AU-12 Audit Record Generation

Audit and Accountability

Low Moderate High

Description

a. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-02a on [Assignment: organization-defined system components];

b. Allow [Assignment: organization-defined personnel or roles] to select the event types that are to be audited by specific components of the system; and

c. Generate audit records for the event types defined in AU-02c that include the audit record content defined in AU-03.

Supplemental Guidance

Audit records can be generated from many different system components. The event types specified in AU-02 are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records.

Changes from Rev 4

No significant changes from Rev 4.

Compliance Mappings

ISO 27001:2022

7.5, A.8.15

ISO 27002:2022

8.15

CIS Controls v8

CIS 3.14, CIS 8, CIS 8.2

NIST CSF 2.0

DE.CM-03, PR.PS-04

PCI DSS v4.0.1

10.2

CSA CCM v4

LOG-11

CSA AICM v1

LOG-11

FINOS CCC

CCC-C04, CCC-C17

IEC 62443

3-3 SR 2.8

APRA CPS 234

Para 22-23

BSI IT-Grundschutz

OPS.1.1.5

ANSSI

Hygiene.29, SecNumCloud.13.7

EU DORA

Art.10(1)

BIO2

8.15

RBI CSF

Annex1.16, Annex1.17, ITGRCA.15

FISC Security Guidelines

FISC.O2

HKMA TM-E-1

TME1.4.2, TME1.5.2, TME1.8.2

MLPS 2.0

8.1.3.5, 8.1.4.3

EU CRA

CRA.I.2l

SWIFT CSCF

SWIFT.6.4

NCA ECC

2-12

UAE IA

T7

CBB TM

TM-12

Qatar NIA

OS

CBUAE

CR-3

CBE CSF

CD-1

SA JS2

JS2-7.3

CBN CSF

Part3.5

BoG CISD

CISD-VII

BoM CTRM

4.2

IOSCO Cyber Resilience

DET-1, DET-4

BCBS 239

Principle 4

CPMI-IOSCO PFMI

CG.DE, PFMI.P17

FFIEC IS

II.C.15, II.C.18, III.B

NYDFS 500

500.6

HIPAA Security Rule

§164.308(a)(1)(ii)(D), §164.308(a)(5)(ii)(C), §164.312(b)

ECB CROE

CROE.2.4

EBA ICT Guidelines

3.4.5, 3.5(c)

SEBI CSCRF

DE.AU, DE.DP

BOT Cyber Resilience

Ch3.1

CMMC 2.0

AU

10 CFR 73.54

RG5.71-A-AU

IEEE 1686-2022

5.2

PCI PTS v6

L

TIBER-EU

TIBER.BT

PCI HSM

68

Common Criteria

CC Part 2 — FAU

ISAE 3402

Clause 4

Lloyd's Minimum Standards

MS2.1, MS8.12

NAIC Insurance Data Security

4-audit, 4B

PRA SS1/23

P-IT.2, P3.3, P3.4

FCA SYSC 13

SYSC 13.7.5

HITRUST CSF v11

09.g

FDA 21 CFR Part 11

§11.10(e), §11.50

FDA Cybersecurity Guidance

SA-5

ISO 27799

12.4, 9.2

CCSS v9.0

1.04.5, 1.05.2, 2.04.1

MiCA

Art.63(2), Art.67(1), Art.68(1), Art.69(1), Art.70(1), Art.72(1), Art.86(1), Art.88(1), Art.92(1), Art.82(1)

BSSC Standards

NOS-06

SEC Custody (Digital Assets)

SEC-CD-15