ISO 27001 Control 5.28: Collection of Evidence

A guide on how to meet the requirements of ISO 27001 Control 5.28: Collection of Evidence

Establishing Procedures for Evidence Collection in Information Security

Organisations face increasing risks from information security events. To ensure that such incidents are managed effectively, it is crucial to have robust procedures in place for identifying, collecting, acquiring, and preserving evidence, which is where ISO 27001 control 5.28 comes in. These measures are essential for maintaining integrity and supporting disciplinary or legal actions when required.

The article below outlines the requirements to meet ISO 27001 control 5.28 “Collection of Evidence”.

Purpose of Evidence Collection Procedures

The primary goal of implementing evidence collection procedures is to:

  • Provide a consistent framework for managing evidence related to information security incidents.
  • Ensure evidence is admissible in disciplinary or legal actions across relevant jurisdictions.
  • Support investigations and post-incident analysis to identify vulnerabilities and improve security controls.

Key Requirements for Evidence Management

To handle evidence effectively, organisations should adhere to the following guidelines:

1. Identification and Collection

  • Establish processes to identify relevant evidence promptly after an incident is detected.
  • Use approved methods for collecting evidence based on the type of storage media or devices involved.
  • Ensure that evidence collection does not compromise the integrity of the data.

2. Preservation and Documentation

  • Maintain evidence in its original state by implementing appropriate storage measures.
  • Document the entire evidence collection process, including:
    • Time and date of collection.
    • Details of the devices or media involved.
    • Methods and tools used for acquisition.

3. Verification and Integrity

  • Ensure that records are complete and untampered.
  • Verify that copies of electronic evidence are identical to the originals.
  • Maintain proof that information systems were operating correctly when evidence was recorded.
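One way to put requirements 2 and 3 into practice, as an added example that is not part of the original article: a hash comparison confirms that an acquired copy is identical to the original, and each chain-of-custody record carries the hash of the previous record, so any later edit to a record breaks the chain and is detected. The item, handler and tool names are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value carried by the first record

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_copy(original: bytes, copy: bytes) -> bool:
    """Requirement 3: accept a copy only if its hash equals the original's."""
    return sha256_hex(original) == sha256_hex(copy)

def append_record(log: list, action: str, item: str, handler: str,
                  method: str, tool: str, evidence_hash: str, when: str = "") -> dict:
    """Requirement 2: who did what, when, to which item, with which method and tool.
    Each record includes the previous record's hash, so a later edit breaks the chain."""
    record = {
        "time_utc": when or datetime.now(timezone.utc).isoformat(),
        "action": action, "item": item, "handler": handler,
        "method": method, "tool": tool, "evidence_sha256": evidence_hash,
        "prev_record_hash": log[-1]["record_hash"] if log else GENESIS,
    }
    record["record_hash"] = sha256_hex(json.dumps(record, sort_keys=True).encode())
    log.append(record)
    return record

def verify_log(log: list) -> bool:
    """Requirement 3: the log is intact only if every record hash and link recomputes."""
    prev = GENESIS
    for rec in log:
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        if rec["prev_record_hash"] != prev or \
           sha256_hex(json.dumps(body, sort_keys=True).encode()) != rec["record_hash"]:
            return False
        prev = rec["record_hash"]
    return True

def demo() -> tuple:
    # Constructed walk-through: acquire, verify, then detect a tampered log entry.
    original = b"constructed sample: contents of the seized drive"  # stands in for the media
    image = bytes(original)                                          # the acquired copy
    log = []
    append_record(log, "acquire", "LAPTOP-07 SSD (placeholder)", "A. Examiner (placeholder)",
                  "bit-for-bit image", "imaging tool (placeholder)", sha256_hex(original),
                  "2024-01-15T09:30:00+00:00")
    append_record(log, "verify", "LAPTOP-07 SSD image (placeholder)", "A. Examiner (placeholder)",
                  "hash comparison", "sha256", sha256_hex(image), "2024-01-15T10:05:00+00:00")
    intact = verify_copy(original, image) and verify_log(log)
    log[0]["handler"] = "B. Someone"   # simulate an after-the-fact change to a record
    return intact, verify_log(log)     # (True, False)
```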

4. Certification and Competence

  • Employ certified personnel or tools for evidence handling to strengthen credibility.
  • Provide ongoing training to ensure staff are equipped with the latest skills and knowledge in evidence management.

Procedures for Evidence Collection

Organisations should develop detailed procedures tailored to their operational context. These procedures should:

  • Address the specific requirements for handling various types of storage media and devices, whether powered on or off.
  • Include instructions for evidence acquisition in compliance with national and international legal frameworks.
  • Incorporate safeguards to prevent accidental or intentional destruction of evidence.

Challenges in Evidence Management

1. Jurisdictional Boundaries

Digital evidence often spans organisational or national boundaries, creating challenges in:

  • Determining entitlement to collect data.
  • Ensuring admissibility in multiple legal systems.

2. Early Evidence Preservation

At the onset of an incident, its severity may not be apparent, increasing the risk of evidence being destroyed. In such cases:

  • Legal advisors or law enforcement should be consulted promptly.
  • Proactive steps should be taken to secure potential evidence.

Best Practices for Evidence Management

  • Collaborate with Legal Advisors: Seek guidance on evidence requirements for potential legal or disciplinary actions.
  • Use Certified Tools: Leverage tools and technologies certified for evidence collection and preservation.
  • Maintain Detailed Logs: Keep comprehensive records of all activities related to evidence handling.
  • Conduct Regular Training: Ensure staff are well-versed in evidence collection procedures and legal implications.

Standards and Frameworks

Organisations can refer to established standards for evidence management, including:

  • ISO/IEC 27037: Guidance on identification, collection, acquisition, and preservation of digital evidence.
  • ISO/IEC 27050 Series: Recommendations for electronic discovery and processing of electronically stored information.

FAQs

What is the purpose of ISO 27001 Control 5.28: Collection of Evidence?

This control ensures that any evidence collected for investigative or legal purposes is handled in a secure, reliable, and legally admissible manner. It supports internal investigations, regulatory inquiries, disciplinary actions, or potential legal proceedings by preserving the integrity and authenticity of the evidence.

What types of situations require evidence collection?

Common scenarios include:
– Suspected policy breaches or insider threats
– Security incidents or data breaches
– Disciplinary investigations
– Regulatory audits or requests
– Legal disputes involving digital records or actions

How should evidence be collected to ensure it’s valid and admissible?

Evidence must be:
– Collected systematically and legally, following internal procedures
– Handled securely to prevent tampering or unauthorised access
– Documented clearly, including chain of custody, time, date, and method of collection
– Preserved in its original format wherever possible, or captured using forensically sound tools

Who is responsible for collecting and handling evidence?

Organisations should designate trained personnel—such as IT security staff, compliance officers, or digital forensic experts—to collect and preserve evidence. Others should not attempt to retrieve or alter potential evidence unless explicitly authorised and trained.

What policies or procedures support this control?

To implement this control effectively, organisations should develop and maintain:
– A digital evidence handling policy
– Incident response procedures that include evidence collection steps
– Chain of custody logs
– Staff training on identifying and reporting potential evidence

Conclusion

Effective evidence management is a cornerstone of robust information security practices. By implementing structured procedures and adhering to international standards, organisations can ensure the integrity of evidence, support investigations, and strengthen their overall security posture. Establishing these practices not only enhances incident response capabilities but also safeguards organisational interests in the face of evolving cyber threats.

Written by

Alan Parker

Alan Parker is an experienced IT governance consultant who’s spent over 30 years helping SMEs and IT teams simplify complex IT challenges. With an Honours Degree in Information Systems, ITIL v3 Expert certification, ITIL v4 Bridge, and PRINCE2 Practitioner accreditation, Alan’s expertise covers project management, ISO 27001 compliance, and service management best practices. Recently named IT Project Expert of the Year (2024, UK).