Hacker News

Rygian, last Friday at 10:55 AM

That point should not require "reading between the lines" and that's why other standards (e.g. PCI) require explicitly that the logs are sent to a separate "central server" that provides guarantees of immutability.


Replies

dspillett, yesterday at 9:45 PM

Standards like ISO27001 and such are deliberately not prescriptive in that way. You might argue that this makes them less useful, and I would agree…

The standard states that you should do something about X, and perhaps that your choice of how to do X should have property Y, but won't go into further specifics. All the certificate you have, if you have one, really says is that you seem to have covered the relevant points in what you decided to do, and that you are actually implementing what you decided to do. This is one of the reasons why, despite companies having a pile of certificates like that, large prospective clients send a huge questionnaire to anyone wishing to tender for a job: the questionnaire in part fills in the gaps by requesting further detail on how you implemented the requirements of the standard (and in many cases makes it obvious that there are wrong answers that you could give).