PCI DSS 10.5.1.1: Retaining Audit Log History for At Least 12 Months
Audit log retention is a foundational PCI DSS requirement that protects your organization's ability to detect, investigate, and respond to security incidents. Control 10.5.1.1 mandates that all audit log history be retained for a minimum of 12 months, with at least 3 months of logs available for immediate online review. Failing to maintain adequate log history can result in failed audits and increased vulnerability to undetected breaches.
What this means
This control requires your organization to establish and enforce a retention policy that keeps all audit logs—including access logs, system activity logs, and security event logs—for at least 12 months. Logs must be stored securely and remain accessible for investigation and forensic analysis. The first 3 months of logs should be readily available online; older logs may be archived but must remain retrievable within a reasonable timeframe.
How to comply
- 1.Define and document an audit log retention policy specifying 12+ month retention periods
- 2.Configure logging systems (servers, databases, firewalls, applications) to retain logs according to policy
- 3.Establish automated log archival procedures to move logs older than 3 months to secure offline storage
- 4.Implement secure log storage with encryption and access controls to prevent tampering or unauthorized deletion
- 5.Test log restoration procedures regularly to ensure archived logs can be retrieved when needed
- 6.Monitor log storage capacity and scale infrastructure to accommodate 12 months of log data
- 7.Document and communicate retention procedures to all relevant teams
Evidence auditors look for
- Written audit log retention policy approved by management
- System configuration screenshots showing log retention settings (e.g., syslog servers, SIEM)
- Automated archival job logs demonstrating regular movement of aged logs to storage
- Storage inventory showing sufficient capacity for 12 months of log data
- Encryption and access control documentation for log storage locations
- Log restoration test results confirming successful retrieval of archived logs
- Audit reports from SIEM or log management platform showing log volume and retention status
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically aggregates logs from your infrastructure and enforces 12-month retention policies with one-click archival configuration, eliminating manual retention management and audit log compliance gaps.
See how GRCWatch handles this control automatically
Start free trial