UnixTime

Research Note

ISO 27001 A.5.28 - Collection of Evidence

The organization must know how to identify, collect, acquire, preserve, store, and protect evidence related to security events so it remains complete, reliable, and usable.

On this page

Requirement

Requirement lens

Treat this as the control objective. The implementation, evidence, and audit sections explain how to make it operational and provable.

“The organization shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.”

Plain-language meaning

The organization must know how to identify, collect, acquire, preserve, store, and protect evidence related to security events so it remains complete, reliable, and usable.

Why this matters

Poor evidence handling can destroy legal, regulatory, disciplinary, insurance, or root-cause value. Evidence must be protected from alteration, loss, contamination, and unauthorized access.

Implementation guidance

Implementer focus

Turn this section into owners, procedures, records, review cadence, and evidence locations. A control is not implemented until it operates repeatedly.

  1. Define when evidence collection is triggered, including suspected legal, regulatory, disciplinary, insurance, supplier, or serious security cases.
  2. Document how to identify, collect, acquire, preserve, label, store, transfer, and dispose of evidence.
  3. Maintain chain of custody showing who handled evidence, when, why, and under what controls.
  4. Use forensically sound copies for investigation where original evidence may be needed later.
  5. Restrict evidence storage so unauthorized people cannot access, modify, or destroy it.
  6. Align procedures with applicable legal, regulatory, and forensic requirements; verify official requirements for the jurisdiction and case type.

Audit guidance

Auditor focus

Look for evidence that the process operates in practice, not just that a document exists.

Auditors should verify that evidence procedures exist, are activated early enough, protect chain of custody, restrict access, and preserve quality and completeness.

Evidence examples

Evidence quality

Strong evidence links requirement, owner, action, date, review, and outcome. Weak evidence usually proves only intent.

Evidence What it proves
Evidence procedure covers identification, collection, acquisition, preservation, storage, access, transfer, and disposal Shows the process is defined, operated, or reviewed
Chain-of-custody logs are complete and timestamped Shows the process is defined, operated, or reviewed
Evidence storage is access-controlled and tamper-resistant Shows the process is defined, operated, or reviewed
Forensic copies are used where original evidence must be preserved Shows the process is defined, operated, or reviewed
Evidence collection starts early enough to avoid contamination or destruction Shows the process is defined, operated, or reviewed

Strong evidence

  • Evidence procedure covers identification, collection, acquisition, preservation, storage, access, transfer, and disposal.
  • Chain-of-custody logs are complete and timestamped.
  • Evidence storage is access-controlled and tamper-resistant.
  • Forensic copies are used where original evidence must be preserved.
  • Evidence collection starts early enough to avoid contamination or destruction.

Weak evidence

  • Screenshots or logs are saved without custody records.
  • Evidence is stored in shared folders with broad access.
  • Original systems are modified before evidence is captured.
  • No trigger criteria for evidence collection.
  • No record of who handled evidence.

Common failures

Implementation watchouts

These are the fastest ways this topic fails in real ISMS work.

Failure Why it matters
Evidence collection begins too late. Logs, volatile data, and context can be lost
Responders overwrite logs during recovery. Evidence integrity and completeness are damaged
No chain of custody. The organization cannot prove who handled evidence or whether it was altered
Evidence access is not restricted. Unauthorized access, modification, or destruction can occur
Forensic work is performed on originals instead of copies. Original evidence may be altered or challenged
Procedures ignore jurisdictional or legal admissibility requirements. Evidence may be unusable in formal proceedings

Exam traps

Exam focus

Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.

  • A.5.28 is broader than legal proceedings, but legal defensibility is a major driver.
  • Evidence preservation starts early, not after the incident is closed.
  • Chain of custody proves control over evidence handling.
  • Forensic copies protect original evidence from alteration.
  • Evidence quality and completeness matter, not only existence.

KB-ready summary

Quick refresher

Use this section for last-day review and for explaining the topic to a control owner.

A.5.28 requires a controlled part of the incident-management lifecycle: The organization must know how to identify, collect, acquire, preserve, store, and protect evidence related to security events so it remains complete, reliable, and usable. In practice, this means defined criteria, assigned ownership, recorded decisions, operating evidence, and improvement links back into the ISMS.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Organizational controls
  • Incident management
  • Audit
  • Evidence
  • Forensics
  • Chain of custody

Note Metadata

Aliases: A.5.28, Collection of Evidence

Source: 02 Annex A Organizational Controls/A.5.28 Collection of Evidence.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

8

links

01
02

Implementation artifacts

Templates and working records that help operate the control.

03

Evidence required

Evidence packs and proof records that support auditability.

04

Audit checks

Audit questions, checklists, or review material connected to the control.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.