Owner: CISO
Effective Date: May 15, 2026
Reviewed: Annually
Frameworks: SOC 2 CC7.2 / CC7.3 (system monitoring and security-event review); ISO/IEC 27001 A.8.15 / A.8.16. Implements the Operations Security Policy.
Effective Date: May 15, 2026
Reviewed: Annually
Frameworks: SOC 2 CC7.2 / CC7.3 (system monitoring and security-event review); ISO/IEC 27001 A.8.15 / A.8.16. Implements the Operations Security Policy.
Scope
Log classes and the canonical query interface for each are listed below. Hot-tier retention is in Better Stack / CloudWatch Logs Insights; cold-tier retention is in S3 Object Lock per Logging & Monitoring → Retention.| Class | Examples | Primary review interface |
|---|---|---|
| Security & audit | Authentication, SSO, MFA, access-control changes, admin / operator activity, IAM changes, KMS key use, VPC flow, Cloudflare Gateway / Access decisions, EDR alerts, IR forensic captures | Better Stack saved searches per the Security review pack; AWS CloudWatch Logs Insights for native AWS sources |
| Database / data-access | DB audit logs, customer-data Access Transparency events, secrets-manager access | Better Stack + database-native audit consoles |
| Application | Service request logs, app-level audit events | Better Stack |
| Infrastructure & change | Terraform / CI/CD events, deploy / rollback events, infra-API mutations | Better Stack, GitHub Actions run-logs, CloudTrail |
Cadence
| Review type | Cadence | Owner |
|---|---|---|
| Automated alerting | Continuous — Better Stack and CloudWatch alarms fire to the on-call rotation per the Incident Response Policy | SRE on-call |
| Daily anomaly scan | Each business day — review automated daily-digest output for unusual patterns | SRE on-call |
| Weekly security review | Weekly — CISO (or delegate) walks the Security review pack, looks for trends not captured by alerting; independent attestation co-signed by the CEO that the review occurred | CISO + CEO (independent attestation) |
| Monthly admin-activity review | Monthly — CISO + CTO review admin / operator activity (root cloud, KMS, IAM changes, secrets access); independent attestation co-signed by the CEO that the review occurred | CISO + CTO + CEO (independent attestation) |
| Quarterly deep review | Quarterly — covered at the ISMS Management Review under the rotating control-domain deep dive when Logging & Monitoring is the quarter | CISO |
| Triggered review | At incident onset (per IR runbook) and after any control change | IR commander |
Process — weekly security review
- Pull. Open the Security review pack in Better Stack and run each saved search for the trailing 7 days.
- Look for. Authentication anomalies (failed logins, impossible-travel, MFA bypass attempts, new-device sign-ins for sensitive accounts); access-control changes (group membership changes, new admins, role escalations); KMS / secrets access patterns outside known automation; CI/CD events outside normal deploy windows; data-access volumes outside baseline; alarms that fired and auto-resolved.
- Triage. Each anomaly is one of: (a) explained — link to the ticket / change that explains it; (b) benign-but-needs-noise-reduction — add to the noise-reduction backlog; (c) potential incident — open an incident per the Incident Response Policy with severity assigned by the CISO.
- Record. Reviewer fills the weekly review note (template below) and files it as a controlled register entry (Log Reviews, one per ISO week). Anything triaged as (c) is cross-linked to its incident.
Process — monthly admin-activity review
- CISO + CTO meet for ~30 minutes.
- Walk: root-account use; IAM identity-and-access changes; KMS key creation / deletion / use; secrets-manager / Vault access; production-bastion login events; CI/CD deploys to production outside the standard window.
- For each event, confirm the actor, the authorization (ticket / change record), and the outcome.
- Anything unexpected becomes an incident or an action item recorded in the monthly review note (template below).
Process — incident-driven review
At incident onset, the IR commander pulls the relevant slice of logs into the incident workspace and preserves a snapshot per the Incident Response Policy. Cold-tier retrieval — for logs aged out of hot retention — follows the SLA in Logging & Monitoring → Cold-log retrieval SLA.Weekly review note — template
Monthly admin-activity review note — template
Independent attestation — why the CEO signs
Because the CTO and CISO are the same individual at current scale, the substantive review and the actor are the same person on a meaningful share of events. To satisfy SOC 2 CC6.6 (independent oversight of administrator and operator activity), the CEO co-signs each weekly and monthly review note as an independent attestation that the review occurred. The CEO does not perform the substantive walk; the sign-off line confirms that the review was completed in the period, that the reviewer represents no anomalies requiring CEO awareness, and that any exceptions identified have been recorded in the note. This is the role-concentration compensating control for the log-review surface.Evidence
Weekly and monthly review notes are committed to this repo under/registers/log-reviews/. The CISO sign-off (substantive) and the CEO sign-off (independent attestation) on each note are the auditor-facing evidence. Notes are retained for at least 3 years per the Records Retention Schedule. The underlying log records follow the per-class retention in Operations Security → Log retention tiers.
Escalation
Any anomaly triaged as a potential incident escalates immediately per the Incident Response Policy. A missed weekly or monthly review is itself an action item on the next ISMS Management Review.Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | May 15, 2026 | Initial version — implements Operations Security Policy and Logging & Monitoring, SOC 2 CC7.2 / CC7.3, ISO 27001 A.8.15 / A.8.16 | Cameron Wolfe | Ishan Jadhwani |