GRCWatch
Sign inStart free trial

CIS Control 8.10: Retain Audit Logs Across Enterprise Assets

Audit logs are your organization's digital record of every critical event—from user access to system changes. CIS Control 8.10 requires maintaining these logs for a minimum of 90 days, creating a forensic trail essential for threat detection, incident response, and regulatory compliance. Without proper retention, you lose visibility into what happened when a breach occurs.

What this means

This control mandates that your organization capture and preserve audit logs from all enterprise assets (servers, workstations, network devices, applications) for at least 90 consecutive days. These logs must be protected from tampering, remain searchable and accessible for investigation, and cover user actions, system events, and security-relevant activities. The 90-day minimum ensures you can investigate incidents that may not be discovered immediately while balancing storage costs and operational feasibility.

How to comply

  1. 1.Identify all systems and assets that generate audit logs (servers, databases, firewalls, Active Directory, cloud services, endpoints)
  2. 2.Configure centralized log collection using a SIEM or log management platform to aggregate logs from all sources
  3. 3.Enable audit logging features on each asset with detailed event types (login attempts, privilege escalation, configuration changes, deletions)
  4. 4.Set retention policies to preserve logs for a minimum of 90 days; apply longer retention for sensitive systems or compliance-critical data
  5. 5.Implement log integrity controls (digital signatures, write-once storage, hash verification) to prevent tampering or deletion
  6. 6.Test log accessibility quarterly by retrieving and reviewing sample logs from the 90-day window
  7. 7.Document your log retention architecture, data flow, and evidence of compliance in your control register
  8. 8.Plan storage capacity to accommodate 90 days of logs at your organization's current event volume

Evidence auditors look for

  • SIEM or log management platform configuration screenshots showing log sources and retention policies set to 90+ days
  • Centralized logging infrastructure diagrams demonstrating log collection from all enterprise assets
  • Audit logs from the past 90 days retrieved and timestamped as evidence of continuous retention
  • System configuration reports showing audit logging enabled on critical assets (servers, databases, firewalls, identity platforms)
  • Storage capacity planning documentation confirming infrastructure supports 90-day retention
  • Log integrity controls documentation (e.g., immutable storage settings, hash verification mechanisms)
  • Incident investigation examples showing logs were available and searchable within the 90-day window
  • Retention policy schedules and automated backup verification reports

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates log retention policy enforcement across your infrastructure and generates audit-ready evidence showing continuous 90-day retention, eliminating manual log verification and audit log management overhead.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS 8.1 — Establish Logging and ProcessesCIS 8.2 — Collect Client-Side LogsCIS 8.3 — Collect Server-Side LogsCIS 8.4 — Collect Network Traffic LogsCIS 8.5 — Collect Wireless LogsCIS 8.6 — Collect Authentication and Authorization LogsCIS 8.7 — Collect Detailed Audit LogsCIS 8.8 — Collect System DataCIS 8.9 — Preserve Audit Logs