AuditFront

ISO 27001 A.5.28: Collection of evidence

What This Control Requires

The organization shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.

In Plain Language

If you ever need to take an insider threat to court or demonstrate to a regulator exactly what happened during a breach, the quality of your evidence will make or break the case. Poorly collected evidence gets thrown out.

This control is about having defined procedures for handling both digital and physical evidence during security incidents. The key principle is forensic integrity - you need to collect evidence in a way that does not alter the original data, maintain a documented chain of custody, and store it securely against tampering.

The scope covers all evidence types: log files, disk images, network captures, memory dumps, physical documents, hardware, access records, emails, and screenshots. Your procedures also need to account for jurisdictional differences in evidence handling requirements if you operate across multiple locations.

How to Implement

Write evidence handling procedures covering the full lifecycle: identification, collection, preservation, analysis, presentation, and disposal. Align them with legal requirements in every jurisdiction you operate in.

For identification, define what evidence to collect for different incident types. Create checklists for common scenarios. Train responders to recognise and protect potential evidence sources from the moment they arrive at the scene.

For digital evidence collection, follow forensically sound methods. Image storage media rather than examining originals. Use write-blockers when imaging drives. Capture volatile evidence (memory, running processes, network connections) before powering anything down. Verify images with cryptographic hashes. Document everything: tools used, hash values, timestamps. Keep a validated forensic toolkit ready to go.

Implement chain of custody for all evidence. Use forms that record: what the evidence is, who collected it, when and where, how it has been stored, and every person who has handled it. Store evidence in a secure location with access controls and logging.

Protect log data that could serve as evidence. Centralise logging with tamper-evident controls. Set retention periods that meet both operational and legal needs. Use NTP for time synchronisation across all systems so timestamps are reliable. Protect log integrity through read-only storage, digital signing, or write-once media.
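The hashing, documentation and chain-of-custody practices described above can be combined into one tamper-evident record. The Python script below is an added example, not code from the AuditFront page or from any product: it hashes an evidence item at collection, links each custody event to the previous one by hash, and lets a later verifier detect an altered entry, a broken link, or evidence bytes that no longer match. The evidence bytes, responder names, evidence ID and timestamps are constructed for the demonstration.

```python
import hashlib
import json

# Constructed sample evidence: a short log export standing in for a disk image or capture.
EVIDENCE_BYTES = b"2024-01-02T08:59:10Z web-01 sshd: Accepted publickey for svc from 10.0.0.5\n"
GENESIS = "0" * 64  # prev_hash recorded for the first entry in a ledger

def sha256_hex(data: bytes) -> str:
    """Hash evidence at collection time; re-hashing later proves it was not altered."""
    return hashlib.sha256(data).hexdigest()

def entry_hash(entry: dict) -> str:
    """Hash the entry's fields in canonical JSON so every verifier computes the same value."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_entry(ledger: list, actor: str, action: str, evidence_id: str,
                 evidence_sha256: str, timestamp: str) -> dict:
    """Record one custody event (UTC timestamp), linked to the previous entry so edits break the chain."""
    prev = ledger[-1]["entry_hash"] if ledger else GENESIS
    entry = {"seq": len(ledger), "timestamp": timestamp, "actor": actor, "action": action,
             "evidence_id": evidence_id, "evidence_sha256": evidence_sha256, "prev_hash": prev}
    entry["entry_hash"] = entry_hash(entry)
    ledger.append(entry)
    return entry

def verify_ledger(ledger: list, evidence: dict) -> list:
    """Return problems found: broken links, altered entries, or evidence whose hash changed."""
    problems, prev = [], GENESIS
    for i, e in enumerate(ledger):
        if e["seq"] != i or e["prev_hash"] != prev:
            problems.append(f"entry {i}: chain link broken")
        if entry_hash(e) != e["entry_hash"]:
            problems.append(f"entry {i}: entry contents altered")
        data = evidence.get(e["evidence_id"])  # evidence not supplied is skipped, not flagged
        if data is not None and sha256_hex(data) != e["evidence_sha256"]:
            problems.append(f"entry {i}: evidence {e['evidence_id']} hash mismatch")
        prev = e["entry_hash"]
    return problems

def build_demo_ledger() -> list:
    """Walk one item through collection, handover and storage (constructed names and times)."""
    h, ledger = sha256_hex(EVIDENCE_BYTES), []
    append_entry(ledger, "a.ndiaye (responder)", "collected from web-01", "EV-0001", h, "2024-01-02T09:15:00Z")
    append_entry(ledger, "a.ndiaye (responder)", "handed to custodian", "EV-0001", h, "2024-01-02T11:40:00Z")
    append_entry(ledger, "b.kowalski (custodian)", "stored in locker 3", "EV-0001", h, "2024-01-02T11:45:00Z")
    return ledger
```

In practice the ledger would be written to append-only or write-once storage and the final entry hash signed or printed on the custody form, so the record itself cannot be silently rewritten.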

Line up external forensic specialists in advance for major incidents. Define when to bring them in - typically when there is potential criminal activity or a large-scale data breach. Make sure your internal procedures do not conflict with what external specialists or law enforcement will need.

Evidence Your Auditor Will Request

  • Documented evidence handling procedures covering identification, collection, and preservation
  • Chain of custody forms and completed examples from recent incidents
  • Forensic toolkit documentation and tool validation records
  • Centralised logging configuration with integrity and retention controls
  • Training records for personnel involved in evidence collection

Common Mistakes

  • No documented evidence handling procedures exist
  • Evidence is collected without maintaining chain of custody documentation
  • Digital evidence is collected in a forensically unsound manner, altering original data
  • Log data needed as evidence has been overwritten due to insufficient retention
  • Personnel are not trained in proper evidence collection techniques

Related Controls Across Frameworks

Framework   Control ID   Relationship
SOC 2       CC7.3        Partial overlap
SOC 2       CC7.4        Partial overlap
GDPR        Art.33       Partial overlap

Frequently Asked Questions

What is chain of custody and why is it important?

It is a documented record tracking every person who has handled a piece of evidence from the moment it was collected. It records who picked it up, when, where it was stored, and every handoff between people. Without it, evidence can be challenged as potentially tampered with or contaminated, which may make it inadmissible in court or disciplinary proceedings. It sounds bureaucratic, but when you actually need the evidence to hold up, you will be glad you followed the process.

Do we need a dedicated forensic lab?

Probably not. Most organisations can get by with a forensic toolkit - validated imaging software, write-blockers, secure evidence storage - without a dedicated facility. For complex investigations, bring in external forensic specialists. What matters is having documented procedures, people trained to follow them, and the right tools on hand. Only organisations that regularly deal with complex forensic work (large financial institutions, government agencies) typically need a full lab.
