diff --git a/source/standards/logging.html.md.erb b/source/standards/logging.html.md.erb
index 2900c4ce..4a8670d9 100644
--- a/source/standards/logging.html.md.erb
+++ b/source/standards/logging.html.md.erb
@@ -14,6 +14,10 @@ Use [Splunk] to store and query infrastructure, application and audit logs.
Splunk is a cloud-based SaaS tool for short and long-term storage,
visualisation, alerting, and reporting.
+Your product should have a proportionate design for short and long term storage of logs and ensuring the Confidentiality, Integrity, and Availability of logs.
+
+The NCSC Cyber Assessment Framework, which GDS must comply with, has an entire category dedicated to [Security Monitoring].
+
### Logit deprecation notice
The shared GDS [Logit] account can still be used for existing environments;
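Review bot: The first added sentence mixes two constructions ("a proportionate design for ... storage of logs and ensuring the ...") and writes "short and long term" without the hyphen that the context line above uses in "short and long-term storage". Consider something like "Your product should have a proportionate design for short and long-term storage of logs, and for ensuring their confidentiality, integrity and availability", with the three terms in lower case unless the capitals are house style. The CAF sentence states that GDS must comply but does not say what a reader should do with that; a short clause pointing them to the relevant outcomes would make it actionable.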
@@ -34,8 +38,8 @@ queryable store. Practical retention periods for short-term queryable logs are:
* no more than 30 days production environments
You should consider storing security and audit events for up to a year, this is
-because the average MTTD (Mean Time to Detect) is 206 days (over 6 months) to
-identify a breach, according to a [2019 IBM data breach study].
+because the average MTTD (Mean Time to Detect) is 204 days (over 6 months) to
+identify a breach, according to a [2023 IBM data breach study].
Your product may have legal or other requirements determining how long you
should store logs. For example, the
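Review bot: The updated sentence still reads "the average MTTD (Mean Time to Detect) is 204 days (over 6 months) to identify a breach", which doubles up "average" with "Mean" and "to Detect" with "to identify a breach". Since this line is being touched anyway, consider "because the MTTD (Mean Time to Detect) for a breach is 204 days (over 6 months), according to ...", and split the comma splice at "for up to a year, this is" into two sentences. It is also worth confirming the 204-day figure against the 2023 report before merge, because the new reference link does not let a reader check it directly.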
@@ -128,7 +132,7 @@ drain logs into it from your app.
[archive data to your own S3 bucket]: https://docs.splunk.com/Documentation/SplunkCloud/latest/Admin/DataSelfStorage?ref=hk#Configure_self_storage_locations
[Splunk CIM (Common Information Model)]: https://docs.splunk.com/Documentation/CIM/latest/User/Overview
[`Web` CIM]: https://docs.splunk.com/Documentation/CIM/latest/User/Web
-[2019 IBM data breach study]: https://newsroom.ibm.com/2019-07-23-IBM-Study-Shows-Data-Breach-Costs-on-the-Rise-Financial-Impact-Felt-for-Years
+[2023 IBM data breach study]: https://www.ibm.com/account/reg/us-en/signup?formid=urx-52258
[specific field extracts]: https://docs.splunk.com/Documentation/Splunk/latest/Data/Extractfieldsfromfileswithstructureddata
[broker documentation]: https://github.com/alphagov/tech-ops/blob/master/cyber-security/components/csls-splunk-broker/docs/user-guide.md
[Centralised Security Logging Service (CSLS)]: https://github.com/alphagov/centralised-security-logging-service
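Review bot: The replacement target for [2023 IBM data breach study] is a registration form (the path is /account/reg/us-en/signup with a formid parameter), whereas the removed 2019 link went to a publicly readable newsroom article. A reader following the citation cannot verify the MTTD figure without creating an account. Please link to a public page for the 2023 study instead, or cite a public summary and mention that the full report requires sign-up.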
@@ -144,3 +148,5 @@ drain logs into it from your app.
[Fluentd to HEC]: https://github.com/splunk/fluent-plugin-splunk-hec
[personally identifiable information (PII)]: https://en.wikipedia.org/wiki/Personal_data
[such as in Ruby on Rails]: https://guides.rubyonrails.org/action_controller_overview.html#log-filtering
+[Security Monitoring]: https://www.ncsc.gov.uk/collection/caf/cyber-assessment-framework/caf-objective-c-detecting-cyber-security-events
+
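Review bot: The label [Security Monitoring] points at a URL whose slug is "caf-objective-c-detecting-cyber-security-events", while the body text calls it "an entire category dedicated to Security Monitoring". Please check the label and the word "category" against the naming used on the target page so the reference matches what readers land on. The hunk also adds a blank line at the end of the file after the link definition, which can be dropped.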