Requirement
Requirement lens
Treat this as the control objective. The implementation, evidence, and audit sections explain how to make it operational and provable.
“The organization shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.”
Plain-language meaning
The organization must know how to identify, collect, acquire, preserve, store, and protect evidence related to security events so it remains complete, reliable, and usable.
Why this matters
Poor evidence handling can destroy legal, regulatory, disciplinary, insurance, or root-cause value. Evidence must be protected from alteration, loss, contamination, and unauthorized access.
Implementation guidance
Implementer focus
Turn this section into owners, procedures, records, review cadence, and evidence locations. A control is not implemented until it operates repeatedly.
- Define when evidence collection is triggered, including suspected legal, regulatory, disciplinary, insurance, supplier, or serious security cases.
- Document how to identify, collect, acquire, preserve, label, store, transfer, and dispose of evidence.
- Maintain chain of custody showing who handled evidence, when, why, and under what controls.
- Use forensically sound copies for investigation where original evidence may be needed later.
- Restrict evidence storage so unauthorized people cannot access, modify, or destroy it.
- Align procedures with applicable legal, regulatory, and forensic requirements; verify official requirements for the jurisdiction and case type.
Audit guidance
Auditor focus
Look for evidence that the process operates in practice, not just that a document exists.
Auditors should verify that evidence procedures exist, are activated early enough, protect chain of custody, restrict access, and preserve quality and completeness.
Evidence examples
Evidence quality
Strong evidence links requirement, owner, action, date, review, and outcome. Weak evidence usually proves only intent.
| Evidence | What it proves |
|---|---|
| Evidence procedure covers identification, collection, acquisition, preservation, storage, access, transfer, and disposal | Shows the process is defined, operated, or reviewed |
| Chain-of-custody logs are complete and timestamped | Shows the process is defined, operated, or reviewed |
| Evidence storage is access-controlled and tamper-resistant | Shows the process is defined, operated, or reviewed |
| Forensic copies are used where original evidence must be preserved | Shows the process is defined, operated, or reviewed |
| Evidence collection starts early enough to avoid contamination or destruction | Shows the process is defined, operated, or reviewed |
Strong evidence
- Evidence procedure covers identification, collection, acquisition, preservation, storage, access, transfer, and disposal.
- Chain-of-custody logs are complete and timestamped.
- Evidence storage is access-controlled and tamper-resistant.
- Forensic copies are used where original evidence must be preserved.
- Evidence collection starts early enough to avoid contamination or destruction.
Weak evidence
- Screenshots or logs are saved without custody records.
- Evidence is stored in shared folders with broad access.
- Original systems are modified before evidence is captured.
- No trigger criteria for evidence collection.
- No record of who handled evidence.
Common failures
Implementation watchouts
These are the fastest ways this topic fails in real ISMS work.
| Failure | Why it matters |
|---|---|
| Evidence collection begins too late. | Logs, volatile data, and context can be lost |
| Responders overwrite logs during recovery. | Evidence integrity and completeness are damaged |
| No chain of custody. | The organization cannot prove who handled evidence or whether it was altered |
| Evidence access is not restricted. | Unauthorized access, modification, or destruction can occur |
| Forensic work is performed on originals instead of copies. | Original evidence may be altered or challenged |
| Procedures ignore jurisdictional or legal admissibility requirements. | Evidence may be unusable in formal proceedings |
Exam traps
Exam focus
Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.
- A.5.28 is broader than legal proceedings, but legal defensibility is a major driver.
- Evidence preservation starts early, not after the incident is closed.
- Chain of custody proves control over evidence handling.
- Forensic copies protect original evidence from alteration.
- Evidence quality and completeness matter, not only existence.
Related controls and concepts
- A.5.25 Assessment and Decision on Information Security Events
- A.5.26 Response to Information Security Incidents
- A.5.27 Learning from Information Security Incidents
- Internal Audit
- Incident Management Plan
- Evidence Request List
KB-ready summary
Quick refresher
Use this section for last-day review and for explaining the topic to a control owner.
A.5.28 requires a controlled part of the incident-management lifecycle: The organization must know how to identify, collect, acquire, preserve, store, and protect evidence related to security events so it remains complete, reliable, and usable. In practice, this means defined criteria, assigned ownership, recorded decisions, operating evidence, and improvement links back into the ISMS.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Organizational controls
- Incident management
- Audit
- Evidence
- Forensics
- Chain of custody
Note Metadata
Aliases: A.5.28, Collection of Evidence
Source: 02 Annex A Organizational Controls/A.5.28 Collection of Evidence.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
8
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- Internal Audit
- ISO 27001 A.5.25 - Assessment and Decision on Information Security Events
- ISO 27001 A.5.26 - Response to Information Security Incidents
- ISO 27001 A.5.27 - Learning from Information Security Incidents
- A.5 Organizational Controls MOC
- ISO 27001 A.7.4 - Physical Security Monitoring
- ISO 27001 A.7.6 - Working in Secure Areas
- A.7 Physical Controls MOC
- A.5.28 Audit Evidence Pack
- AQ-ISO27001-A.5.28 Collection of Evidence
- ISO 27001 A.8.15 - Logging
- ISO 27001 A.8.16 - Monitoring Activities
- ISO 27001 A.8.2 - Privileged Access Rights
- ISO 27001 A.8.4 - Access to Source Code
- A.5 Organizational Controls Implementation Guide
- ISO27001-A.5.28 Collection of Evidence
- A.5 Controls Implementation Audit Risk Mapping
- EXAM-011 - Incident Management Lifecycle
- ISO 27002 Annex A Control Interpretation Map
- A.5.28 Audit Checklist
- Evidence Collection and Chain of Custody Log
- Template - Evidence Request List
- Incident Management Plan
- Log Integrity and Access Review Checklist
- Annex A Controls MOC