AU-11 Audit Record Retention

Audit and Accountability

Baselines: Low, Moderate, High, Privacy

Description

The organization retains audit records for [Assignment: organization-defined time period] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.

Supplemental Guidance

The organization retains audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoena, and law enforcement actions. Standard categorizations of audit records relative to such types of actions and standard response processes for each type of action are developed and disseminated. NIST Special Publication 800-61 provides guidance on computer security incident handling and audit record retention.
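The rule in the guidance above is simple to state but easy to get wrong in automation: a record is eligible for deletion only when the organization-defined period has elapsed and no categorised hold (FOIA request, subpoena, law-enforcement action, open investigation) applies, and anything whose age or hold status cannot be established must not be deleted. The following sweep is an added illustration of that rule, not part of the control text, NIST guidance or any product. It assumes a 365-day retention period, a JSON-lines index of archived audit bundles with an `archived_at` ISO-8601 timestamp and a `holds` list, and the hold category names shown; all of these are placeholders to be replaced by the organization's own values.

```python
"""Retention sweep for archived audit records that honours legal/FOIA holds.

Added illustration for AU-11; not from NIST SP 800-53 or any product.
Assumptions (not in the control text): a 365-day retention period, a
JSON-lines index with `archived_at` (ISO-8601) and `holds` fields, and
hold categories named 'foia', 'subpoena', 'law_enforcement', 'investigation'.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Organization-defined retention period (assumed value; take it from policy).
RETENTION_PERIOD = timedelta(days=365)

# Hold categories that suspend deletion regardless of age. These stand in for
# the "standard categorizations" the guidance calls for; the names are assumed.
HOLD_CATEGORIES = frozenset({"foia", "subpoena", "law_enforcement", "investigation"})

# Constructed sample index; each line describes one archived audit bundle.
SAMPLE_INDEX = """\
{"id": "auth-2023-01.log.gz", "archived_at": "2023-01-31T23:59:59Z", "holds": []}
{"id": "auth-2023-06.log.gz", "archived_at": "2023-06-30T23:59:59Z", "holds": ["subpoena"]}
{"id": "auth-2024-11.log.gz", "archived_at": "2024-11-30T23:59:59Z", "holds": []}
{"id": "auth-2023-03.log.gz", "archived_at": "not-a-date", "holds": []}
{"id": "auth-2023-04.log.gz", "archived_at": "2023-04-30T23:59:59Z", "holds": ["marketing"]}
"""


@dataclass(frozen=True)
class Decision:
    record_id: str
    action: str  # "delete", "retain" or "review"
    reason: str


def parse_timestamp(value: str) -> datetime | None:
    """Parse an ISO-8601 timestamp; return None instead of raising on garbage."""
    try:
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    if ts.tzinfo is None:  # treat naive timestamps as UTC
        ts = ts.replace(tzinfo=timezone.utc)
    return ts


def decide(record: dict, now: datetime) -> Decision:
    """Apply the retention rule to one index entry.

    Deletion requires BOTH an expired retention period AND no recognised hold.
    Unknown hold labels and unparseable timestamps fail closed to 'review'.
    """
    rid = record["id"]
    holds = set(record.get("holds", []))
    unknown = holds - HOLD_CATEGORIES
    if unknown:  # a label nobody defined may still be a hold; do not delete
        return Decision(rid, "review", f"unknown hold label(s): {sorted(unknown)}")
    if holds:
        return Decision(rid, "retain", f"active hold: {sorted(holds)}")
    archived = parse_timestamp(record.get("archived_at", ""))
    if archived is None:  # age unknown, so expiry cannot be shown
        return Decision(rid, "review", "unparseable archived_at; age unknown")
    age = now - archived
    if age < RETENTION_PERIOD:
        return Decision(rid, "retain", f"within retention period ({age.days}d)")
    return Decision(rid, "delete", f"expired ({age.days}d) and no hold")


def sweep(index_text: str, now: datetime) -> list[Decision]:
    """Run the rule over a JSON-lines index; one decision per non-empty line."""
    return [decide(json.loads(line), now) for line in index_text.splitlines() if line.strip()]


def sweep_sample() -> dict[str, str]:
    """Run the sweep over the constructed index at an assumed fixed clock."""
    fixed_now = datetime(2025, 1, 15, tzinfo=timezone.utc)  # assumed 'now'
    return {d.record_id: d.action for d in sweep(SAMPLE_INDEX, fixed_now)}


if __name__ == "__main__":
    fixed_now = datetime(2025, 1, 15, tzinfo=timezone.utc)
    for d in sweep(SAMPLE_INDEX, fixed_now):
        print(f"{d.action:7} {d.record_id}: {d.reason}")
```

The sweep only produces decisions; the deletion step should be a separate, itself-audited action, so that the removal of audit records leaves a record of who removed what and why. Note that the two "review" outcomes are deliberate: a record with an unknown hold label or an unreadable timestamp is never silently deleted.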

Enhancements

(0) None.

Compliance Mappings

ISO 27001:2022

7.5, A.5.28, A.5.33, A.8.15

ISO 27002:2022

5.28, 5.33, 8.15

CIS Controls v8

CIS 3.4, CIS 8, CIS 8.10, CIS 8.3

NIST CSF 2.0

RS.AN-06, RS.AN-07

SOC 2 TSC

C1.2

PCI DSS v4.0.1

10.5

CSA CCM v4

LOG-02, LOG-09

CSA AICM v1

LOG-02, LOG-09

ISO 42001:2023

A.6.2.8

PRA Operational Resilience

SS2/21-13.1

BSI IT-Grundschutz

OPS.1.1.5

ANSSI

Hygiene.29, SecNumCloud.13.7

FINMA Circular 2023/1

IV.C(66), IV.D(82), IV.E(83)

OSFI B-13

B-13.3.3

EU GDPR

Art.17(1), Art.5(1)(e)

EU DORA

Art.10(1), Art.19(4)

BIO2

5.28, 5.33, 8.15

RBI CSF

Annex1.16, ITGRCA.15

FISC Security Guidelines

FISC.O11, FISC.O7

LGPD + BCB 4893

BCB.Art.20, BCB.Art.9, LGPD.Art.15-16

MLPS 2.0

8.1.4.3

DNB Good Practice

DNB.12.1

EU CRA

CRA.I.2l

NCA ECC

2-12

UAE IA

T7

CBB TM

TM-12

Qatar NIA

OS

BoG CISD

CISD-COMP

POPIA

s14

IOSCO Cyber Resilience

DET-1

BCBS 239

Principle 4

FFIEC IS

III.B

NYDFS 500

500.6

HIPAA Security Rule

§164.308(a)(1)(ii)(D), §164.312(b), §164.316(b)(2)(i)

EBA ICT Guidelines

3.4.5, 3.5(c)

SEBI CSCRF

DE.AU, RS.AN

CMMC 2.0

AU

PCI HSM

10

Common Criteria

CC Part 2 — FAU

Solvency II

Pillar3-Reporting

Lloyd's Minimum Standards

MS13.2, MS8.12

NAIC Insurance Data Security

4-audit

PRA SS1/23

P-IT.2, P5.5

FCA SYSC 13

SYSC 13.G.4

HITRUST CSF v11

06.b, 09.g, 11.c

FDA 21 CFR Part 11

§11.10(b), §11.10(c), §11.10(e)

ISO 27799

12.4

CCSS v9.0

2.03.1, 2.04.3

MiCA

Art.63(2), Art.67(1), Art.82(1)

Basel SCO60

SCO60.11, SCO60.62, SCO60.63, SCO60.66, SCO60.70, SCO60.71, SCO60.73, SCO60.74, SCO60.82

BSSC Standards

GSP-12

SEC Custody (Digital Assets)

SEC-CD-14, SEC-CD-15, SEC-CD-18, SEC-CD-20

ISO 17799 (legacy)

10.10.1, 15.1.3

COBIT 4.1 (legacy)

None.