Implementing ISO 27001 Annex A 5.28 is the formal process of identifying, collecting, and preserving forensic data to support disciplinary or legal actions. The primary implementation requirement necessitates strict chain-of-custody procedures and cryptographic hashing, delivering the business benefit of legally admissible evidence that withstands judicial scrutiny during security investigations.
ISO 27001 Annex A 5.28 Collection of Evidence Implementation Checklist
Use this implementation checklist to achieve compliance with ISO 27001 Annex A 5.28. Compliance with this control is not about uploading screenshots to a portal; it requires forensically sound procedures that ensure evidence is admissible in disciplinary or legal proceedings.
1. Establish an Evidence Identification Strategy
Control Requirement: Procedures must exist to identify what constitutes evidence during a security event.
Required Implementation Step: Create a “First Responder Guide” that explicitly lists evidence sources beyond just server logs. You must physically document potential sources including volatile memory (RAM), network packet captures (PCAP), firewall logs, and CCTV footage before any recovery actions are taken.
Minimum Requirement: A documented “Evidence Scope” list created immediately upon incident declaration.
2. Initiate the Chain of Custody (CoC)
Control Requirement: The integrity and history of evidence handling must be proven.
Required Implementation Step: Print a physical Chain of Custody form or create a digitally signed equivalent that tracks every single interaction with the evidence. You must record who collected it, where it was stored, who accessed it, and the exact time of transfer; a simple Jira ticket comment is legally insufficient.
Minimum Requirement: A completed CoC log with no time gaps, signed by the evidence handler.
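One way to build the “digitally signed equivalent” of the paper CoC form, added here as an example and not part of the original checklist: each hand-over entry is chained to the previous one with an HMAC-SHA256 tag under a custodian key (a constructed key here; per-handler signing keys would give true non-repudiation), and `verify_log` reports both after-the-fact edits and custody gaps, i.e. an entry whose releasing party is not the party that last received the item. The names, case reference and all-zero evidence hash are constructed placeholders.

```python
import hashlib
import hmac
import json

CUSTODIAN_KEY = b"example-custodian-key-not-for-production"  # constructed; use per-handler signing keys in practice
FIELDS = ("case_ref", "evidence_id", "released_by", "received_by", "location", "timestamp", "evidence_sha256")


def _tag(prev_tag: str, fields: dict) -> str:
    """HMAC-SHA256 over the previous tag plus canonical JSON, chaining entries together."""
    msg = prev_tag.encode() + json.dumps(fields, sort_keys=True).encode()
    return hmac.new(CUSTODIAN_KEY, msg, hashlib.sha256).hexdigest()


def append_entry(log: list, **fields) -> None:
    """Record one hand-over: who released, who received, where, when, and the evidence hash."""
    assert set(fields) == set(FIELDS), "every chain-of-custody field is mandatory"
    prev = log[-1]["tag"] if log else "genesis"
    log.append({**fields, "prev": prev, "tag": _tag(prev, fields)})


def verify_log(log: list) -> list:
    """Return findings; an empty list means the log is intact and custody is continuous."""
    findings, prev = [], "genesis"
    for i, e in enumerate(log):
        fields = {k: e[k] for k in FIELDS}
        if e["prev"] != prev or not hmac.compare_digest(e["tag"], _tag(prev, fields)):
            findings.append(f"entry {i}: integrity failure (edited, removed or reordered)")
        if i > 0:
            last = log[i - 1]
            if e["released_by"] != last["received_by"]:
                findings.append(f"entry {i}: custody gap, {last['received_by']} never signed it over")
            if e["timestamp"] <= last["timestamp"]:  # ISO 8601 UTC strings compare lexically
                findings.append(f"entry {i}: timestamp not after the previous hand-over")
            if e["evidence_sha256"] != last["evidence_sha256"]:
                findings.append(f"entry {i}: evidence hash changed between hand-overs")
        prev = e["tag"]
    return findings


def demo() -> tuple:
    """Constructed trail: collection, deposit in the evidence safe, release to the analyst."""
    base = dict(case_ref="IR-EXAMPLE-001", evidence_id="LAPTOP-SSD-1", evidence_sha256="0" * 64)
    log = []
    append_entry(log, **base, released_by="scene", received_by="a.handler",
                 location="server room, rack 3", timestamp="2024-05-01T09:15:00Z")
    append_entry(log, **base, released_by="a.handler", received_by="c.custodian",
                 location="evidence safe, drawer 2", timestamp="2024-05-01T10:02:00Z")
    append_entry(log, **base, released_by="c.custodian", received_by="b.analyst",
                 location="forensic lab, bench 1", timestamp="2024-05-02T08:30:00Z")
    clean = verify_log(log)
    log[1]["location"] = "unknown"  # a silent after-the-fact edit breaks the chain
    return clean, verify_log(log)
```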
3. Capture Volatile Evidence First
Control Requirement: Evidence that is lost on power-down must be prioritised.
Required Implementation Step: Use a forensic acquisition tool (e.g., FTK Imager on Windows, or an equivalent memory-acquisition tool on Linux) to dump the RAM before shutting down or rebooting the machine. You must also capture active network connections and running processes, because this data vanishes the moment anyone follows a generic “reboot to fix” instruction.
Minimum Requirement: A raw memory dump file saved to external, sterile media.
4. Create Bit-for-Bit Forensic Images
Control Requirement: Original media must remain unaltered during analysis.
Required Implementation Step: Connect a write-blocker to the compromised drive and create a full disk image (E01 or dd format). Do not copy and paste files using Windows Explorer, as this alters file metadata (access times) and destroys forensic integrity.
Minimum Requirement: A verified forensic image file accompanied by a successful verification log.
5. Generate Cryptographic Hashes
Control Requirement: The integrity of the evidence must be verifiable at any later date.
Required Implementation Step: Immediately calculate the SHA-256 hash of the original evidence file or disk image. Record this hash in your Chain of Custody document; if the hash changes by even one bit in the future, the evidence is considered tampered with and useless.
Minimum Requirement: A text file containing the filename and its corresponding SHA-256 hash string.
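Step 5 in working form, added as an example that is not part of the original checklist: it streams a constructed, temporary image through SHA-256 in fixed-size chunks, records the result in the two-space manifest format that `sha256sum -c` reads, and shows that flipping a single bit anywhere in the image turns the later verification into FAILED.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 4 * 1024 * 1024  # 4 MiB reads: a disk image is far larger than available RAM


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so the whole image never has to sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(image: Path, manifest: Path) -> str:
    """Write '<hash>  <filename>' (the format `sha256sum -c` reads); return the hash for the CoC form."""
    digest = sha256_file(image)
    manifest.write_text(f"{digest}  {image.name}\n")
    return digest


def verify_manifest(manifest: Path) -> dict:
    """Re-hash each listed file; map filename -> 'OK', 'FAILED' (hash differs) or 'MISSING'."""
    results = {}
    for line in manifest.read_text().splitlines():
        expected, name = line.split("  ", 1)
        target = manifest.parent / name
        if not target.exists():
            results[name] = "MISSING"
        else:
            results[name] = "OK" if sha256_file(target) == expected else "FAILED"
    return results


def demo() -> tuple:
    """Constructed image: record its hash, verify, flip a single bit, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "evidence.dd"
        image.write_bytes(os.urandom(2 * CHUNK + 123))  # odd size: spans several read chunks
        manifest = Path(tmp) / "evidence.dd.sha256"
        write_manifest(image, manifest)
        before = verify_manifest(manifest)
        data = bytearray(image.read_bytes())
        data[len(data) // 2] ^= 0x01  # one bit, deep inside the image
        image.write_bytes(data)
        return before, verify_manifest(manifest)
```

The hash written by `write_manifest` is the value to copy into the Chain of Custody form; re-running `verify_manifest` (or `sha256sum -c`) at any later date is the check that the Master copy is unchanged.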
6. Secure Physical Storage of Media
Control Requirement: Evidence must be protected from unauthorised access and physical damage.
Required Implementation Step: Place hard drives, USBs, or printed logs into a tamper-evident bag. Lock this bag in a physical safe or a restricted-access server room cabinet to which only authorised forensic staff hold the key.
Minimum Requirement: A photo of the sealed evidence bag with the unique case reference number visible.
7. Work Only on Forensic Copies
Control Requirement: The original evidence must be preserved as the “Master” copy.
Required Implementation Step: Create a secondary copy of the forensic image for analysis purposes. Never mount or open the original evidence drive for investigation; ensure the Master copy remains locked away to preserve the chain of custody.
Minimum Requirement: A procedural check confirming analysis was performed on “Copy B”, leaving “Master A” untouched.
8. Document the Collection Environment
Control Requirement: Contextual information surrounding the evidence must be recorded.
Required Implementation Step: Take photographs of the physical setup, including cable connections, screen displays, and the location of the hardware. Manually note down the serial numbers and asset tags of the hardware from which evidence was pulled.
Minimum Requirement: A “Site Collection Report” including photos and a hardware inventory list.
9. Secure Transfer of Digital Evidence
Control Requirement: Evidence must not be intercepted or altered during transit.
Required Implementation Step: If sending evidence to external legal counsel or law enforcement, use encrypted physical drives or secure, encrypted file transfer protocols (SFTP) with specific access credentials. Do not email sensitive logs or evidence files.
Minimum Requirement: A transfer receipt or log showing the handover method and confirmation of receipt.
10. Audit and Review Evidence Retention
Control Requirement: Evidence must be retained only for as long as legally or operationally necessary.
Required Implementation Step: Set a calendar reminder to review held evidence against your data retention policy and local laws (e.g., GDPR). Securely wipe or physically destroy evidence drives once the legal hold is lifted, and document the destruction.
Minimum Requirement: A “Certificate of Destruction” or a log entry confirming secure deletion of the evidence data.
ISO 27001 Annex A 5.28 SaaS / GRC Platform Implementation Failure Checklist
| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| Chain of Custody | A text field in a ticket saying “John grabbed the laptop”. | Courts require a signed CoC form detailing every second of possession and storage location. |
| Evidence Integrity | Uploading a screenshot or log file to a cloud portal. | Uploading changes metadata. Real compliance requires SHA-256 hashed forensic images. |
| Volatile Memory | No feature exists; SaaS tools assume you just want document storage. | Without a RAM dump, you lose encryption keys and active malware indicators. |
| Write Protection | SaaS tools cannot physically block writes to a hard drive. | You need physical hardware write-blockers to prevent Windows from altering the disk on connection. |
| Analysis Safety | Viewing the log file directly in the GRC browser viewer. | You must never analyse the original; you only analyse a verified copy to prevent spoliation. |
| Secure Storage | Storing evidence in a multi-tenant cloud bucket (S3). | Sensitive forensic data often requires offline, physically secured storage (a safe), not the cloud. |
| Identification | A dropdown list of “Incident Types”. | Real identification involves mapping physical ports, cables, and hidden partitions. |
| Destruction | Deleting the ticket from the dashboard. | Forensic drives must be securely wiped (DoD standard) or shredded, not just “deleted”. |