Every logged action can be tied back to a specific person.
What it actually means
Logging events is only useful if you can tell who did what. Because every user has a unique account (see 3.5.1) and you're not using shared logins, your audit records carry an individual identity — so an action can be traced to one person, not 'someone on the shared admin account.'
Pass or fail — an assessor needs a "yes" to each
- Logs capture a unique user identity for actions.
- No shared/generic accounts that break attribution.
- You can answer 'who did this?' from the logs.
What to have ready
- Sample audit records showing per-user attribution
- Confirmation that shared accounts are eliminated
Where teams trip up
- Shared admin accounts that make 'who' unanswerable
- Service accounts used interactively by multiple people
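One way to test sample audit records for the gaps above, added here as an illustration and not taken from any assessment tool. The JSON field names, the generic-name list, the `svc-` prefix and the "more than one source host" heuristic for multi-person use are all assumptions to adapt to your own log format.

```python
import json
from collections import defaultdict

# Constructed sample audit records (not from a real system); field names are assumptions.
SAMPLE_LOG = """\
{"ts":"2024-05-01T09:02:11Z","user":"jsmith","logon":"interactive","src":"WS-014","action":"file_read"}
{"ts":"2024-05-01T09:05:40Z","user":"admin","logon":"interactive","src":"WS-022","action":"user_create"}
{"ts":"2024-05-01T09:07:03Z","user":"","logon":"interactive","src":"WS-031","action":"config_change"}
{"ts":"2024-05-01T09:10:00Z","user":"svc-backup","logon":"service","src":"SRV-01","action":"backup_start"}
{"ts":"2024-05-01T10:15:27Z","user":"svc-backup","logon":"interactive","src":"WS-014","action":"file_delete"}
{"ts":"2024-05-01T11:42:09Z","user":"svc-backup","logon":"interactive","src":"WS-022","action":"file_delete"}
"""

GENERIC_NAMES = {"admin", "administrator", "root", "shared", "helpdesk"}  # assumed list
SERVICE_PREFIX = "svc-"  # assumed naming convention for service accounts


def attribution_findings(log_text):
    """Return sorted (account, reason) pairs where 'who did this?' cannot be answered."""
    findings = set()
    interactive_hosts = defaultdict(set)  # service account -> hosts it logged on from
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        rec = json.loads(line)
        user = (rec.get("user") or "").strip().lower()
        if not user:
            # An event with no identity cannot be traced to anyone.
            findings.add((f"<line {line_no}>", "record has no user identity"))
            continue
        if user in GENERIC_NAMES:
            findings.add((user, "shared/generic account"))
        if user.startswith(SERVICE_PREFIX) and rec.get("logon") == "interactive":
            interactive_hosts[user].add(rec.get("src"))
    # Heuristic: interactive use from several workstations suggests several people.
    for user, hosts in interactive_hosts.items():
        if len(hosts) > 1:
            findings.add((user, f"service account used interactively from {len(hosts)} hosts"))
    return sorted(findings)


if __name__ == "__main__":
    for account, reason in attribution_findings(SAMPLE_LOG):
        print(f"{account}: {reason}")
```

An empty result on a representative log sample supports the "yes" answers above; any finding names the account to retire or restrict.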