All types Page Article White Paper Download
Solutions The best route to security compliance
Hicomply Privacy™ ISO 27001 ISO 9001 ISO 14001 SOC 2 NHS DSPT NIST 800-53 Hicomply GRC™ Services & Customer Support
Platform A powerful suite of ISMS features
Dashboard ISMS Scoping Policy Management Risk Management Information Asset Management Task Management Integrations Hicomply for Enterprises Trust Centre Controls Monitor Hicomply AI SCIM Integration
Resources Everything you need to know
Knowledge & Insights Resources Hub Case Studies Sectors Glossary News ROI Calculator
Knowledge Base Learn more about infosec
ISO 27001 Knowledge Base SOC 2 Knowledge Base NHS DSPT Knowledge Base PCI DSS Knowledge Base NIST 800-53 Knowledge Base DORA Knowledge Base
Company Security and customers first
About News Partners Contact

Collection of evidence

Annex A control 5.28 of the 2022 version of the ISO 27001 standard can be mapped to ISO 27001:2013 Annex A 16.1.7

Organisations must manage evidence in an orderly and robust way, throughout the reporting and resolution of IS incidents. Annex 5.28 offers a framework for organisations on how to achieve this, highlighting the importance of collecting accurate evidence in a timely manner. This informs everything from disciplinary to legal proceedings.

Control 5.28 covers the internal technical issues relating to information security, as well as the explicitly legal and disciplinary consequences of collecting incident evidence.

Understanding control 5.28

Evidence collection procedures should be created with a clear intention to fulfil the organisation’s disciplinary and/or legal obligations, according to control 5.28. Evidence collection should focus on obligations across a wide range of legal jurisdictions and regulatory environments. This allows several distinct external bodies to analyse incidents to the same degree.

Bodies should explore a variety of factors for each incident, according to control 5.28, including devices and assets, device status (including login attempts and power status), and storage media.

Control 5.28 also stipulates the importance of organisations demonstrating:

  • Complete, unaltered records of their incidents.
  • Electronic evidence where applicable.
  • Evidence collected by internal systems and ICT platforms.
  • Evidence collected by individuals who hold the necessary qualifications and certifications in their role.
  • The legal entitlement to collect digital evidence, where necessary.

Organisations must not make assumptions about the relevance of the evidence being collected. Control 5.28 encourages organisations to seek legal advice and/or law enforcement assistance as soon as possible, in order to avoid accidental or intentional destruction of incident-related evidence.

How has the control changed since 2013?

Replacing ISO 27001:2013 Annex A control 16.1.7, The 2022 version of the control adheres to the same principles, with four core additions. These are:

  • Ensuring evidence is not tampered with.
  • Ensuring ICT systems function correctly during the collection process.
  • Collecting certain digital evidence legally.
  • Electronic evidence being identical to its physical counterpart.