GRCWatch
Sign inStart free trial

CIS Controls 8.3: Ensure Adequate Audit Log Storage

Audit logs are only valuable if you can actually store and access them. CIS Controls 8.3 requires organizations to maintain sufficient storage capacity to support their audit log management policies—preventing data loss and ensuring compliance investigations succeed. Without proper storage planning, your logs become liabilities instead of assets.

What this means

This control mandates that your logging infrastructure has adequate capacity to store logs according to your enterprise's defined retention periods. It's about ensuring logging destinations (SIEM systems, cloud storage, databases) won't overflow, truncate historical records, or force premature deletion of evidence needed for security investigations and compliance audits.

How to comply

  1. 1.Calculate total log volume generated daily across all systems, applications, and endpoints
  2. 2.Define retention periods based on regulatory requirements and your incident response needs
  3. 3.Multiply daily volume by retention period to determine required storage capacity
  4. 4.Add 20-30% buffer for growth and unexpected log increases
  5. 5.Implement automated log rotation and archival policies to manage active storage
  6. 6.Monitor storage utilization monthly and establish alerts at 70-80% capacity thresholds
  7. 7.Document storage capacity decisions and review them annually during policy updates

Evidence auditors look for

  • Storage capacity planning spreadsheet showing daily log volume calculations and retention requirements
  • Logging infrastructure specifications documenting disk allocation and scalability provisions
  • SIEM or log management tool configuration confirming retention policies and storage limits
  • Monitoring dashboards showing storage utilization trends and capacity headroom
  • Change management records for storage expansions or upgrades
  • Annual capacity reviews demonstrating proactive planning adjustments
  • Incident response procedures referencing log availability and historical data access

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically tracks your logging infrastructure capacity and alerts you when storage utilization approaches thresholds, eliminating manual calculations and preventing compliance gaps from insufficient audit log storage.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS Controls 8.1 — Establish Audit Logging ProcessesCIS Controls 8.2 — Collect Audit LogsCIS Controls 8.4 — Standardize Time SynchronizationCIS Controls 8.5 — Protect Audit Log Integrity