According to A.1.3, which statement about logging is correct?

• A. Logs are active by default
• B. Logs are optional and can be turned off
• C. Logs locations are not communicated
• D. Logs are never available for review by the owning entity

Answer: (A)

Logging must be enabled by default to ensure continuous visibility into system activity. When logging is on by default, every action from startup is recorded, which is essential for detecting unauthorized access, reconstructing events during an investigation, and meeting PCI DSS expectations for traceability and monitoring. Allowing logging to be optional or turnable off would create blind spots, making it harder to detect incidents or prove compliance. Claims that log locations aren’t communicated or that logs are never available for review conflict with the need for centralized, accessible, and reviewable logs by the owning entity. For these reasons, the statement that logs are active by default best reflects the requirement.