
How to Implement ISO 27001 Annex A 5.28 Collection of Evidence

In this ultimate how to implement guide to ISO 27001 Annex A 5.28 Collection of Evidence, you will learn directly from an ISO 27001 Lead Auditor:

  • The requirement of the control
  • The required implementation steps
  • The minimum requirement

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

Implementing ISO 27001 Annex A 5.28 means establishing and following procedures for identifying, collecting, acquiring and preserving evidence from information security events so that it can support disciplinary or legal action. In practice this means a strict chain-of-custody record for every artefact and a cryptographic hash taken at the point of acquisition, so that the business ends up with evidence that remains admissible and withstands scrutiny in a tribunal or court. Admissibility rules differ between jurisdictions, so check the procedure against the requirements of the courts you are most likely to end up in.

ISO 27001 Annex A 5.28 Collection of Evidence Implementation Checklist

Use this implementation checklist to achieve compliance with ISO 27001 Annex A 5.28. Compliance with this control is not about uploading screenshots to a portal; it requires forensically sound procedures that ensure evidence is admissible in disciplinary or legal proceedings.

1. Establish an Evidence Identification Strategy

Control Requirement: Procedures must exist to identify what constitutes evidence during a security event.

Required Implementation Step: Create a “First Responder Guide” that explicitly lists evidence sources beyond just server logs. Document the potential sources, including volatile memory (RAM), network packet captures (PCAP), firewall logs, endpoint and authentication logs, and CCTV footage, and decide what to preserve before any recovery or clean-up action is taken, because recovery destroys evidence.

Minimum Requirement: A documented “Evidence Scope” list created immediately upon incident declaration.

2. Initiate the Chain of Custody (CoC)

Control Requirement: The integrity and history of evidence handling must be proven.

Required Implementation Step: Print a physical Chain of Custody form or create a digitally signed equivalent that tracks every single interaction with the evidence. You must record who collected it, where it was stored, who accessed it, and the exact time of every transfer; a bare ticket comment, which can be edited after the fact and identifies no signatory, does not establish custody.

Minimum Requirement: A completed CoC log with no unexplained gaps between hand-overs, signed by each evidence handler.

3. Capture Volatile Evidence First

Control Requirement: Evidence that is lost on power-down must be prioritised.

Required Implementation Step: Use a forensic acquisition tool (for example FTK Imager on Windows, or LiME or AVML on Linux) to image RAM before shutting down or rebooting the machine. Capture active network connections, running processes and logged-in sessions in the same pass, following the order of volatility, as this data vanishes the moment someone follows a generic “reboot to fix” instruction. Run the collection tools from your own sterile media rather than from binaries on the suspect host, which may have been tampered with.

Minimum Requirement: A raw memory dump file saved to external, sterile media, with its hash recorded on the CoC form at the time of capture.
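As an added worked example, not taken from this page or from the Ultimate ISO 27001 Toolkit, the Python below shows one way to implement the hashing and chain-of-custody parts of steps 1 to 3 for a digital (rather than paper) CoC record. Each entry records who did what to which artefact, where and when; it carries the artefact's SHA-256 from the moment of acquisition, commits to the previous entry's digest so nothing can be inserted, dropped or reordered, and is signed with an HMAC key held by the handler. The verifier checks all of that plus the "no unexplained gaps" rule. The handler IDs, keys, artefact names, timestamps and the stand-in memory image are constructed for illustration only.

```python
# Added example: a tamper-evident chain-of-custody (CoC) log for collected
# evidence. Not from the page; handler IDs, keys, artefact names, timestamps
# and the stand-in "memory image" are constructed for illustration.
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # prev-entry digest used by the first entry


def sha256_file(path, chunk=1 << 20):
    """Hash an evidence file at acquisition; the digest goes on the CoC record."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _canonical(body):
    # Deterministic serialisation so hashes and signatures are reproducible.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class CustodyLog:
    """Append-only list of entries. Each entry commits to the previous entry's
    digest (a hash chain) and carries an HMAC by the handler who performed the
    action, so an entry cannot be edited, dropped or reordered silently."""

    def __init__(self):
        self.entries = []

    def record(self, handler, key, action, artefact, artefact_sha256, location, when):
        body = {
            "seq": len(self.entries),
            "time_utc": when.astimezone(timezone.utc).isoformat(),
            "handler": handler,
            "action": action,  # e.g. acquired / sealed / received / accessed
            "artefact": artefact,
            "artefact_sha256": artefact_sha256,
            "location": location,
            "prev_entry_sha256": self.entries[-1]["entry_sha256"] if self.entries else GENESIS,
        }
        canon = _canonical(body)
        entry = dict(body)
        entry["entry_sha256"] = hashlib.sha256(canon).hexdigest()
        entry["handler_sig"] = hmac.new(key, canon, hashlib.sha256).hexdigest()
        self.entries.append(entry)
        return entry


def verify(entries, handler_keys, max_gap):
    """Return a list of problems; an empty list means the log verifies.
    Checks the hash chain, each handler's signature, that an artefact's digest
    never changes between entries, and that consecutive entries are in order
    and no further apart than max_gap (an unexplained custody gap)."""
    problems = []
    prev_hash, prev_time, first_digest = GENESIS, None, {}
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k not in ("entry_sha256", "handler_sig")}
        canon = _canonical(body)
        if e["seq"] != i or e["prev_entry_sha256"] != prev_hash:
            problems.append(f"entry {i}: chain broken")
        if hashlib.sha256(canon).hexdigest() != e["entry_sha256"]:
            problems.append(f"entry {i}: contents altered")
        key = handler_keys.get(e["handler"])
        expected = hmac.new(key, canon, hashlib.sha256).hexdigest() if key else ""
        if not key or not hmac.compare_digest(expected, e["handler_sig"]):
            problems.append(f"entry {i}: bad signature for {e['handler']}")
        if first_digest.setdefault(e["artefact"], e["artefact_sha256"]) != e["artefact_sha256"]:
            problems.append(f"entry {i}: artefact digest changed for {e['artefact']}")
        t = datetime.fromisoformat(e["time_utc"])
        if prev_time is not None and (t < prev_time or t - prev_time > max_gap):
            problems.append(f"entry {i}: custody gap or out-of-order timestamp")
        prev_hash, prev_time = e["entry_sha256"], t
    return problems


def demo():
    """Walk a RAM image through acquisition, sealing and hand-over, then show
    that a gap and an after-the-fact edit are both detected."""
    keys = {"responder-01": b"constructed-key-1", "custodian-02": b"constructed-key-2"}
    fd, dump = tempfile.mkstemp(suffix=".raw")  # constructed stand-in for a memory image
    with os.fdopen(fd, "wb") as f:
        f.write(b"\x00" * 4096 + b"constructed memory image")
    digest = sha256_file(dump)
    os.unlink(dump)
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    log = CustodyLog()
    log.record("responder-01", keys["responder-01"], "acquired", "host-x-ram.raw", digest, "USB-EV-001 (sterile)", t0)
    log.record("responder-01", keys["responder-01"], "sealed", "host-x-ram.raw", digest, "evidence bag 17", t0 + timedelta(minutes=5))
    log.record("custodian-02", keys["custodian-02"], "received", "host-x-ram.raw", digest, "evidence safe", t0 + timedelta(minutes=40))
    tampered = [dict(e) for e in log.entries]
    tampered[1]["location"] = "analyst desk drawer"  # edited after signing
    return {
        "clean": verify(log.entries, keys, max_gap=timedelta(hours=1)),
        "gap": verify(log.entries, keys, max_gap=timedelta(minutes=10)),
        "tampered": verify(tampered, keys, max_gap=timedelta(hours=1)),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "OK")
```

The hash chain is what makes the log usable as a record of custody rather than a note: editing any field of a past entry changes its digest and invalidates its signature, and removing or reordering entries breaks the `prev_entry_sha256` link of whatever follows. Keys are per handler so an entry can only be signed by the person it names; in production they would live in a key store or an HSM rather than in the script, and the log itself would be written to write-once storage.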
