Owner: CISO
Effective Date: May 15, 2026
Reviewed: Annually
Frameworks: SOC 2 CC7.2 / CC7.3 (system monitoring and security-event review); ISO/IEC 27001 A.8.15 / A.8.16. Implements the Operations Security Policy.
This procedure operationalizes the Operations Security Policy → Log retention tiers and the Logging & Monitoring engineering guide. It is the canonical operating record for SOC 2 CC7.2 / CC7.3 (system monitoring and security event review) and ISO/IEC 27001 A.8.15 / A.8.16 (logging and monitoring activities).

Scope

Log classes and the canonical query interface for each are listed below. Hot-tier retention is in Better Stack / CloudWatch Logs Insights; cold-tier retention is in S3 Object Lock per Logging & Monitoring → Retention.
ClassExamplesPrimary review interface
Security & auditAuthentication, SSO, MFA, access-control changes, admin / operator activity, IAM changes, KMS key use, VPC flow, Cloudflare Gateway / Access decisions, EDR alerts, IR forensic capturesBetter Stack saved searches per the Security review pack; AWS CloudWatch Logs Insights for native AWS sources
Database / data-accessDB audit logs, customer-data Access Transparency events, secrets-manager accessBetter Stack + database-native audit consoles
ApplicationService request logs, app-level audit eventsBetter Stack
Infrastructure & changeTerraform / CI/CD events, deploy / rollback events, infra-API mutationsBetter Stack, GitHub Actions run-logs, CloudTrail
The Security review pack is a named Better Stack workspace / saved-search collection maintained by the CISO; updates to the pack are version-controlled in the SOC 2 evidence library.

Cadence

Review typeCadenceOwner
Automated alertingContinuous — Better Stack and CloudWatch alarms fire to the on-call rotation per the Incident Response PolicySRE on-call
Daily anomaly scanEach business day — review automated daily-digest output for unusual patternsSRE on-call
Weekly security reviewWeekly — CISO (or delegate) walks the Security review pack, looks for trends not captured by alerting; independent attestation co-signed by the CEO that the review occurredCISO + CEO (independent attestation)
Monthly admin-activity reviewMonthly — CISO + CTO review admin / operator activity (root cloud, KMS, IAM changes, secrets access); independent attestation co-signed by the CEO that the review occurredCISO + CTO + CEO (independent attestation)
Quarterly deep reviewQuarterly — covered at the ISMS Management Review under the rotating control-domain deep dive when Logging & Monitoring is the quarterCISO
Triggered reviewAt incident onset (per IR runbook) and after any control changeIR commander

Process — weekly security review

  1. Pull. Open the Security review pack in Better Stack and run each saved search for the trailing 7 days.
  2. Look for. Authentication anomalies (failed logins, impossible-travel, MFA bypass attempts, new-device sign-ins for sensitive accounts); access-control changes (group membership changes, new admins, role escalations); KMS / secrets access patterns outside known automation; CI/CD events outside normal deploy windows; data-access volumes outside baseline; alarms that fired and auto-resolved.
  3. Triage. Each anomaly is one of: (a) explained — link to the ticket / change that explains it; (b) benign-but-needs-noise-reduction — add to the noise-reduction backlog; (c) potential incident — open an incident per the Incident Response Policy with severity assigned by the CISO.
  4. Record. Reviewer fills the weekly review note (template below) and files it as a controlled register entry (Log Reviews, one per ISO week). Anything triaged as (c) is cross-linked to its incident.

Process — monthly admin-activity review

  1. CISO + CTO meet for ~30 minutes.
  2. Walk: root-account use; IAM identity-and-access changes; KMS key creation / deletion / use; secrets-manager / Vault access; production-bastion login events; CI/CD deploys to production outside the standard window.
  3. For each event, confirm the actor, the authorization (ticket / change record), and the outcome.
  4. Anything unexpected becomes an incident or an action item recorded in the monthly review note (template below).

Process — incident-driven review

At incident onset, the IR commander pulls the relevant slice of logs into the incident workspace and preserves a snapshot per the Incident Response Policy. Cold-tier retrieval — for logs aged out of hot retention — follows the SLA in Logging & Monitoring → Cold-log retrieval SLA.

Weekly review note — template

# Log review — week of <YYYY-MM-DD>

**Reviewer:** <name>
**Date completed:** <YYYY-MM-DD>
**Coverage:** trailing 7 days; Security review pack version <X>

## Anomalies surfaced
| Source | Description | Triage | Linked ticket / incident |
|---|---|---|---|

## Sign-off
| Name | Role | Date |
|---|---|---|
| | CISO (substantive review) | |
| | CEO (independent attestation — confirms review occurred) | |

Monthly admin-activity review note — template

# Admin-activity review — <YYYY-MM>

**Reviewers:** <CISO name>, <CTO name>
**Date completed:** <YYYY-MM-DD>

## Walked
- [ ] Root-account use
- [ ] IAM changes
- [ ] KMS key changes / use
- [ ] Vault / secrets access outside automation
- [ ] Production-bastion logins
- [ ] Off-hours CI/CD production deploys

## Findings
| Source | Event | Authorization | Outcome |
|---|---|---|---|

## Sign-off
| Name | Role | Date |
|---|---|---|
| | CISO (substantive review) | |
| | CTO (substantive review) | |
| | CEO (independent attestation — confirms review occurred) | |

Independent attestation — why the CEO signs

Because the CTO and CISO are the same individual at current scale, the substantive review and the actor are the same person on a meaningful share of events. To satisfy SOC 2 CC6.6 (independent oversight of administrator and operator activity), the CEO co-signs each weekly and monthly review note as an independent attestation that the review occurred. The CEO does not perform the substantive walk; the sign-off line confirms that the review was completed in the period, that the reviewer represents no anomalies requiring CEO awareness, and that any exceptions identified have been recorded in the note. This is the role-concentration compensating control for the log-review surface.

Evidence

Weekly and monthly review notes are committed to this repo under /registers/log-reviews/. The CISO sign-off (substantive) and the CEO sign-off (independent attestation) on each note are the auditor-facing evidence. Notes are retained for at least 3 years per the Records Retention Schedule. The underlying log records follow the per-class retention in Operations Security → Log retention tiers.

Escalation

Any anomaly triaged as a potential incident escalates immediately per the Incident Response Policy. A missed weekly or monthly review is itself an action item on the next ISMS Management Review.

Version history

VersionDateDescriptionAuthorApproved by
1.0May 15, 2026Initial version — implements Operations Security Policy and Logging & Monitoring, SOC 2 CC7.2 / CC7.3, ISO 27001 A.8.15 / A.8.16Cameron WolfeIshan Jadhwani