ISO 27001:2022 Annex A Control 5.28: Collection of Evidence
Annex A control 5.28 of the 2022 version of the ISO 27001 standard can be mapped to ISO 27001:2013 Annex A 16.1.7
Organisations must manage evidence in an orderly and robust way, throughout the reporting and resolution of IS incidents. Annex 5.28 offers a framework for organisations on how to achieve this, highlighting the importance of collecting accurate evidence in a timely manner. This informs everything from disciplinary to legal proceedings.
Control 5.28 covers the internal technical issues relating to information security, as well as the explicitly legal and disciplinary consequences of collecting incident evidence.
Understanding control 5.28
Evidence collection procedures should be created with a clear intention to fulfil the organisation’s disciplinary and/or legal obligations, according to control 5.28. Evidence collection should focus on obligations across a wide range of legal jurisdictions and regulatory environments. This allows several distinct external bodies to analyse incidents to the same degree.
Bodies should explore a variety of factors for each incident, according to control 5.28, including devices and assets, device status (including login attempts and power status), and storage media.
Control 5.28 also stipulates the importance of organisations demonstrating:
- Complete, unaltered records of their incidents.
- Electronic evidence where applicable.
- Evidence collected by internal systems and ICT platforms.
- Evidence collected by individuals who hold the necessary qualifications and certifications in their role.
- The legal entitlement to collect digital evidence, where necessary.
Organisations must not make assumptions about the relevance of the evidence being collected. Control 5.28 encourages organisations to seek legal advice and/or law enforcement assistance as soon as possible, in order to avoid accidental or intentional destruction of incident-related evidence.
How has the control changed since 2013?
Replacing ISO 27001:2013 Annex A control 16.1.7, The 2022 version of the control adheres to the same principles, with four core additions. These are:
- Ensuring evidence is not tampered with.
- Ensuring ICT systems function correctly during the collection process.
- Collecting certain digital evidence legally.
- Electronic evidence being identical to its physical counterpart.
Ready to Take Control of Your Privacy Compliance?
See how Hicomply can accelerate your path to CAF compliance in a 15-minute demo.