
ISO 27001:2022 A.5.28 Collection of evidence

This article provides additional information on how you can meet the requirement of ISO 27001:2022 control A.5.28, Collection of evidence.

ISO 27001:2022 Control Description

The organisation shall establish and implement procedures for the identification, collection, acquisition, and preservation of evidence related to information security events.

Purpose

To ensure consistent and effective management of evidence related to information security incidents for disciplinary and legal actions.

Guidance on implementation

Internal procedures should be developed and adhered to when handling evidence related to information security events for disciplinary and legal purposes. The requirements of different jurisdictions should be considered to maximise the chances of evidence being admissible across the relevant jurisdictions.

In general, these procedures for managing evidence should provide instructions for the identification, collection, acquisition, and preservation of evidence in accordance with different types of storage media, devices, and the status of devices (i.e. powered on or off).

Evidence typically needs to be collected in a manner that is admissible in the appropriate national courts of law or another disciplinary forum. It should be possible to demonstrate that:

a) records are complete and have not been tampered with in any way;

b) copies of electronic evidence are demonstrably identical to the originals;

c) any information system from which evidence has been gathered was operating correctly at the time the evidence was recorded.
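The three points above are usually demonstrated with cryptographic hashes and a tamper-evident chain-of-custody record: the acquired copy is hashed and compared with the original (point b), and every handling step is logged in a way that an altered or deleted entry would be detectable (point a). The script below is an added illustration written for this article; it is not text from the standard and not code from any particular tool. It assumes a file-based evidence item, uses SHA-256, and works on a constructed sample file in a temporary directory; the evidence identifier, analyst name and file name are invented placeholders.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large acquisitions need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_copy(source, dest):
    """Copy source to dest and return (source_hash, copy_hash, identical).

    Both hashes are recorded so the copy can be shown to be identical to the
    original at acquisition time, and re-verified against the same value later.
    """
    shutil.copyfile(source, dest)
    src_hash = sha256_file(source)
    copy_hash = sha256_file(dest)
    return src_hash, copy_hash, src_hash == copy_hash


class CustodyLog:
    """Append-only chain-of-custody log.

    Each entry carries the hash of the previous entry, so editing, reordering
    or deleting an earlier entry breaks verification of every later one.
    """

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _hash_entry(entry):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, action, actor, evidence_id, evidence_hash, note=""):
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries),
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "actor": actor,
            "evidence_id": evidence_id,
            "evidence_hash": evidence_hash,
            "note": note,
            "prev_entry_hash": prev,
        }
        entry["entry_hash"] = self._hash_entry(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self):
        """Return True only if every entry is intact and correctly linked."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_entry_hash"] != prev:
                return False
            if self._hash_entry(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def demo():
    """Run identification, acquisition and preservation checks on a constructed sample."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        original = os.path.join(work, "mailbox-export.bin")  # constructed sample, not real evidence
        with open(original, "wb") as f:
            f.write(os.urandom(4096))
        copy = os.path.join(work, "mailbox-export.bin.copy")

        src_hash, copy_hash, identical = acquire_copy(original, copy)
        results["copy_identical"] = identical

        log = CustodyLog()  # "EV-0001" and "analyst-1" are placeholder values
        log.record("identified", "analyst-1", "EV-0001", src_hash, "sample file located")
        log.record("acquired", "analyst-1", "EV-0001", copy_hash, "bit-for-bit copy taken")
        results["log_valid_before"] = log.verify()

        # Later re-verification of the preserved copy against the recorded hash.
        results["copy_verifies_later"] = sha256_file(copy) == copy_hash

        # Simulated accidental modification of the copy: the hash check now fails.
        with open(copy, "ab") as f:
            f.write(b"\x00")
        results["copy_identical_after_tamper"] = sha256_file(copy) == copy_hash

        # Simulated edit of an earlier log entry: the chain no longer verifies.
        log.entries[0]["actor"] = "someone-else"
        results["log_valid_after_tamper"] = log.verify()
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Point c) is not something code can prove after the fact; it is covered by keeping the acquisition tool's version, its own validation output and the collecting system's logs alongside the custody record, which is why the log entry above has a free-text note field for exactly that information.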

Where available, certification or other relevant qualifications for personnel and tools should be sought to enhance the credibility of the preserved evidence.

Digital evidence can cross organisational or jurisdictional boundaries. In such cases, it should be ensured that the organisation is legally entitled to collect the required information as digital evidence.

When an information security event is first detected, it is not always immediately apparent whether or not it will result in legal action. Therefore, there is a risk that necessary evidence may be destroyed, either intentionally or accidentally, before the seriousness of the incident is realised. It is advisable to involve legal counsel or law enforcement early in any potential legal action and seek advice on the evidence required.