There is a question auditors started asking in 2024 that was not in their playbooks five years earlier: how do you know this log was not edited last night. The question is awkward to answer if the log is a file on a server that the same engineers who run the application have write access to. It is awkward to answer if the log is in a database table whose schema permits UPDATE. It is awkward to answer if the log was shipped to a SIEM by a forwarder running with the application's own credentials, with no integrity check on what was shipped versus what was received.

For most of the cloud-platform era, "we have logs" was sufficient. The audit conversation focused on whether logs existed, whether they were retained, and whether they covered the right events. Whether the log was, by the time the auditor read it, the same log that was written when the event occurred, was a question that did not usually get asked.

It is the question now. Across every major framework currently in force, the integrity of the audit log itself has been promoted from an implementation detail to a first-class control. The change is consistent enough that "we logged it" is no longer a defensible answer to a regulator asking about audit evidence. This article walks through how each framework has tightened the integrity expectation, what the cryptographic primitives that produce real tamper-evidence look like, and why the architectural baseline is shifting toward hash-chained audit with externally anchored roots.

The shift from "log everything" to "prove the log was not edited"

The companion article on audit-grade evidence as a continuous output covered the broader move from periodic audit to continuous output. The integrity question is the sharp edge of that shift. Once the auditor is reading the platform's own operational record as evidence, the integrity of that record becomes the integrity of the entire audit. If the log could have been edited between the event and the read, the audit conclusion rests on the honesty of whoever had write access in the interim. That is not a posture a regulator wants to depend on.

Two pressures combined to push the change. The first was a series of high-profile breaches in 2023 and 2024 in which the attacker's anti-forensic activity (clearing event logs on staged systems, truncating audit tables, exploiting log retention gaps) materially impeded the investigation. The SEC's 2023 charges against SolarWinds and its CISO referenced inadequate logging in the wake of the 2020 Orion compromise; the Storm-0558 disclosure in 2023 forced Microsoft to expand customer logging at no extra charge after CISA documented investigation-blocking gaps; the MOVEit Transfer breach in 2023 and 2024 saw victim environments where logs were truncated or rotated out before forensic analysis could begin. The pattern in each case was that the integrity and availability of the audit trail itself was the controlling factor in whether the incident could be scoped.

The second was the convergence of framework language. Once PCI DSS 4.0, ISO 27001:2022, the proposed HIPAA Security Rule updates, and the NIS2 Implementing Regulation all separately tightened their treatment of log integrity within the same eighteen-month window, the regulatory posture stopped being incidental. Auditors started asking the integrity question because their own frameworks had moved the question from "consider this" to "evidence this".

What the major frameworks now expect

The pattern is consistent across jurisdictions. The vocabulary differs. The direction does not.

PCI DSS 4.0.1 (international, payments). The 31 March 2025 effective date moved the previously future-dated controls into mandatory status. Requirement 10.3 is now the integrity clause: 10.3.1 limits read access to those with a job-related need; 10.3.2 states that "audit log files are protected to prevent modifications by individuals"; 10.3.3 requires audit logs to be promptly backed up to a secure central log server "or other media that is difficult to modify"; 10.3.4 requires file integrity monitoring or change-detection mechanisms to ensure that existing log data cannot be changed without generating alerts. Requirement 10.5.1 sets a twelve-month retention floor with at least three months immediately available. The Council's framing accepts tamper-evident as the baseline (10.3.4 is detection-and-alert language) while pushing toward tamper-resistant storage as the structural goal (10.3.3 calls for media difficult to modify). The expected QSA finding from 2025 onward is straightforward: an entity with logs but with a privileged role that can DELETE rows from the audit table without triggering an alert is failing 10.3.2 and 10.3.4 simultaneously.

ISO 27001:2022 (international). The 2022 revision merged the three 2013 logging controls (A.12.4.1 through A.12.4.3) into a single Annex A control: A.8.15 Logging. The control statement requires that logs of activities, exceptions, faults, and other relevant events be "produced, stored, protected and analysed". ISO 27002:2022 paragraph 8.15 is explicit on integrity: "logging facilities and log information should be protected against tampering and unauthorized access", with the implementation guidance enumerating the specific tamper categories ("alterations to the message types that are recorded, log files being edited or deleted, storage capacity of the log file media being exceeded"). Control A.5.33 Protection of Records reinforces the integrity requirement: records must be protected from "loss, destruction, falsification, unauthorized access and unauthorized release". Surveillance auditors in the 2025 and 2026 cycles increasingly read these controls together and test substantively: the question is no longer whether logs are protected but how.

SOC 2 (United States, AICPA). CC7.2 expects the entity to monitor system components and operation for anomalies indicative of malicious acts; CC7.3 evaluates security events; CC7.4 covers incident response. The points of focus do not name hash-chained audit specifically, but service auditors have moved toward testing log immutability as part of the operational evaluation. The structural finding pattern is well established: if the same engineers who can SSH into production servers also have write access to the SIEM index, anomaly detection is compromised at its source. Type II reports increasingly include observations on log immutability where the auditor identifies the risk during walkthrough, and the 2022 revised points of focus put more weight on whether monitoring controls actually operate effectively rather than merely existing.

NIST SP 800-53 Rev 5 (United States, federal). AU-9 Protection of Audit Information is the canonical integrity control: "the information system protects audit information and audit tools from unauthorized access, modification, and deletion". AU-9(3) Cryptographic Protection makes the integrity guarantee explicit: "the information system implements cryptographic mechanisms to protect the integrity of audit information and audit tools", and the control discussion specifically names "signed hash functions using asymmetric cryptography" as the recognised mechanism. AU-10 Non-repudiation adds the requirement to protect against falsely denying having performed a particular action. AU-12 covers audit record generation and AU-7 prohibits log reduction or report generation from altering original content or time ordering. NIST SP 800-92 Revision 1, in final public draft from October 2023, explicitly addresses cryptographic log integrity including hash chaining and digital signatures. For FedRAMP Moderate and High systems, AU-9(3) is inherited as a control; 3PAOs find PoA&M items when audit logs are written without signed hashes or equivalent cryptographic protection.

HIPAA Security Rule (United States, healthcare). Section 164.312(b) audit controls is the long-standing audit-log requirement; section 164.312(c)(1) integrity requires policies and procedures to protect electronic protected health information from "improper alteration or destruction", with the addressable 164.312(c)(2) calling for electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorised manner. The December 2024 NPRM strengthens the Security Rule significantly: the addressable-versus-required distinction is removed across the board, audit log retention becomes a defined minimum of six years with documented procedures, and the audit-control implementation is tightened to require documented review procedures and explicit protection of the audit logs themselves from improper alteration. The NPRM preamble references tamper-resistant mechanisms as an example of acceptable controls. The final rule is expected to land in late 2025 or 2026, but covered entities and business associates negotiating contracts in 2026 should already be writing the strengthened expectations into their security baselines.

NIS2 directive (European Union). Article 21(2) lists ten minimum cybersecurity risk-management measures. The Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 translated Article 21(2) into binding technical requirements for the digital infrastructure entities it covers, with the annex calling for a logging policy with defined retention, synchronised time sources, monitoring and detection, and explicit "protection of logs against unauthorised access and modification". ENISA's NIS2 Technical Implementation Guidance is more direct still: "log records and time sources should be protected against tampering and unauthorised access. Logs should be stored separately from the systems generating them, and integrity should be verifiable through cryptographic means where appropriate". The Article 23 reporting timeline (early warning within 24 hours of awareness, full notification within 72 hours, final report within one month with root cause and mitigation) mechanically requires logs whose integrity can be relied on during a forensic investigation conducted under time pressure. An entity that cannot prove which logs are original because logs were stored on the same compromised systems and lack cryptographic integrity protection is failing both Article 21(2) and the implementing regulation.

FINMA (Switzerland). Circular 2023/1 on operational risks and resilience, in force from 1 January 2024, requires comprehensive and reliable logging of critical systems and ICT processes. The cyber risk sections (margin nos. 132 onward) state that logs must be protected against unauthorised changes and stored in a way that ensures their availability and integrity over the legally required retention period. The Swiss banking statutory retention period for business records, including the audit logs that evidence them, is ten years. A ten-year retention requirement effectively forces write-once-read-many storage combined with cryptographic anchoring, because no realistic role-based access control alone covers a decade through staff turnover, infrastructure migrations, and vendor changes.

ADHICS V2 (United Arab Emirates). The Abu Dhabi Department of Health standard establishes audit logging requirements within its monitoring control family. Audit logs of access to protected health information must include user ID, timestamp, and action; centralised log management is required; the SIEM integration mandate is tiered with Tier 1 entities required and Tiers 2 and 3 phased. The standard explicitly requires protection of audit logs from "unauthorised access, modification, or destruction" for the full retention period (six years minimum for health records under UAE Federal Law No. 2 of 2019 on the Use of ICT in Healthcare). Time synchronisation across systems is mandatory. DoH inspection findings in 2025 have flagged hospitals where SIEM is in place but raw event logs on EHR application servers remain writable by application admins; the chain from event generation to SIEM is the integrity boundary, not the SIEM itself.

SAMA Cyber Security Framework (Saudi Arabia). Domain 3.3.14 Cyber Security Event Management requires that events be recorded, logged, and monitored to detect cyber security incidents in a timely manner. Sub-control 3.3.14.1 specifically requires cyber security event logs to be defined, generated, retained, protected from unauthorised changes, and reviewed regularly. 3.3.14.2 mandates a SIEM solution. The Saudi banking ten-year retention requirement applies to the relevant business records. The 2022 SAMA Cyber Resilience Framework, applicable to systemically important institutions, adds requirements on forensic readiness and immutable evidence preservation. The structural finding pattern is the same as elsewhere: a bank whose SIEM ingests logs but cannot prove the logs ingested are the same as those generated, because no hash or chain-of-custody control is in place at the ingestion boundary, is failing the integrity requirement.

Nine frameworks, six jurisdictions. The expectation has converged: log integrity is no longer "consider this", it is "evidence this", and the evidence increasingly has to be cryptographic.

The cryptographic primitives that make tamper-evidence possible

A short primer on what the architectural literature actually means by tamper-evident audit, because the term is overused and the difference between resistance and evidence matters.

Tamper-resistant means modification is hard. A file on a server with strict permissions is tamper-resistant up to the point an attacker obtains those permissions. Storage with write-once-read-many semantics (S3 Object Lock in Compliance Mode, where even the root account cannot delete or modify before retention expires; Azure Immutable Blob Storage; Google Cloud Storage Bucket Lock; on-premises WORM appliances) is tamper-resistant at the storage layer. WORM storage is accepted as compliant media under SEC Rule 17a-4(f), FINRA, FedRAMP, HIPAA, and PCI DSS guidance; AWS publishes a Cohasset Associates attestation for S3 Object Lock specifically.

Tamper-evident means modification is detectable. The most widely deployed pattern is the hash chain: each log entry contains the cryptographic hash of the previous entry, so any modification to an earlier entry invalidates the hash of every subsequent entry. SHA-256 is the dominant primitive in production systems because of FIPS 140-3 validation availability. Verification re-derives the chain from the anchor and confirms each entry's hash matches the next. The whole window is verified together; tampering anywhere in the chain shows up the moment the verifier walks it.

Merkle trees generalise the hash chain to allow O(log n) inclusion proofs. Given a signed root, a verifier can confirm a single entry's presence with log-depth hashes, which is what makes Certificate Transparency, Sigstore Rekor, and most public transparency logs use Merkle trees rather than flat chains. The architectural pattern in modern audit systems combines them: a hash chain at the leaf level provides strict-order forensics, periodically rolled up into a Merkle tree whose root is signed and externally anchored.

Signed log roots add accountability. The chain head, or the Merkle root over a window of entries, is signed with a private key (HSM-backed in regulated contexts: FIPS 140-3 Level 3, or a cloud KMS with HSM backing). The signed root becomes the integrity anchor for that window. The signer attests, at signing time, that the chain matched what they computed.

External anchoring removes single-actor trust. Even a signed hash chain can be rewritten by an attacker who compromises both the log and the signing key. External anchoring publishes the signed root somewhere outside the system's control: an RFC 3161 timestamping authority (used heavily in eIDAS qualified electronic timestamp contexts), a public transparency log (Sigstore Rekor, RFC 9162 Certificate Transparency v2, witness gossip systems), or a public blockchain via OpenTimestamps or similar batching service. After external anchoring, an attacker would need to compromise the external system as well, which materially raises the cost.

The architectural baseline emerging in 2025 and 2026 framework guidance and vendor reference designs combines all four. Hash-chained leaves on the producing host, rolled into a signed Merkle root on a fixed cadence, externally anchored, stored on WORM media with retention matching the strictest applicable framework. Verification tooling is published and exercisable so an auditor can re-derive the chain, validate signatures, and confirm external anchoring without depending on the producer's cooperation.

The failure modes regulators are now finding

The 2024 and 2025 audit cycles produced a recurring set of integrity-failure patterns that map directly onto the framework requirements above.

The most common is unrestricted write access from operational roles. The engineers who deploy the application, or the database administrators who maintain the database, have the same credentials that would let them edit the audit table or the log file. The framework requirement (PCI 10.3.2, ISO A.8.15, AU-9, FINMA Circular 2023/1) is that logs are protected from modification by individuals; the architecture as built is that logs are protected from modification by everyone except the people with the highest level of access. Auditors stopped accepting the latter as the former around the time the framework language tightened.

The second is the chain-of-custody gap at log ingestion. Logs are produced on application servers, shipped to a centralised collector or SIEM, and stored. If the integrity guarantee starts only at the SIEM, an attacker who tampered with the log on the producing host before shipment has succeeded silently. ADHICS V2 inspections explicitly flag this pattern; ENISA's NIS2 guidance addresses it by requiring logs be stored separately from the systems generating them. The architectural fix is to compute the hash on the producing host (or in a sidecar) and verify the chain at the collector, so the integrity boundary extends back to the event source.

The third is reliance on storage-layer WORM without data-layer integrity. WORM storage prevents modification once data is written, but it does not prevent the wrong data from being written. An attacker who compromised the application could write fabricated entries into the WORM-backed log, and the WORM property would faithfully preserve them. The combination required by modern framework guidance, and increasingly tested by regulators, is WORM at the storage layer plus hash chaining plus signed roots at the data layer. Storage WORM gives tamper-resistance; data-layer cryptography gives tamper-evidence; together they cover what either alone misses.

The fourth is missing or weak time synchronisation. Every framework reviewed above names synchronised time as a requirement. An auditor reconciling an incident timeline across application logs, network logs, identity logs, and SIEM logs needs the timestamps to be derived from a common authoritative source. The structural finding when this is missing is that the timeline cannot be reconstructed, which makes the entire audit trail less reliable regardless of how strong its integrity guarantees are.

The questions that distinguish tamper-evident from tamper-claimed

A short, uncomfortable checklist for any team looking at their current logging or evaluating a new platform.

  1. Can the platform demonstrate that a privileged operator cannot modify the audit log without leaving cryptographic evidence? Not "we have RBAC". Not "logs are read-only for most users". A specific demonstration: show the log, show what a modification attempt would do, show the verification tooling that would detect it. If the answer requires trusting that the right people will not abuse their access, the platform is tamper-claimed, not tamper-evident.
  2. Where does the integrity guarantee begin? At the application, the collector, or the storage tier? If it begins at the SIEM, the producing host is the weak link. The integrity boundary should extend back to the event source.
  3. Is the chain externally anchored, or only signed? A signed hash chain with an internal key is verifiable but rewritable by anyone who compromises the key. External anchoring (RFC 3161 TSA, transparency log, blockchain) removes the single-actor trust.
  4. Can the auditor re-verify the chain without the vendor's cooperation? Published verification tooling, exportable signed roots, and documented anchoring make this exercisable. A platform that promises tamper-evidence but provides no verification mechanism is making a claim, not a demonstration.
  5. Does the WORM retention match the strictest applicable framework? FINMA and SAMA banking records: ten years. HIPAA (under the strengthened rule): six years. ADHICS health records: six years. PCI DSS: twelve months with three immediately available. If the storage tier ages out evidence before the framework's retention requirement, the integrity at year one does not help at year five.

A platform that answers each with an artefact rather than a paragraph is producing tamper-evident audit. A platform that "uses immutable storage" without exposing the cryptographic chain is using a marketing word for an architectural property that is not quite what regulators are now asking for.

The architectural answer

The audit-log architecture that survives 2026 framework scrutiny is no longer just "log to a centralised store with strict access controls". It is a layered structure where the integrity guarantee starts at the event source, is verifiable independently of the system that produced it, and is preserved on storage that matches the strictest retention requirement the institution is subject to. This is the architecture behind Novantra's audit stream.

Hash chaining on the producing host (or in a sidecar) gives ordered, tamper-evident events from the moment they are written. Shipping over mutually authenticated TLS to a collector that cannot be reached by the producer's local credentials preserves the chain at the integrity boundary. Periodic rollup into a Merkle tree, signed with an HSM-resident key, gives accountable attestation that the collector saw what it claims. External anchoring of the signed root (RFC 3161 timestamping for European long-term archive use cases, Sigstore Rekor or similar transparency log for software supply chain contexts, witness gossip for newer designs, blockchain anchoring where the operational overhead is acceptable) removes the dependence on the signer's continued integrity. WORM storage (S3 Object Lock Compliance Mode, Azure Immutable Blob Storage, equivalent on-prem WORM) underneath all of it preserves what was written for the retention horizon the framework requires. Novantra's Sovereign deployment lets the whole chain run inside the customer's own infrastructure when residency or jurisdiction demands it.

Verification tooling is the part most often missing. A tamper-evident architecture is only useful to an auditor if the auditor can run the verification independently. A platform that publishes its chain format, its signing key history, its anchoring records, and a command-line tool to re-derive and check the chain end-to-end has moved the integrity question from claim to demonstration. The companion article on audit-grade evidence as a continuous output covers why evidence has to be continuously produced; this is the integrity layer that makes the continuous evidence trustworthy when the auditor reads it.

None of this is a feature. Each layer is an architectural answer to a question every major framework is now asking out loud: when the auditor reads the log, how do they know the log is what it was when it was written. A platform that started with append-only events, hash chaining, signed roots, external anchoring, and WORM storage has the structural answer in place. A platform that started with a log table and a deletion policy cannot retrofit any of this without rebuilding the audit layer from scratch. The frameworks have moved. The architecture has to follow.