MON-003 Log Retention
Description
Audit logs are retained for a minimum period that meets regulatory and contractual requirements — typically 12 months online and up to 24 months in cold storage. Retention periods are documented and enforced through automated policy. Logs are accessible for investigation throughout the retention window.
Rationale
Many incidents and compliance reviews require evidence from months prior to discovery. Insufficient retention windows destroy forensic capability.
Framework Mappings (4)
| LOG-02 | Audit Logs Protection | partial |
| EU-AI-Art.16.4 | Provider Obligations — Log Retention | partial |
| EU-AI-Art.26.5 | Deployer Obligations — Log Retention | partial |
| AU-11 | Audit Record Retention | full |
Evidence (2)
Log retention policy configuration showing automated enforcement of minimum retention periods and tiered storage (online and cold storage) for audit logs.
Example: AWS S3 lifecycle policy for log buckets showing transition to Glacier and expiry dates; CloudWatch Logs retention setting; or equivalent automated retention policy configuration with retention duration visible.
Test: Review log retention configuration for all log storage locations. Verify: (1) online retention is at least 12 months; (2) total retention (including cold storage) meets the documented policy and any applicable regulatory requirement (e.g., 24 months); (3) lifecycle policies are automated, not manual; (4) logs are queryable throughout the online retention window.
Log retention policy defining minimum retention durations by log type, storage tiers, and regulatory basis for retention periods.
Example: Log Retention Policy or Data Retention Schedule (version-controlled, approved within last 12 months) showing retention periods by log category and alignment to regulatory requirements.
Test: Request the log retention policy. Verify: (1) minimum retention periods are specified for each log category; (2) the policy references applicable regulatory requirements (e.g., GDPR, contractual SLAs); (3) tiered storage approach is described; (4) the policy is approved by a named owner and reviewed within the last 12 months.
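Checks (1) to (3) of the retention configuration test above can be scripted against exported AWS settings. The following is an added example, not part of the original control text; the 365-day and 730-day thresholds, the list of cold storage classes, and the sample configurations are assumptions.

```python
ONLINE_MIN_DAYS = 365   # assumption: "12 months online" expressed in days
TOTAL_MIN_DAYS = 730    # assumption: 24-month total; substitute your documented policy value
COLD_CLASSES = {"GLACIER", "DEEP_ARCHIVE"}  # assumption: classes counted as cold storage

def check_s3_lifecycle(config):
    """Return findings for one bucket's lifecycle configuration (day-based rules only)."""
    rules = [r for r in config.get("Rules", []) if r.get("Status") == "Enabled"]
    if not rules:
        return ["no enabled lifecycle rule: retention is not automated"]
    findings = []
    for rule in rules:
        rid = rule.get("ID", "<unnamed>")
        expiration = rule.get("Expiration", {})
        transitions = rule.get("Transitions", [])
        if "Date" in expiration or any("Date" in t for t in transitions):
            findings.append(f"{rid}: fixed-date action, review manually")
            continue
        cold = [t["Days"] for t in transitions if t.get("StorageClass") in COLD_CLASSES]
        expiry = expiration.get("Days")           # None: objects never expire
        online = min(cold) if cold else expiry    # days before leaving the online tier
        if online is not None and online < ONLINE_MIN_DAYS:
            findings.append(f"{rid}: online for {online} days, need {ONLINE_MIN_DAYS}")
        if expiry is not None and expiry < TOTAL_MIN_DAYS:
            findings.append(f"{rid}: expires after {expiry} days, need {TOTAL_MIN_DAYS}")
    return findings

def check_cloudwatch_group(group):
    """A log group without retentionInDays never expires, so it passes."""
    days = group.get("retentionInDays")
    if days is not None and days < ONLINE_MIN_DAYS:
        return [f"{group['logGroupName']}: retained {days} days, need {ONLINE_MIN_DAYS}"]
    return []

# Constructed samples shaped like `aws s3api get-bucket-lifecycle-configuration`
# and `aws logs describe-log-groups` output; names and values are illustrative.
COMPLIANT = {"Rules": [{"ID": "audit", "Status": "Enabled", "Filter": {"Prefix": ""},
             "Transitions": [{"Days": 365, "StorageClass": "GLACIER"}],
             "Expiration": {"Days": 730}}]}
TOO_SHORT = {"Rules": [{"ID": "audit", "Status": "Enabled", "Filter": {"Prefix": ""},
             "Transitions": [{"Days": 90, "StorageClass": "GLACIER"}],
             "Expiration": {"Days": 400}}]}

if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT), ("too_short", TOO_SHORT)):
        print(name, check_s3_lifecycle(cfg) or "PASS")
    print(check_cloudwatch_group({"logGroupName": "/app/audit", "retentionInDays": 90}))
```

Check (4), that logs are queryable throughout the online window, cannot be read from configuration and still needs a sample query against the oldest online data. A rule whose filter covers only part of a bucket also needs a manual look at what the remaining prefixes fall under.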
Questions (2)
Are audit logs retained for a minimum period meeting regulatory and contractual requirements, with retention periods documented and enforced through automated policy?
The minimum expected retention is 12 months online and up to 24 months in cold storage. Retention policies should be automated, not dependent on manual archiving.
What is the current minimum retention period for audit logs in your environment?
12 months online with extended cold storage is the standard expectation. For organisations subject to the EU AI Act or GDPR enforcement, ensure retention aligns to applicable regulatory timelines.