You actually review and connect log data to spot suspicious activity.
What it actually means
Collecting logs isn't enough — you have to use them. This control wants a process that brings records together (ideally a SIEM), reviews and correlates them, and surfaces suspicious activity for investigation. It's a 5-pointer because logs nobody looks at protect nobody.
Pass or fail — an assessor needs a "yes" to each
- Logs from across the scope are correlated (e.g., in a SIEM).
- There's a defined review/analysis process, not just storage.
- Suspicious activity is surfaced and investigated.
What to have ready
- SIEM correlation rules / dashboards
- Review cadence + sample investigation notes
- Roles responsible for review
Where teams trip up
- Logs collected but never reviewed
- No correlation across systems — each log read in isolation
- No process to act on what's found
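The pitfall in the last bullet above, reading each log in isolation, illustrated with an added example that is not part of this page: a small Python correlation rule that joins a VPN gateway's session log with the authentication server's logon records by user and time, and only raises an item for investigation when the two sources together show a fresh remote session followed by a burst of failed logons and then a success. The log formats, hostnames, addresses and thresholds are all constructed for the demo.

```python
"""Added example: join VPN-gateway sessions with auth-server records by user
and time.  Formats, hosts, addresses and thresholds are constructed."""
import re
from datetime import datetime, timedelta

FAIL_THRESHOLD = 3             # failed logons that count as a burst
WINDOW = timedelta(minutes=5)  # how long after a VPN connect we keep looking

VPN_LOG = """\
2024-05-01T08:59:50Z vpn gw=vpn1 user=jsmith action=connect remote=203.0.113.7
2024-05-01T09:02:40Z vpn gw=vpn1 user=amartin action=connect remote=198.51.100.4
"""
AUTH_LOG = """\
2024-05-01T09:00:05Z auth host=dc01 user=jsmith result=FAIL
2024-05-01T09:00:09Z auth host=dc01 user=jsmith result=FAIL
2024-05-01T09:00:14Z auth host=dc01 user=jsmith result=FAIL
2024-05-01T09:01:02Z auth host=dc01 user=jsmith result=OK
2024-05-01T09:03:00Z auth host=dc01 user=amartin result=FAIL
2024-05-01T09:03:30Z auth host=dc01 user=amartin result=OK
"""
KV = re.compile(r"(\w+)=(\S+)")

def parse(text):
    """'timestamp source k=v ...' lines -> list of dicts sorted by time."""
    events = []
    for line in text.splitlines():
        ts, _source, rest = line.split(" ", 2)
        events.append(dict(KV.findall(rest),
                           ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")))
    return sorted(events, key=lambda e: e["ts"])

def correlate(vpn_text=VPN_LOG, auth_text=AUTH_LOG):
    """{user: evidence} when a VPN connect is followed within WINDOW by >= FAIL_THRESHOLD fails then a success."""
    auth, alerts = parse(auth_text), {}
    for s in parse(vpn_text):
        if s.get("action") != "connect":
            continue
        start, fails = s["ts"], 0
        for ev in auth:
            if ev["user"] != s["user"] or not start <= ev["ts"] <= start + WINDOW:
                continue
            if ev["result"] == "FAIL":
                fails += 1
            elif fails >= FAIL_THRESHOLD:  # success right after the burst
                alerts[s["user"]] = {"remote": s["remote"], "failures": fails,
                                     "vpn_connect": start, "logon": ev["ts"]}
                break
            else:
                fails = 0                  # success before a burst: reset
    return alerts
```

Run on its own, the VPN log shows two ordinary connects and the auth log shows two users who eventually logged in; only the join flags jsmith, while amartin's single typo stays below the threshold.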