GRCWatch
Sign inStart free trial

CIS Control 8.12: Collect Service Provider Logs

Service provider logs are critical for detecting unauthorized access, tracking data changes, and demonstrating compliance to auditors. CIS Control 8.12 requires organizations to systematically collect logs from third-party services that support their operations. Without centralized log collection, you lose visibility into vendor actions that affect your security posture.

What this means

This control requires you to collect and retain logs from service providers across authentication events, authorization changes, data creation and deletion, and user management activities. The goal is to maintain a complete audit trail of who did what, when, and where—especially for critical business services. Where service providers support log collection, you must implement the mechanisms to aggregate and retain these logs for investigation and compliance verification.

How to comply

  1. 1.Identify all service providers that support logging and document their log collection capabilities
  2. 2.Configure each service provider to export authentication and authorization event logs
  3. 3.Set up automated log collection for data creation, modification, and disposal events
  4. 4.Establish centralized log aggregation to consolidate provider logs with internal systems
  5. 5.Define retention policies that meet your compliance requirements (typically 90+ days minimum)
  6. 6.Implement log monitoring and alerting for suspicious service provider activities
  7. 7.Conduct quarterly reviews of collected logs to ensure completeness and accuracy

Evidence auditors look for

  • Service provider log export configurations showing enabled authentication event logging
  • Centralized SIEM dashboard displaying aggregated logs from 3+ active service providers
  • Data governance logs showing creation, modification, and deletion timestamps from cloud services
  • User management event logs capturing role changes and permission updates from SaaS platforms
  • Log retention policy documentation confirming minimum storage periods
  • Audit trail reports from service providers (Okta, Salesforce, AWS, Slack, etc.) for past 90 days
  • Monitoring dashboards with alerts configured for failed authentication attempts from vendors

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

See how GRCWatch handles this control automatically.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS Control 8.1 — Establish Logging Standards and ProcessesCIS Control 8.2 — Collect Audit LogsCIS Control 8.5 — Collect Detailed Audit LogsCIS Control 8.11 — Collect Authentication and Authorization Logs