Cloud Logging Evidence for ISO 27017

ISO 27017 doesn’t just want “we have logging.” It wants proof that cloud logging is enabled, protected, reviewed, and acted on matching your shared-responsibility model.
This guide shows exactly what auditors ask for, what evidence to collect, and how to package it cleanly in SharePoint using practical AWS and Azure examples.

• What is your cloud logging standard (what must be logged, retention, review cadence)?
• Who owns cloud logging (platform/security/IT)?
• How do you validate logging is enabled across all environments?

• Which accounts/subscriptions are in scope?
• Are logs enabled in all regions (AWS) / subscriptions (Azure)?
• Do you log admin activity, sign-ins, security control changes, and sensitive access?

• Who can view logs? Who can delete/modify them?
• Is storage protected (restricted roles, separate account/workspace, immutability where feasible)?
• Do you alert on logging being disabled or tampered with?

• What alerts exist and who responds?
• Show a sample alert → ticket → investigation → closure chain.
• How often do you review logs and how is it evidenced?

• What is your retention period for audit/security logs?
• Is retention enforced technically (not just in policy)?
• What happens when retention changes?

• Is CloudTrail enabled in all regions?
• Is it an Organization trail (covers all accounts)?
• Where are logs stored and who can access them?
• Are logs protected from deletion/tampering?

• org trail + multi-region enabled (export/screenshot)
• delivery to centralized S3 bucket
• log file validation enabled (if used)
• S3 bucket policy: restricted write/read roles
• S3 lifecycle: retention + archival
• alerts: CloudTrail stopped, S3 policy changed, root activity, IAM policy changes

• alarm list (or key alarms) export
• sample alarm → ticket → resolution
• on-call/notification path

• AWS Config enabled across accounts/regions
• key managed rules or conformance packs (if used)
• sample finding → remediation ticket → closure evidence

• detection rules for root console login
• alerting on new access keys and policy attachment changes
• changes to MFA settings and admin role changes
• sample alert evidence (or tabletop record if no real alerts)
• privileged access review evidence (quarterly)

• diagnostic settings sending Activity Log to Log Analytics and/or storage
• subscription coverage evidence (list of subscriptions configured)
• retention settings (Log Analytics retention and/or storage lifecycle)
• alert rules: role assignment changes, policy changes, diagnostic settings modifications

• sign-in/audit log access and retention evidence
• Conditional Access policy evidence (MFA/admin restrictions)
• sample alert/ticket for risky sign-in or admin change
• quarterly privileged role review (Global Admin, etc.)

• alert rules (key ones)
• sample incident record showing triage and containment
• playbooks/runbooks (if used)

• key Azure Policies assigned (and scope)
• compliance report snapshot
• exception/risk acceptance records for exemptions

• period covered
• reviewer name
• what was checked (admin actions, sign-in anomalies, logging health)
• findings + follow-up tickets
• approval/sign-off

• 2–3 examples per quarter if possible
• include misconfiguration finding evidence
• use a tabletop record if you lack real alerts

• log ingestion stopped
• diagnostic settings changed
• log storage policies modified
• retention reduced
• CloudTrail/Activity Log disabled

• control register mapped to ISO 27017 / SOC 2
• evidence library with metadata (control ID, period, owner)
• automated reminders for monthly/quarterly log reviews
• Teams approvals for sign-offs and exceptions
• an Auditor View to share only what’s required

• auditor question script
• AWS evidence list (CloudTrail, Config, CloudWatch)
• Azure evidence list (Activity Log, Entra logs, Monitor)
• operating effectiveness templates (log review + alert chain)
• SharePoint evidence pack structure