ISO 27001 Logging Requirements for SaaS Companies
What Does ISO 27001 Require for Logging?
ISO 27001:2022 addresses logging requirements primarily through Annex A controls in the A.8 (Technology) category. The key control is A.8.15 — Logging, which states: "Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed." This single control encompasses event logging, log protection, and administrator monitoring — areas that were split across A.12.4.1 through A.12.4.3 in the 2013 version.
Additionally, A.8.17 — Clock synchronization requires that all relevant system clocks be synchronized to an approved time source. For SaaS companies handling customer data, both controls are almost always in scope per the Statement of Applicability.
What Events Must Be Logged Under A.8.15?
The standard specifies that logs should capture user activities, exceptions, faults, and information security events. For SaaS applications, this translates to:
- User activities — authentication (login/logout, MFA), authorization decisions, data access (reads of sensitive resources), data modification (creates, updates, deletes), configuration changes
- Exceptions — access denials, failed authentication attempts, policy violations, rate limit triggers, input validation failures
- Faults — system errors, service failures, database connection issues, integration timeouts, queue processing failures
- Security events — firewall alerts, intrusion detection triggers, certificate warnings, unusual access patterns, bulk data exports
Each log entry should contain enough context for investigation: event type, timestamp (UTC), user or system identity, source (IP address, device), affected resource, and outcome (success or failure). AuditKit's structured schema — actor, action, target, timestamp, metadata — maps directly to these requirements.
How Must Logs Be Protected Against Tampering?
A.8.15 requires protection against both unauthorized access and tampering. This is a distinct requirement because access controls alone are insufficient — a privileged insider or compromised service account with database access can modify records even with proper access controls in place.
ISO 27001 auditors evaluate three protection layers:
- Access control — logs should be readable only by authorized personnel. Regular application users should access audit data through a scoped viewer, not direct database access. Implement role-based access with the principle of least privilege.
- Integrity protection — logs must be protected against modification. Hash chaining (where each event's hash depends on the previous event) provides cryptographic tamper-evidence. If any record is altered, the chain breaks and verification fails immediately.
- Deletion protection — logs must be protected against premature deletion. Revoke DELETE permissions at the database level, remove delete endpoints from the API, and implement retention enforcement that blocks manual deletion within the retention window.
AuditKit addresses all three: tenant-scoped access control, SHA-256 hash chaining for tamper-evidence, and retention policies that prevent deletion within configured windows.
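The hash chaining described above, as an added illustration that is not AuditKit's code (the record layout, the GENESIS anchor and the sample events are constructed here): it shows why an intact chain verifies, why an edited or deleted record breaks it, and why the latest hash must also be anchored outside the log store, since a writer who can re-hash the whole chain defeats verification otherwise.

```python
import hashlib
import json

GENESIS = "0" * 64  # fixed anchor for the first record

def event_hash(prev_hash: str, seq: int, event: dict) -> str:
    # Canonical JSON so an event always hashes identically; binding prev_hash makes editing an
    # earlier record invalidate every later hash, binding seq exposes a removed record as a gap.
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + str(seq).encode() + body).hexdigest()

def build_chain(events):
    # Append-only write path: stores seq, prev_hash and hash alongside each event.
    records, prev = [], GENESIS
    for seq, ev in enumerate(events, start=1):
        h = event_hash(prev, seq, ev)
        records.append({"seq": seq, "prev_hash": prev, "hash": h, "event": ev})
        prev = h
    return records

def verify_chain(records, head_hash=None):
    """Recompute every hash; return (True, None) or (False, seq of the first bad record).
    head_hash is the latest hash kept outside the log store (constructed anchor here)."""
    prev, expected_seq = GENESIS, 1
    for rec in records:
        if (rec["seq"] != expected_seq or rec["prev_hash"] != prev
                or event_hash(prev, rec["seq"], rec["event"]) != rec["hash"]):
            return False, rec["seq"]  # sequence gap, relinked chain, or modified body/hash
        prev, expected_seq = rec["hash"], expected_seq + 1
    if head_hash is not None and prev != head_hash:
        return False, expected_seq - 1  # tail truncated or chain rewritten wholesale
    return True, None

# Constructed sample events in the actor/action/target/timestamp/metadata shape.
SAMPLE_EVENTS = [
    {"actor": "user:alice", "action": "login", "target": "auth", "timestamp": "2024-01-01T14:00:00Z", "metadata": {"mfa": True}},
    {"actor": "admin:bob", "action": "role.grant", "target": "user:carol", "timestamp": "2024-01-01T14:00:01Z", "metadata": {"role": "owner"}},
    {"actor": "user:carol", "action": "export", "target": "customers.csv", "timestamp": "2024-01-01T14:05:00Z", "metadata": {"rows": 12000}},
]

def demo():
    chain = build_chain(SAMPLE_EVENTS)
    head = chain[-1]["hash"]  # in production, publish this out-of-band (e.g. daily)
    tampered = json.loads(json.dumps(chain))
    tampered[1]["event"]["actor"] = "user:alice"  # insider rewrites who granted the role
    deleted = [chain[0], chain[2]]  # middle record removed, stored hashes left as-is
    rewritten = build_chain([SAMPLE_EVENTS[0], SAMPLE_EVENTS[2]])  # deleted, then re-hashed
    return {"intact": verify_chain(chain, head), "tampered": verify_chain(tampered, head),
            "deleted": verify_chain(deleted, head), "rewritten_unanchored": verify_chain(rewritten),
            "rewritten_anchored": verify_chain(rewritten, head)}
```

The `rewritten_unanchored` case verifies cleanly, which is why revoking DELETE permissions and hash chaining alone are not enough: the chain head has to be anchored somewhere the log writer cannot change.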
Why Does ISO 27001 Single Out Administrator Activity Logging?
A.8.15 specifically requires that system administrator and operator activities be logged and regularly reviewed. This reflects a fundamental principle: privileged users pose the highest insider threat risk because they can bypass normal controls.
For SaaS companies, "administrators" includes DevOps engineers with production database access, support agents with customer data access, system administrators managing infrastructure, and automated service accounts with elevated privileges. Your audit trail must capture these privileged actions separately and generate regular review reports.
Auditors ask for evidence of review: who reviewed admin logs, when, and what was the outcome? A common implementation: weekly automated report of admin actions flagging anomalies, reviewed by the security team with documented sign-off. AuditKit supports this through filtered exports and anomaly detection that can be configured to flag administrative actions for review.
How Does Clock Synchronization (A.8.17) Affect Audit Logs?
Clock synchronization seems trivial but has real implications for audit log integrity. If system clocks are out of sync, the chronological order of events becomes unreliable. An action logged at 14:00:00 on one system may have actually occurred after an action logged at 14:00:01 on another system. This makes cross-service incident investigation unreliable and can undermine the evidentiary value of your audit trail.
For cloud-hosted SaaS, this is largely handled by your cloud provider — AWS, GCP, and Azure all synchronize VM clocks to authoritative NTP sources. However, verify that your application servers, database servers, and any on-premise components all use the same time source. AuditKit timestamps events server-side using UTC, ensuring consistency regardless of client timezone or clock state.
How Long Should You Retain Logs for ISO 27001?
ISO 27001 does not specify a minimum retention period. A.8.15 requires retention "for an agreed period to assist in future investigations." Your ISMS policy defines the specific period, and auditors verify you follow it.
Common retention periods for ISO 27001-certified SaaS:
| Context | Typical Retention | Rationale |
|---|---|---|
| Standard SaaS | 12 months | Minimum for incident investigation and trend analysis |
| Also pursuing SOC 2 | 15-24 months | Covers SOC 2 observation window plus buffer |
| Regulated industry | 36-84 months | Sector-specific requirements (HIPAA, PCI DSS, SOX) layered on ISO 27001 |
The key: whatever period you define in your ISMS, enforce it consistently. Both under-retention (logs missing from the stated period) and over-retention (keeping data beyond the stated period without justification) can be audit findings.
ISO 27001 Audit Logging Checklist for SaaS
- Log all user activities, exceptions, faults, and security events per A.8.15
- Include actor identity, timestamp (UTC), source, affected resource, and outcome in each event
- Protect logs against unauthorized access with role-based controls
- Implement tamper-evidence (hash chaining) to detect log modification
- Prevent premature log deletion within the retention window
- Separately log and regularly review administrator and operator activities
- Synchronize all system clocks to an authoritative NTP source per A.8.17
- Define and enforce a log retention period in your ISMS policy
- Implement automated alerting for anomalous events and admin activities
- Document your logging architecture in your ISMS documentation
- Conduct periodic reviews of log coverage to identify gaps
- Ensure log backup and disaster recovery capabilities
Key Takeaways
- ISO 27001 A.8.15 requires logging user activities, exceptions, faults, and security events — plus protecting those logs against tampering and unauthorized access.
- Administrator activities must be separately logged and regularly reviewed with documented sign-off.
- Hash chaining provides the tamper-evidence guarantee that log protection requires.
- Clock synchronization (A.8.17) is essential for event correlation and investigation reliability.
- Define your retention period in your ISMS policy and enforce it — both under-retention and over-retention are findings.
- For SaaS companies, all four logging controls are almost always in scope per the Statement of Applicability.