An append-only audit log that stands up to scrutiny
Auditors ask 'who changed this policy?' — regulators ask 'when did you know?' — buyers ask 'how do you know your controls are being applied?'. All three want the same thing: a tamper-evident, timestamped record of every action in your management system. ISO-STANDARD.app gives you one — natively.
Audit logs aren't optional any more
ISO 27001 A.8.15, SOC 2 CC7.2, PCI DSS Req 10, DORA and NIS2 all mandate logging that supports investigation and accountability. The bar keeps rising: raw logs aren't enough — auditors want a purpose-built record of management-system events, not just system syslog.
A shared drive with edit history doesn't clear that bar. An append-only ledger, held by the platform, does.
What's in the box
Every change, every actor, every timestamp
Append-only, tamper-evident
Powerful filtering
Access-scoped
Linked to entities
Auditor-friendly export
Why a purpose-built log matters
How buyers verify you — in minutes, not weeks
A defensible log turns 'we do that' into 'here's the record'.
- Step 1
Auditor asks for change history
Filter by entity → every edit, with who, when and old/new values. No screenshots required.
- Step 2
Regulator investigates an incident
Timeline reconstruction from the log: when the risk was raised, when the control was applied, when the evidence was captured.
- Step 3
Buyer asks 'how do you enforce SoD?'
Log shows role changes, admin actions and approval workflows — separation of duties visible, not asserted.
- Step 4
Internal review
Board or ARC pack pulls activity metrics — attestation rates, review-cycle adherence, evidence freshness — from the log.
The artifacts buyers actually ask for
Every artifact below is generated inside the workspace, versioned, timestamped and shareable via a signed link — no last-minute PDF assembly, no "wait, which version did I send them?"
Who it's for
Pain: Auditor asks 'how did this risk get to residual low?' — the answer lives in someone's memory.
With ISO-STANDARD.app: One filter → full history, actor, date, justification.
Pain: Regulator asks for a post-incident reconstruction; existing logs don't cover management-system actions.
With ISO-STANDARD.app: A defensible ledger of every governance change, tamper-evident and exportable.
Pain: You get policy dashboards but no accountability data.
With ISO-STANDARD.app: Actor-based metrics: who is doing what, when, and how often.
"The auditor asked us three questions we couldn't have answered from a Google Drive. Two filter clicks each — done."
Answers buyers, procurement and auditors want
Can the log be edited?+
No. Rows are append-only. Corrections are new entries referencing the original.
How long is it retained?+
Retention is configurable per organisation, defaulting to a period aligned to ISO 27001 and SOC 2 expectations.
Does it capture read events?+
Read access to sensitive artifacts (report downloads, DPA shares, evidence access) is logged; routine screen views are not, to keep the record signal-rich.
Can I export for a specific auditor scope?+
Yes — filter by entity, actor, date and action; export CSV or JSON with just the fields the auditor needs.
Is the log itself protected?+
Yes — access to the log is role-scoped and access to the log is itself logged.
Related
Pair with the evidence vault, policy attestations and Trust Center.
Give your audit log the credibility your auditor expects
Every action, every actor, every timestamp — append-only, tamper-evident, exportable. The defensible record your buyers and regulators want.
Prefer a conversation? Email hello@iso-standard.app — a practitioner responds within one business day.