ISO 27001 Annex A 5.28 Audit Checklist

Auditing ISO 27001 Annex A 5.28 is a critical verification process to ensure that digital and physical evidence is legally defensible. The primary implementation requirement is a rigorous chain of custody; the business benefit is forensic integrity during legal or disciplinary proceedings.

This verification checklist is designed for auditors to confirm that all digital and physical evidence related to information security incidents is collected and preserved in a legally defensible manner. Use it to validate compliance with ISO 27001 Annex A 5.28 (Collection of evidence).

1. Identification of Evidence Sources Verified

Verification Criteria: The organisation has identified all potential sources of evidence (e.g. log files, system images, physical media, mobile devices) within the ISMS scope that may be required for legal or disciplinary action.

Required Evidence: Asset Register cross-referenced with the Incident Management Plan identifying specific evidence-bearing systems.

Pass/Fail Test: If the organisation cannot identify which systems generate legally admissible logs during an active incident, mark as Non-Compliant.

2. Forensic Readiness Plan Formalisation Verified

Verification Criteria: A documented forensic readiness plan exists that outlines the procedures for identifying, collecting, and preserving evidence to ensure its admissibility in court or disciplinary hearings.

Required Evidence: Approved Forensic Readiness Policy or an Evidence Collection Standard Operating Procedure (SOP).

Pass/Fail Test: If the organisation relies on ad-hoc collection methods without a formalised, documented preservation plan, mark as Non-Compliant.

3. Chain of Custody Documentation Integrity Confirmed

Verification Criteria: Every piece of evidence collected is accompanied by a Chain of Custody record that tracks its movement, handling, and storage from the moment of collection.

Required Evidence: Completed Chain of Custody forms or digital logs showing timestamps, handler names, and transfer reasons for recent incidents.

Pass/Fail Test: If any piece of evidence lacks a continuous, documented record of who possessed it at any given time, mark as Non-Compliant.

4. Technical Evidence Preservation Tools Validation Confirmed

Verification Criteria: The tools used for evidence collection (e.g. write-blockers, imaging software) are validated and maintained to ensure they do not alter the original data.

Required Evidence: Inventory of forensic tools with associated validation reports or maintenance logs (e.g. FTK, EnCase, or verified open-source alternatives).

Pass/Fail Test: If technical evidence is collected using unvalidated or standard “copy-paste” methods that modify file metadata, mark as Non-Compliant.

5. Personnel Competence for Evidence Collection Validated

Verification Criteria: Staff responsible for collecting evidence possess the necessary technical skills and training to perform collection without compromising evidence integrity.

Required Evidence: Training certificates, professional qualifications (e.g. CHFI, CFCE), or records of participation in forensic simulations.

Pass/Fail Test: If evidence is handled by staff members who have no documented training in forensic preservation techniques, mark as Non-Compliant.

6. Protection of Collected Evidence Integrity Verified

Verification Criteria: All collected evidence is protected against modification through the use of cryptographic hashing at the point of collection.

Required Evidence: Forensic logs containing MD5, SHA-1, or SHA-256 hash values generated immediately upon evidence acquisition.

Pass/Fail Test: If there is no record of the original hash value to prove the evidence has remained unchanged since collection, mark as Non-Compliant.
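The two audit tests above (item 3, a continuous custody record, and item 6, a hash fixed at acquisition) can be made concrete in a small script. The following is an added illustration, not part of the checklist or the author's toolkit; file paths, handler names and the sample image are constructed, and SHA-256 is used as the hash the Reality Check section expects.

```python
# Added illustration (not from the checklist): a minimal evidence-integrity and
# chain-of-custody record. A SHA-256 is taken at acquisition, each hand-off is
# logged with timestamp, handler and reason, and verification recomputes the hash.
import hashlib
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Stream the file so large disk images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def acquire(path, handler, reason):
    """Create the custody record; the hash is fixed at the point of collection."""
    return {"path": path, "sha256": sha256_file(path),
            "custody": [{"time": datetime.now(timezone.utc).isoformat(),
                         "from": None, "to": handler, "reason": reason}]}

def transfer(record, to_handler, reason):
    """Every hand-off is appended; the current holder is the last 'to' entry."""
    current = record["custody"][-1]["to"]
    record["custody"].append({"time": datetime.now(timezone.utc).isoformat(),
                              "from": current, "to": to_handler, "reason": reason})
    return record

def chain_is_continuous(record):
    """Audit test for item 3: each transfer's 'from' must equal the previous holder."""
    entries = record["custody"]
    return all(entries[i]["from"] == entries[i - 1]["to"] for i in range(1, len(entries)))

def verify(record):
    """Audit test for item 6: recompute and compare with the hash recorded at acquisition."""
    return sha256_file(record["path"]) == record["sha256"]

def demo():
    """Constructed sample: an evidence file that is altered after collection."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".img") as f:
        f.write(b"constructed sample disk image contents")
        path = f.name
    rec = acquire(path, "A. Analyst (constructed)", "Imaged host-01 (constructed)")
    transfer(rec, "Evidence Custodian (constructed)", "Stored in evidence safe")
    before = verify(rec)
    with open(path, "ab") as f:           # simulate tampering after collection
        f.write(b"!")
    return before, verify(rec), chain_is_continuous(rec)
```

An auditor applying item 6 would expect the acquisition hash to be recorded before any hand-off, exactly as `acquire()` does; a record whose first hash was taken later cannot prove the evidence was unchanged at collection.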

7. Evidence Storage Security Controls Confirmed

Verification Criteria: Evidence is stored in a secure environment with restricted access, protecting it from physical tampering, environmental damage, or unauthorised logical access.

Required Evidence: Physical access logs for the evidence safe/room and logical access control lists for forensic servers.

Pass/Fail Test: If evidence is stored in an unlocked or unmonitored area accessible to non-authorised personnel, mark as Non-Compliant.

8. Adherence to Jurisdictional Legal Requirements Verified

Verification Criteria: The collection and preservation process complies with the specific legal requirements of the jurisdictions in which the organisation operates (e.g. UK GDPR, PACE).

Required Evidence: Legal review documentation or a compliance mapping document within the Evidence Collection Procedure.

Pass/Fail Test: If the evidence collection process violates local data privacy laws or employment rights, mark as Non-Compliant.

9. External Specialist Engagement Protocols Validated

Verification Criteria: Formalised protocols exist for engaging external digital forensic specialists when internal capabilities are insufficient for the complexity of the incident.

Required Evidence: Signed Service Level Agreements (SLAs) or retainer contracts with vetted third-party forensic firms.

Pass/Fail Test: If a complex incident requires external forensics but the organisation has no pre-vetted partner or engagement protocol, mark as Non-Compliant.

10. Post-Collection Evidence Disposal Procedures Confirmed

Verification Criteria: Evidence is retained only as long as required for legal or business purposes and is securely disposed of once the retention period expires.

Required Evidence: Data retention schedule specifying evidence categories and secure destruction certificates for archived evidence.

Pass/Fail Test: If evidence is held indefinitely without a clear legal justification or retention policy, mark as Non-Compliant.

ISO 27001 Annex A 5.28 SaaS / GRC Platform Failure Checklist

Evidence Identification
The ‘Checkbox Compliance’ Trap: Tool checks if “Logging” is enabled in the cloud console.
The Reality Check: Auditor must verify whether the organisation knows which specific logs are required to prove a person’s intent.

Chain of Custody
The ‘Checkbox Compliance’ Trap: SaaS tool records a digital timestamp of when a file was uploaded.
The Reality Check: GRC tools cannot track physical media. Auditor must demand physical sign-off sheets for hardware evidence.

Competence Verification
The ‘Checkbox Compliance’ Trap: A checkbox stating “Staff have been trained” is marked ‘Yes’.
The Reality Check: Auditor must inspect the actual certifications (e.g. EnCE) of the individuals performing the bit-stream imaging.

Integrity Protection
The ‘Checkbox Compliance’ Trap: Platform verifies that storage is “Encrypted”.
The Reality Check: Encryption is not integrity. Auditor must see the SHA-256 hash values recorded at the time of the incident.

Forensic Readiness
The ‘Checkbox Compliance’ Trap: Tool identifies that a “Forensic Policy” file exists in the repository.
The Reality Check: Auditor must verify whether the policy includes specific technical playbooks for volatile RAM acquisition.

Jurisdictional Compliance
The ‘Checkbox Compliance’ Trap: Tool provides a generic template for “International Laws”.
The Reality Check: Auditor must check whether the process respects specific UK laws such as RIPA or local privacy regulations.

Storage Security
The ‘Checkbox Compliance’ Trap: GRC tool verifies the cloud provider’s ISO 27001 certificate.
The Reality Check: Auditor must verify who holds the keys to the forensic safe or ‘write’ access to the evidence vault.

About the author

Stuart Barker

ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
