When to use this
Practical use
Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.
Use this when evidence related to an information security event may need to support investigation, legal action, regulatory response, disciplinary action, insurance, or formal root-cause analysis.
Evidence item
| Field | Value |
|---|---|
| Evidence ID | |
| Related event/incident | |
| Evidence type | |
| Source system/location | |
| Collection method | |
| Original preserved? | TBD |
| Forensic copy created? | TBD |
| Hash/checksum | |
| Storage location | |
| Access restriction |
Chain of custody
| Date/time | From | To | Action | Reason | Integrity check | Signature/approval |
|---|---|---|---|---|---|---|
Related notes
- Template
- Iso27001
- Evidence
- Forensics
Note Metadata
Aliases: Chain of Custody Log
Source: 90 Templates/Evidence Collection and Chain of Custody Log.md
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Related Notes
- ISO 27001 A.5.26 - Response to Information Security Incidents
- ISO 27001 A.5.28 - Collection of Evidence
- ISO 27001 A.5.33 - Protection of Records
- A.5.28 Audit Evidence Pack
- A.5 Organizational Controls Implementation Guide
- ISO27001-A.5.28 Collection of Evidence
- ISO 27002 Annex A Control Interpretation Map
- Template - Evidence Request List
- Incident Response Record
- Templates MOC