ISO 27001 Annex A 5.28

Evidence is fragile - collect it carefully or lose the option to act on it.

ISO 27001 Annex A 5.28 - Collection of Evidence

Evidence collected during an incident may need to support disciplinary action, legal proceedings, regulatory investigation or insurance claims. If the evidence has been mishandled, it can become unusable. The control requires the organisation to have procedures in place so that evidence is identified, collected and preserved in a way that maintains its integrity and admissibility.

The procedures need to cover the practical steps - what to capture, how to capture it, who is authorised to do so, how the chain of custody is recorded, where evidence is stored and how access to it is controlled. For digital evidence the procedures should reflect forensic principles such as preserving original media, working from copies, and documenting every step.

Most organisations do not have in-house forensic capability for serious incidents. The procedures should identify when external forensic support would be engaged, who can authorise the engagement and what immediate steps to take to preserve evidence until that support arrives. Even basic preservation - not turning the affected system off, isolating it from the network, taking memory captures - has significant value.

The key thing with evidence is to think about it before the moment when you need it. Once an incident is in flight, decisions get made under pressure and well-meant actions like restoring from backup can wipe out the evidence trail. Even a short procedure covering the basic steps - stop, isolate, capture, document - will avoid most of the common mistakes.

Practical Compliance Guidance

Evidence collection arrangements form part of the incident management process described in the IMS1 manual at section 8.2. The legal register holds the relevant legal references and the incident form documents the evidence preserved during a response.

alphaZ document - How to use it

ISO 27001 Toolkit - The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists.

F-Q109 Information Security Incident - The incident record. Use the form to log evidence collected, who handled it, where it is stored and the chain of custody, alongside the wider incident response actions.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Most organisations do not. What you need is awareness of the basic preservation steps and a route to external forensic support for serious incidents. The procedures should identify when to engage external help and what to do in the meantime to keep evidence intact.

A documented record showing who handled the evidence, when, what they did with it, and where it was stored. The chain of custody supports the credibility of the evidence by demonstrating it has not been tampered with. Each change of hands should be recorded with date, time and signature.

For at least the period in which it might be needed for legal, regulatory or contractual purposes. For most incidents that means several years. The retention period should be set with reference to the legal register and any specific regulatory requirements applying to the organisation.
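The forensic principles above (work from a copy, hash it, record every handover) and the chain-of-custody answer can be made concrete in code. This is an added example, not part of the alphaZ toolkit or this page: it hashes the working copy at each custody event and refuses a handover if the copy no longer matches its acquisition hash. The incident id, handler names and storage locations are constructed placeholders.

```python
import hashlib
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timezone

def sha256_of(path: str) -> str:
    """Hash the evidence copy in chunks so large disk images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

@dataclass
class ChainOfCustody:
    item_id: str
    path: str        # working copy; the original media is never touched
    entries: list = field(default_factory=list)

    def _record(self, handler: str, action: str, location: str) -> str:
        digest = sha256_of(self.path)
        self.entries.append({"when": datetime.now(timezone.utc).isoformat(),
                             "handler": handler, "action": action,
                             "location": location, "digest": digest})
        return digest

    def acquire(self, handler: str, location: str) -> str:
        return self._record(handler, "acquired", location)

    def verify(self) -> bool:
        # The copy must still match the digest recorded at acquisition.
        return bool(self.entries) and sha256_of(self.path) == self.entries[0]["digest"]

    def transfer(self, to_handler: str, location: str) -> str:
        if not self.verify():  # refuse the handover rather than pass on a bad copy
            raise ValueError(f"{self.item_id}: integrity check failed, handover refused")
        return self._record(to_handler, "transferred", location)

def demo_chain() -> tuple:
    # Constructed sample: a small "image" file, two custody events, then a tamper.
    with tempfile.TemporaryDirectory() as d:
        copy = f"{d}/INC-001-laptop.img"   # placeholder incident id, constructed
        with open(copy, "wb") as f:
            f.write(b"constructed sample evidence bytes\n")
        coc = ChainOfCustody("INC-001/item-1", copy)
        coc.acquire("A. Analyst", "evidence safe, cabinet 2")
        coc.transfer("B. Investigator", "forensics lab")
        intact = coc.verify()
        with open(copy, "ab") as f:  # an undocumented modification of the copy
            f.write(b"x")
        return intact, coc.verify(), len(coc.entries)
```

In practice the entries list would be written to the F-Q109 incident form or an equivalent signed log; the point is that each handover is tied to a hash, so any later change to the copy is detectable.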
