ISO 27001:2022 Annex A Control 5.28
Explaining Annex A Control 5.28 Collection of evidence
ISO 27001 Annex A Control 5.28, "Collection of Evidence," outlines the need for organizations to establish and implement procedures for identifying, collecting, acquiring, and preserving evidence related to information security events.
Control Type
- Corrective
Information Security Properties
- Confidentiality
- Integrity
- Availability
Cybersecurity Concepts
- Detect
- Respond
Operational Capabilities
- Information Security Event Management
Security Domains
- Defence
Objective of Control 5.28
The primary objective of Control 5.28 is to ensure consistent and effective management of evidence related to information security incidents. This involves developing internal procedures that align with legal standards across relevant jurisdictions, thereby maximizing the chances of evidence admission in disciplinary and legal proceedings.
Purpose of Control 5.28
The purpose of this control is to ensure that evidence related to information security incidents is managed in a way that supports its admissibility in legal proceedings or disciplinary actions. This includes creating procedures that prevent evidence tampering, maintain its originality, and document the chain of custody. The control also seeks to prevent accidental destruction or loss of evidence, ensuring that your organization can act swiftly and effectively when incidents occur.
Procedures for Evidence Collection and Preservation
Implementing Control 5.28 effectively requires structured procedures covering four key areas:
1. Identification of Evidence
- Recognize and classify potential evidence related to security events.
- Determine the type of data involved, including logs, emails, system records, and network activity.
- Assess whether evidence is digital (e.g., forensic images, access logs) or physical (e.g., printed documents, hardware devices).
2. Collection of Evidence
- Gather evidence systematically to maintain its integrity and credibility.
- Use forensic tools to extract digital evidence while ensuring no modifications are made.
- Implement access control measures to prevent unauthorized modifications or deletions.
3. Acquisition of Evidence
- Create forensic copies of digital evidence to prevent tampering with original data.
- Document each step of the acquisition process, including timestamps, involved personnel, and methods used.
- Utilize cryptographic hashing (e.g., SHA-256) to validate that evidence remains unchanged.
4. Preservation of Evidence
- Store evidence securely with proper access restrictions and encryption.
- Maintain a clear chain of custody to track who accessed or handled the evidence at each stage.
- Implement version control and backup mechanisms to ensure long-term availability and integrity.
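As an added illustration of steps 3 and 4 (not code from the original page or from any ISO text), the following Python script makes a working copy of an evidence file, proves the copy matches the original by SHA-256, and appends every acquisition and later integrity check to an append-only chain-of-custody log with timestamp, handler and method; the file names, handler names and sample log line are constructed for the demonstration.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

LOG = "chain_of_custody.jsonl"  # append-only custody record kept beside the evidence

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):  # chunked: images may exceed RAM
            h.update(chunk)
    return h.hexdigest()

def record(evidence_dir: Path, **fields) -> dict:
    entry = {"timestamp": datetime.now(timezone.utc).isoformat(), **fields}  # UTC, who/what/when
    with open(evidence_dir / LOG, "a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry

def acquire(source: Path, evidence_dir: Path, handler: str, method: str) -> dict:
    """Copy the original, prove the copy matches it by hash, and log who did it and how."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    copy = evidence_dir / source.name
    shutil.copy2(source, copy)  # copy2 also carries over the original's timestamps
    copy_hash = sha256_file(copy)
    if copy_hash != sha256_file(source):
        raise RuntimeError("copy does not match original; acquisition is not forensically sound")
    return record(evidence_dir, action="acquire", item=copy.name, sha256=copy_hash,
                  handler=handler, method=method)

def verify(evidence_dir: Path, item: str, handler: str) -> bool:
    """Re-hash a stored item against the hash logged at acquisition and log the check."""
    entries = [json.loads(line) for line in (evidence_dir / LOG).read_text().splitlines()]
    recorded = next(e["sha256"] for e in entries if e.get("action") == "acquire" and e["item"] == item)
    intact = sha256_file(evidence_dir / item) == recorded
    record(evidence_dir, action="verify", item=item, handler=handler, intact=intact)
    return intact

def demo() -> tuple:
    """Constructed scenario: acquire a sample log, verify it, alter the copy, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        source, evidence = Path(tmp) / "auth.log", Path(tmp) / "evidence"
        source.write_text("May  1 10:00:00 host sshd[101]: Failed password for admin\n")  # constructed
        acquire(source, evidence, handler="analyst-1", method="file copy + SHA-256")
        before = verify(evidence, "auth.log", handler="analyst-2")
        (evidence / "auth.log").write_text("altered\n")  # simulate an unauthorized change
        return before, verify(evidence, "auth.log", handler="analyst-2")
```

The second verification fails because the stored hash no longer matches, and the failed check itself is written to the custody log, so the record shows both that the item was altered and who detected it.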
Legal and Regulatory Considerations
Your organization must align its evidence management practices with applicable legal and regulatory frameworks. Considerations include:
- Jurisdictional Compliance – Different countries have varying laws regarding digital evidence handling (e.g., GDPR in Europe, HIPAA in the U.S.).
- Forensic Soundness – Adhere to ISO/IEC 27037 standards to ensure that digital evidence collection methods meet legal requirements.
- Admissibility Standards – Ensure evidence is complete, untampered, and documented for legal acceptability.
- Early Legal Involvement – Engage legal experts or law enforcement at the beginning of an investigation to ensure compliance with jurisdictional laws.
Challenges in Evidence Management
Your organization may encounter the following challenges when implementing this control; overcoming them requires a combination of training, technology investment, and clear procedural guidelines:
- Timeliness – Delays in evidence collection can result in data loss or corruption.
- Jurisdictional Differences – Digital evidence may cross multiple legal jurisdictions, requiring compliance with various legal frameworks.
- Technical Complexity – The variety of storage media and data formats necessitates specialized forensic knowledge.
- Resource Constraints – Smaller organizations may lack the expertise or tools required for proper evidence collection.
Best Practices for Implementing Control 5.28
To ensure effective evidence collection, your organization should adopt the following best practices:
1. Develop a Clear Evidence Collection Policy
- Define roles and responsibilities for evidence management.
- Establish procedures for handling different types of digital and physical evidence.
2. Train Security and IT Teams
- Conduct regular training on forensic techniques and legal compliance.
- Ensure employees are aware of proper evidence handling procedures.
3. Document Every Action Taken
- Maintain audit logs for all evidence collection and handling activities.
- Use a chain of custody document to track who accessed the evidence and when.
4. Leverage Certified Tools
- Use forensic tools (e.g., FTK Imager, EnCase) that are legally recognized for digital investigations.
- Apply cryptographic hashing to verify evidence integrity.
5. Engage Legal and Law Enforcement Early
- Seek legal advice on evidence collection practices.
- Establish partnerships with cybersecurity law enforcement agencies.
Related ISO 27001 Controls
Control 5.28 is closely linked to several other controls in ISO 27001:
- Control 5.24 Information Security Incident Management Planning and Preparation – Establishes the foundation for incident response.
- Control 5.25 Assessment and Decision on Information Security Events – Helps determine whether evidence collection is necessary.
- Control 5.26 Response to Information Security Incidents – Guides organizations in responding to security incidents, including evidence handling.
- Control 5.27 Learning from Information Security Incidents – Encourages organizations to improve security measures based on previous incidents.
Supporting Templates for Control 5.28
Your organization can benefit from using specific templates to implement Control 5.28 effectively:
- Evidence Collection Procedure Template: Standardizes the process for handling evidence during security events.
- Chain of Custody Template: Ensures a clear record of evidence handling and transfer.
- Incident Response Checklist: Guides your organization through critical actions during security incidents.