An append-only audit log that stands up to scrutiny

Auditors ask 'who changed this policy?' — regulators ask 'when did you know?' — buyers ask 'how do you know your controls are being applied?'. All three want the same thing: a tamper-evident, timestamped record of every action in your management system. ISO-STANDARD.app gives you one — natively.

Audit logs aren't optional any more

ISO 27001 A.8.15, SOC 2 CC7.2, PCI DSS Req 10, DORA and NIS2 all mandate logging that supports investigation and accountability. The bar keeps rising: raw logs aren't enough — auditors want a purpose-built record of management-system events, not just system syslog.

A shared drive with edit history doesn't clear that bar. An append-only ledger, held by the platform, does.

What's in the box

Every change, every actor, every timestamp

Policy edits, control status changes, risk score updates, evidence uploads, attestations, access changes — all captured.

Append-only, tamper-evident

Rows can't be edited or deleted; corrections are new entries. Cryptographic hash chain for defensibility.

Powerful filtering

Filter by actor, entity, action, date range. Export the slice your auditor asked for.

Access-scoped

Admins see everything; members see only what their role permits. The log itself has an access log.

Linked to entities

Every log row links back to the risk, control, policy, evidence, or user it concerns.

Auditor-friendly export

CSV / JSON export with the exact fields your auditor's fieldwork asks for.

Why a purpose-built log matters

Append-only
Rows can't be edited or deleted
Hash-chained
Tamper evidence baked in
Per-entity
Trace every risk / control / policy change
Export
CSV/JSON for the auditor's fieldwork

How buyers verify you — in minutes, not weeks

A defensible log turns 'we do that' into 'here's the record'.

  1. Step 1

    Auditor asks for change history

    Filter by entity → every edit, with who, when and old/new values. No screenshots required.

  2. Step 2

    Regulator investigates an incident

    Timeline reconstruction from the log: when the risk was raised, when the control was applied, when the evidence was captured.

  3. Step 3

    Buyer asks 'how do you enforce SoD?'

    Log shows role changes, admin actions and approval workflows — separation of duties visible, not asserted.

  4. Step 4

    Internal review

    Board or ARC pack pulls activity metrics — attestation rates, review-cycle adherence, evidence freshness — from the log.

The artifacts buyers actually ask for

Every artifact below is generated inside the workspace, versioned, timestamped and shareable via a signed link — no last-minute PDF assembly, no "wait, which version did I send them?"

Policy edit history with actor and timestamp
Control status change ledger
Risk score revisions with justification
Evidence upload and supersede timeline
Attestation ledger per policy version
Access change log (joiner / mover / leaver)
Admin-action audit trail
Auditor-scoped read access with expiry

Who it's for

ISMS / compliance lead heading into audit

Pain: Auditor asks 'how did this risk get to residual low?' — the answer lives in someone's memory.

With ISO-STANDARD.app: One filter → full history, actor, date, justification.

Regulated business under DORA / NIS2 / FCA

Pain: Regulator asks for a post-incident reconstruction; existing logs don't cover management-system actions.

With ISO-STANDARD.app: A defensible ledger of every governance change, tamper-evident and exportable.

Board member asking how the ISMS is really running

Pain: You get policy dashboards but no accountability data.

With ISO-STANDARD.app: Actor-based metrics: who is doing what, when, and how often.

Deal-close moment
"The auditor asked us three questions we couldn't have answered from a Google Drive. Two filter clicks each — done."
Compliance Manager, Financial services, 60 employees

Answers buyers, procurement and auditors want

Can the log be edited?+

No. Rows are append-only. Corrections are new entries referencing the original.

How long is it retained?+

Retention is configurable per organisation, defaulting to a period aligned to ISO 27001 and SOC 2 expectations.

Does it capture read events?+

Read access to sensitive artifacts (report downloads, DPA shares, evidence access) is logged; routine screen views are not, to keep the record signal-rich.

Can I export for a specific auditor scope?+

Yes — filter by entity, actor, date and action; export CSV or JSON with just the fields the auditor needs.

Is the log itself protected?+

Yes — access to the log is role-scoped and access to the log is itself logged.

Related

Pair with the evidence vault, policy attestations and Trust Center.

Give your audit log the credibility your auditor expects

Every action, every actor, every timestamp — append-only, tamper-evident, exportable. The defensible record your buyers and regulators want.

Prefer a conversation? Email hello@iso-standard.app — a practitioner responds within one business day.

MM
Michael McCarroll
Founder · 25+ years
IT governance · Information security · AI
Why this platform exists

Enterprise-grade governance — built for the SMEs and consultants enterprise GRC forgets.

I've spent 25 years in corporate governance — aligning technology, controls and compliance with what the business is actually trying to do. Time and again, the same pattern: the organisations that win new clients aren't the ones with the biggest GRC budget. They're the ones who can demonstrate trust on demand. This platform is the tool I wanted for the SMEs and consultants I've worked with — institutional-grade governance without an institutional price tag, built on the way audits and buyer reviews actually happen.