"We have a SIEM" is not an audit argument. Certification bodies ask: which sources are collected, how long they are retained, who monitors them, which alerts are followed up and how that follow-up links to incidents.
Minimum set for ISO 27001
- authentication (IdP, VPN, admin);
- authorisation changes and privileged access;
- critical systems and network (firewall, WAF, cloud audit logs);
- backup/restore and change management where relevant.
Retention and review
Define retention periods and show that logs are retrievable for sample periods. Review alert rules quarterly. For more detail, see the logging/monitoring and evidence pages.
Auditors in 2026 sample privileged access logs: who changed admin rights, was the change approved via the change process, and how fast was anomalous behaviour alerted? Without that chain, logging looks decorative.
Aggregating logs in a SIEM hosted outside the EU touches data sovereignty and GDPR: document the region, subprocessors and encryption in the vendor register and the SoA. Enterprise customers and supervisors ask about this explicitly.
False positives and alert fatigue are audit themes: show the quarterly rule review and that critical alerts have a documented response, including who is on-call and within what SLA tickets are opened.
From log source to audit sample
Start with an overview of log sources per system: which source delivers which event, who maintains the connector and what the fallback is if the source fails. Auditors pick one critical system and follow the chain from source to SIEM or central storage. Gaps in that chain cause findings more often than a small licence does.
Record in the control plan who is responsible for monitoring outside office hours. On-call without a documented SLA is often judged insufficient at surveillance audits. Link alert handling to tickets so that, for the sample period, you can show the chain alert → ticket → action → closure.
Cloud audit logs (Microsoft 365, AWS, Azure) belong in the same retention and review cycle as on-prem firewalls. Many organisations forget SaaS sources in the SoA, even though most identity and data access happens there.
Test annually whether you can export logs within the time your incident process requires. A logging restore drill is as useful as a backup restore drill.
For surveillance, prepare a sample pack: one week of logs per source with an explanation of who was on-call. Auditors value preparation over perfect tooling. Also document the logs you deliberately do not centralise, with the risk rationale in the SoA.
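As an added illustration (not from the article), this script runs the auditor's own check over a constructed sample pack: every alert must link to a ticket opened within the on-call SLA, with a documented action and a closure, and every inventoried log source should show activity in the sample week. The record layout, the 30-minute SLA and all timestamps are assumptions for the example.

```python
"""Evidence-chain check for a constructed audit sample pack (illustrative data only)."""
from datetime import datetime, timedelta

# Constructed sample records for one week; fields are assumptions for this example.
ALERTS = [
    {"id": "A-1", "source": "idp", "severity": "critical", "raised": "2026-03-02T01:10:00", "ticket": "T-10"},
    {"id": "A-2", "source": "firewall", "severity": "critical", "raised": "2026-03-03T14:00:00", "ticket": "T-11"},
    {"id": "A-3", "source": "m365", "severity": "critical", "raised": "2026-03-04T22:30:00", "ticket": None},
    {"id": "A-4", "source": "waf", "severity": "low", "raised": "2026-03-05T09:00:00", "ticket": "T-12"},
]
TICKETS = {
    "T-10": {"opened": "2026-03-02T01:25:00", "action": "disabled account, reset MFA", "closed": "2026-03-02T03:00:00", "oncall": "alice"},
    "T-11": {"opened": "2026-03-03T16:30:00", "action": "blocked source IP", "closed": "2026-03-03T17:00:00", "oncall": "bob"},
    "T-12": {"opened": "2026-03-05T09:05:00", "action": None, "closed": None, "oncall": "alice"},
}
# Constructed log-source inventory: source -> connector owner (the overview the article asks for).
LOG_SOURCES = {"idp": "iam-team", "firewall": "netops", "waf": "netops", "m365": "iam-team", "aws-cloudtrail": "cloud-team"}
CRITICAL_SLA = timedelta(minutes=30)  # assumed SLA for opening a ticket on a critical alert


def _ts(value):
    return datetime.fromisoformat(value)


def check_chain(alerts, tickets, sla=CRITICAL_SLA):
    """Return (alert_id, finding) for every break in alert -> ticket -> action -> closure."""
    findings = []
    for alert in alerts:
        ticket = tickets.get(alert["ticket"]) if alert["ticket"] else None
        if ticket is None:
            findings.append((alert["id"], "no ticket linked"))
            continue
        if not ticket.get("oncall"):
            findings.append((alert["id"], "no on-call owner recorded"))
        delay = _ts(ticket["opened"]) - _ts(alert["raised"])
        if alert["severity"] == "critical" and delay > sla:
            findings.append((alert["id"], f"ticket opened after SLA ({delay})"))
        if not ticket.get("action"):
            findings.append((alert["id"], "no documented action"))
        if not ticket.get("closed"):
            findings.append((alert["id"], "ticket not closed"))
    return findings


def sources_without_alerts(inventory, alerts):
    """Inventoried sources that raised nothing in the sample week: check the connector before the auditor does."""
    seen = {alert["source"] for alert in alerts}
    return sorted(source for source in inventory if source not in seen)


if __name__ == "__main__":
    for alert_id, finding in check_chain(ALERTS, TICKETS):
        print(f"{alert_id}: {finding}")
    print("silent sources:", sources_without_alerts(LOG_SOURCES, ALERTS))
```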
Note: this article is educational and does not replace legal, privacy or audit advice for your specific situation.
