IEC 10164-8-95 (2003): Technical Guide to the Security Audit Trail Function in OSI Systems Management

Scope, requirements, and compliance aspects of the OSI audit trail standard for secure network management

Scope and Objectives of IEC 10164-8-95

IEC 10164-8-95 (2003) is the third edition of the standard formally titled Information technology – Open Systems Interconnection – Systems Management: Security Audit Trail Function. Developed jointly by ISO and IEC under JTC 1, it specifies the security audit trail management function that enables the collection, storage, and retrieval of security-related events within an OSI management environment. The standard defines a model, service, functional units, and protocol for the creation, suspension, resumption, and deletion of audit trails, as well as the generation and transfer of audit records.

The primary objective is to provide a standardized mechanism for detecting and analyzing security-relevant incidents across interconnected open systems. By defining a common management information service (CMIS)-based interface and managed object definitions, the standard ensures interoperability between audit trail implementations from different vendors. The standard applies to any OSI management domain that requires logging of security events such as authentication failures, unauthorized access attempts, configuration changes, and system integrity violations.

Scope tip: IEC 10164-8-95 builds upon the OSI management framework and complements other parts of the ISO/IEC 10164 series, particularly ISO/IEC 10164-7 (Security Alarm Reporting Function) and ISO/IEC 10164-9 (Objects and Attributes for Access Control).

Technical Requirements and Core Components

Audit Trail Model

The standard defines an audit trail as a sequence of audit records that are generated in chronological order by one or more managed objects. Each audit record encapsulates information about a security-relevant event. The model includes two primary managed object classes:

  • auditTrail – represents the logical collection of audit records and provides operations such as create, delete, suspend, and resume.
  • auditRecord – represents a single logged event and contains attributes such as event type, event outcome, event time, source, target, and additional information.

Services and Functional Units

IEC 10164-8-95 defines nine services grouped into functional units:

Service                 | Description                                       | Functional Unit
------------------------|---------------------------------------------------|-----------------------
AUDIT-TRAIL-GET         | Retrieve current audit trail attributes           | Audit Trail
AUDIT-TRAIL-CREATE      | Instantiate a new audit trail                     | Audit Trail Management
AUDIT-TRAIL-DELETE      | Remove an existing audit trail                    | Audit Trail Management
AUDIT-TRAIL-SUSPEND     | Pause logging to an audit trail                   | Audit Trail Management
AUDIT-TRAIL-RESUME      | Re-enable logging after suspension                | Audit Trail Management
SECURITY-EVENT-REPORT   | Report a security-relevant event                  | Security Audit
AUDIT-RECORD-DISCARD    | Discard aged or unneeded records                  | Audit Trail Management
AUDIT-TRAIL-SET         | Modify audit trail attributes (e.g., size limit)  | Audit Trail Management
DISCRIMINATOR-OPERATION | Filter events based on configurable criteria      | Security Audit

Audit Record Structure

Every audit record within IEC 10164-8-95 is built from the following fields; the Mandatory column indicates which of them must be present in every record:

Attribute        | Type              | Mandatory   | Description
-----------------|-------------------|-------------|--------------------------------------------------------------------------
eventType        | OBJECT IDENTIFIER | Yes         | Identifies the kind of event (e.g., illegalAccess, authenticationFailure)
eventOutcome     | ENUMERATED        | Yes         | Success, failure, or unknown outcome of the event
eventTime        | GeneralizedTime   | Yes         | Timestamp of event occurrence (synchronized to UTC)
sourceIdentifier | GraphicString     | Yes         | Identity of the entity that caused the event
targetIdentifier | GraphicString     | Conditional | Identity of the managed object targeted by the event
additionalInfo   | SET OF Attribute  | No          | Extended details specific to the event type

Implementation caution: Clocks in distributed OSI systems must be synchronized using protocols such as NTP or the OSI Time Management standard (ISO/IEC 10164-16). Inconsistent timestamps cause misordering and hinder forensic analysis.

Implementation and Deployment Considerations

Deploying IEC 10164-8-95 within a real network requires integrating the audit trail function with a systems management infrastructure that carries CMIP (Common Management Information Protocol) over the OSI stack or over TCP/IP. The standard specifies ASN.1 definitions for the managed object classes and protocol data units, ensuring platform-independent interoperability.

Discriminator-Based Filtering

One of the most powerful features is the use of discriminators to filter which events are recorded. System administrators can define filter rules based on event type, source, time of day, or severity. This prevents audit trails from being flooded with trivial events while ensuring that critical security incidents are captured. The standard mandates that at least one audit trail discriminator be present to select events for logging.
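As an added illustration (not code from the standard, which defines these objects in ASN.1 and exchanges them over CMIP), the following Python models an audit record with the mandatory-field and UTC checks from the record table above, a discriminator that gates which reported events are appended to the trail, and an ordering check that surfaces the clock-skew symptom named in the implementation caution. Field names follow the page's table; the filter rule syntax, the event names used as stand-ins for OBJECT IDENTIFIER values, and the sample events are constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

OUTCOMES = ("success", "failure", "unknown")   # eventOutcome ENUMERATED values

@dataclass(frozen=True)
class AuditRecord:
    """One logged event; field names follow the page's audit record table (simplified)."""
    eventType: str                              # event name stands in for the OBJECT IDENTIFIER
    eventOutcome: str                           # success | failure | unknown
    eventTime: datetime                         # GeneralizedTime; must carry an explicit UTC offset
    sourceIdentifier: str
    targetIdentifier: "str | None" = None       # conditional field
    additionalInfo: dict = field(default_factory=dict)

    def __post_init__(self):                    # reject records that violate the mandatory fields
        if self.eventOutcome not in OUTCOMES:
            raise ValueError(f"bad eventOutcome {self.eventOutcome!r}")
        if self.eventTime.utcoffset() != timedelta(0):   # naive or non-UTC timestamp
            raise ValueError("eventTime must be an explicit UTC timestamp")

class Discriminator:
    """Constructed filter rule: a record is selected if its type and outcome are allowed."""
    def __init__(self, event_types=None, outcomes=None):   # None means no constraint
        self.event_types, self.outcomes = event_types, outcomes
    def matches(self, rec):
        return ((self.event_types is None or rec.eventType in self.event_types)
                and (self.outcomes is None or rec.eventOutcome in self.outcomes))

class AuditTrail:
    """auditTrail object: records are appended only when the discriminator selects them."""
    def __init__(self, discriminator):
        self.discriminator, self.records = discriminator, []
    def report(self, rec):
        """SECURITY-EVENT-REPORT handling: returns True if the record was logged."""
        selected = self.discriminator.matches(rec)
        if selected:
            self.records.append(rec)
        return selected
    def misordered(self):
        """Indices whose eventTime precedes the previous record: the clock-skew symptom."""
        return [i for i in range(1, len(self.records))
                if self.records[i].eventTime < self.records[i - 1].eventTime]

def demo():
    """Constructed sample: two failures and a benign read; the last source's clock runs slow."""
    t0 = datetime(2003, 5, 1, 9, 0, tzinfo=timezone.utc)
    trail = AuditTrail(Discriminator(event_types={"authenticationFailure", "illegalAccess"}))
    events = [("authenticationFailure", "failure", t0, "operator-7"),
              ("readAttribute", "success", t0 + timedelta(seconds=5), "operator-7"),
              ("illegalAccess", "failure", t0 - timedelta(seconds=30), "agent-b")]
    logged = [trail.report(AuditRecord(*e)) for e in events]
    return logged, trail.misordered()     # ([True, False, True], [1])
```

The benign read is dropped by the discriminator, and the skewed third event is stored but flagged, which is the gap-free-but-misordered trail the caution warns about.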

Interoperability with Other Standards

The audit trail function is designed to work with the security alarm reporting function (ISO/IEC 10164-7) and the access control management function (ISO/IEC 10164-9). For example, an alarm can trigger the automatic creation of a focused audit trail for deeper investigation. IEC 10164-8-95 also aligns with the ITU-T X.740 series, ensuring consistency with the X.700 management framework.

Success pattern: When combined with ISO/IEC 15408 (Common Criteria) evaluation, an implementation of IEC 10164-8-95 can achieve an EAL4 rating for the audit component by satisfying the FAU_GEN and FAU_STG families.

Compliance and Certification Notes

Claiming compliance with IEC 10164-8-95 requires that a systems management implementation satisfies the mandatory and conditional requirements defined in the conformance clauses of the standard. The following table summarizes the requirement categories:

Requirement Level              | Description                                                                | Example
-------------------------------|----------------------------------------------------------------------------|-------------------------------------------------------------------------------
Mandatory                      | Must be supported for conformance                                          | Support for AUDIT-TRAIL-CREATE and SECURITY-EVENT-REPORT services
Optional                       | May be supported; if claimed, must conform to the specification            | Support for AUDIT-TRAIL-SET
Conditional                    | Required only if certain conditions are met                                | Support for AUDIT-RECORD-DISCARD when dynamic storage management is implemented
Mandatory for certain profiles | Required only when the implementation profile includes the functional unit | Security Audit functional unit requires SECURITY-EVENT-REPORT

Non-compliance risk: Skipping the mandatory audit trail management services (e.g., AUDIT-TRAIL-SUSPEND) can lead to audit record gaps that make the system vulnerable to undetected intrusions. Regulators often require full support for suspend/resume in certified environments.

Implementation Conformance Statement (ICS)

Suppliers should provide an Implementation Conformance Statement (ICS) that lists which functional units, services, and managed object classes are supported. This document is essential for interoperability testing and certification under programs like ISO/IEC 9646 conformance testing. The ICS also specifies which optional features are included and any limitations (e.g., maximum audit trail size).

Testing and Certification

Conformance testing can be performed using role-based test harnesses that simulate a managing system and a managed agent. The test suite validates the correct exchange of CMIP requests and responses for each service defined in IEC 10164-8-95. Interoperability events, such as those organized by the OSIone consortium, provide practical verification that multiple vendors' implementations can exchange audit trail data correctly.

Q: How does IEC 10164-8-95 differ from the earlier 1995 edition?

A: The 2003 edition clarifies the use of discriminators, adds the ability to include additional information in audit records, and aligns its ASN.1 definitions with the revised OSI management standards (e.g., ISO/IEC 10165-1). It also deprecates the use of implicit context names in favor of explicit identifiers for better traceability.

Q: Can IEC 10164-8-95 be used with SNMP-based network management?

A: The standard is designed specifically for the OSI systems management framework (CMIP/CMIS). A mapping to SNMP via SMI and MIBs is possible but is not standardized in this document. Some proprietary gateways translate audit records from CMIP to SNMP traps, but such translations are outside the scope of IEC 10164-8-95.

Q: Is compliance with IEC 10164-8-95 mandatory for OSI systems?

A: The standard itself does not require adoption. However, if an organization or procurement specification calls for "security audit support" in an OSI management environment, compliance with ISO/IEC 10164-8 (which is technically identical to this standard) is typically required. Sectors such as telecommunications (ITU-T) and defense often mandate its use in system management profiles.

Q: What are typical real-world applications?

A: IEC 10164-8-95 is used in carrier-grade network management systems, secure government networks, and SCADA/energy sector management systems that rely on the OSI stack. It enables centralized audit logging that can feed into Security Information and Event Management (SIEM) platforms after protocol translation, supporting compliance with control catalogs such as NIST SP 800-53.

The standard reflects the maturity of the OSI management framework, providing a robust, extensible, and interoperable mechanism for security auditing. Although the industry has largely moved toward IP-based management protocols, many legacy and high-security environments still rely on IEC 10164-8-95 for its well-defined audit data model and strong conformance requirements. System architects should evaluate the audit trail function as part of a layered security management strategy, especially where standards compliance is mandated by contract or regulation.
