized log management ISO Compliance Access Control



At first glance, this one may not seem to be related to centralized log management. However, when you stop and think about how you secure offices, rooms, and facilities, it makes more sense. You’re probably using card access instead of old-fashioned metal keys, especially for employees.

Centralized log management can help you track who physically accesses locations.

Centralized log management ISO compliance high-fidelity alerts


Under this control, you need to detect, report, investigate, and respond to threats in your environment. With complex environments, this can feel overwhelming. In fact, alert fatigue is really real. The high volumes of logs generated across on-premises, multi-cloud, and hybrid environments create too many false positives for most security teams.

On the other hand, centralized log management makes this process easier. Since a log analysis solution collects, aggregates, correlates, and analyzes all actions in the environment, you can set high-fidelity alerts.  With a logging system, you get better detection and response capabilities and forensic analysis functionality.


centralize log management event definition edit

Further, you can quickly investigate these alerts while documenting your processes.

centralized log management ISO compliance incident response


Ahh, and this is what brought you to where you are today. The information security reviews – or in normal people’s terms, “audits” – mean that managers need to review compliance within their area of responsibility.

In other words, documentation.

Centralized log management helps with this as well. With the right solution, you can create dashboards that give the information people need in the way they need it. This means using things like graphs and charts.

Even better for you? You can schedule reports and forward them to those who need the information.



Graylog for ISO Compliance

Graylog gives you the centralized log management solution that helps you get compliant – and stay that way. We make it easy to visualize and explore data so that you can meet the technical requirements of ISO 27001 for audit logging. You can flag people and/or assets based on compliance requirements to not spend as much time on reporting.

Get the Monthly Tech Blog Roundup

Subscribe to the latest in log management, security, and all things Graylog Blog delivered to your inbox once a month.