Control attributes: Technological | Detective | Detect

A.8.15 Logging

M365 Admin Path: Microsoft Purview compliance portal > Audit; Microsoft Entra admin center > Monitoring > Sign-in logs; Microsoft Defender for Cloud Apps portal

Evidence Source: Microsoft Graph - Audit Logs

What is this control?

ISO 27001 control A.8.15 Logging records security events and generates evidence for investigations by establishing a centralised, unified logging solution that collects, protects, and analyses log data from all critical assets across the hybrid cloud. The control replaces fragmented, unprotected, locally stored logs with secure, cloud-native SIEM infrastructure. All logs are streamed to a central, write-protected Log Analytics Workspace with a minimum retention of 12 months.

How to implement in Microsoft 365

Implement A.8.15 by establishing a central Log Analytics Workspace as the single source of truth for all log data. Configure Data Connectors in Microsoft Sentinel to ingest: Identity logs from Microsoft Entra sign-in and audit logs, including PIM activations; Platform logs from the Microsoft Purview Unified Audit Log; Endpoint logs from Microsoft Defender for Endpoint; Infrastructure logs from Microsoft Defender for Cloud; and Network logs from Microsoft Defender for Cloud Apps. Stream all logs to the Log Analytics Workspace by configuring diagnostic settings on each source.

Configure Azure RBAC on the Log Analytics Workspace to restrict access to the Security Operations team only. Configure a minimum retention of 12 months.

What an auditor looks for

Auditors will verify that the Unified Audit Log is accessible via API, with event categories covering all M365 workloads. They will check that sign-in logs are available and accessible (this requires Entra ID Premium P1 or P2). Auditors will verify that directory audit events are actively being logged and are accessible.

They will check that the Log Analytics Workspace is configured with 12-month retention. Auditors will verify that Azure RBAC is configured on the Log Analytics Workspace to restrict access. They will check that diagnostic settings are configured to export logs to the central workspace.
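The implementation steps above and the auditor checks they feed can be tested mechanically against exported evidence. The following Python is an added example, not part of this page or of any Microsoft tooling: it evaluates constructed JSON shaped like the Azure CLI output for the workspace, its role assignments and the Entra diagnostic setting against the 12-month retention, SecOps-only RBAC and required log category checks named here. The group name sg-security-operations, the user jdoe@contoso.example and the placeholder resource path are assumptions.

```python
REQUIRED_RETENTION_DAYS = 365                          # 12-month minimum stated by the control
REQUIRED_LOG_CATEGORIES = {"AuditLogs", "SignInLogs"}  # Entra ID diagnostic log categories
SECOPS_PRINCIPALS = {"sg-security-operations"}         # assumed name of the SecOps group

# Constructed sample evidence (not real tenant data); field names follow the
# JSON shapes returned by the Azure CLI / REST API for these objects.
WORKSPACE = {"name": "law-central-logs", "retentionInDays": 180}
ROLE_ASSIGNMENTS = [
    {"principalName": "sg-security-operations", "roleDefinitionName": "Log Analytics Reader"},
    {"principalName": "jdoe@contoso.example", "roleDefinitionName": "Log Analytics Contributor"},
]
DIAGNOSTIC_SETTING = {
    "workspaceId": "/subscriptions/<placeholder>/resourceGroups/rg-secops/providers/"
                   "Microsoft.OperationalInsights/workspaces/law-central-logs",
    "logs": [{"category": "AuditLogs", "enabled": True},
             {"category": "SignInLogs", "enabled": False}],
}


def check_retention(workspace):
    """Central workspace must keep logs for at least 12 months."""
    days = workspace.get("retentionInDays", 0)
    if days < REQUIRED_RETENTION_DAYS:
        return [f"retention is {days} days, control requires >= {REQUIRED_RETENTION_DAYS}"]
    return []


def check_rbac(assignments, allowed_principals):
    """Every role assignment scoped to the workspace must belong to the SecOps team."""
    return [f"{a['principalName']} holds {a['roleDefinitionName']} but is not a SecOps principal"
            for a in assignments if a["principalName"] not in allowed_principals]


def check_diagnostics(setting):
    """Required Entra log categories must be enabled and routed to a Log Analytics workspace."""
    findings = []
    if not setting.get("workspaceId"):
        findings.append("diagnostic setting does not target a Log Analytics workspace")
    enabled = {log["category"] for log in setting.get("logs", []) if log.get("enabled")}
    for category in sorted(REQUIRED_LOG_CATEGORIES - enabled):
        findings.append(f"log category {category} is not enabled for export")
    return findings


def assess(workspace, assignments, setting, allowed_principals=SECOPS_PRINCIPALS):
    """Return every A.8.15 finding; an empty list means the evidence passes all three checks."""
    return (check_retention(workspace) + check_rbac(assignments, allowed_principals)
            + check_diagnostics(setting))


if __name__ == "__main__":
    for finding in assess(WORKSPACE, ROLE_ASSIGNMENTS, DIAGNOSTIC_SETTING):
        print("FAIL:", finding)
```

Run against the constructed sample it reports three failures (short retention, a non-SecOps contributor, SignInLogs not exported); feed it the real `az` JSON output to produce the same evidence an auditor asks for.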

M365 capabilities that implement this control

Exchange CIS Fundamentals [Foundation]: CIS Microsoft 365 Foundations benchmark settings for Exchange Online

Advanced Audit [Info Gov]: Microsoft Purview Advanced Audit with extended retention

AI Monitoring & Shadow AI Detection [Info Gov]: AI agent action audit logging, Copilot usage monitoring, and shadow AI detection via Entra Internet Access and Sentinel