4. Technical Evidence Preservation Tools Validation Confirmed

Verification Criteria: The tools used for evidence collection (e.g. write-blockers, imaging software) are validated and maintained to ensure they do not alter the original data.

5. Personnel Competence for Evidence Collection Validated

Verification Criteria: Staff responsible for collecting evidence possess the necessary technical skills and training to perform collection without compromising evidence integrity.

6. Protection of Collected Evidence Integrity Verified

Verification Criteria: All collected evidence is protected against modification through the use of cryptographic hashing at the point of collection.

7. Evidence Storage Security Controls Confirmed

Verification Criteria: Evidence is stored in a secure environment with restricted access, protecting it from physical tampering, environmental damage, or unauthorised logical access.

8. Adherence to Jurisdictional Legal Requirements Verified

Verification Criteria: The collection and preservation process complies with the specific legal requirements of the jurisdictions in which the organisation operates (e.g. UK GDPR, PACE).

9. External Specialist Engagement Protocols Validated

Verification Criteria: Formalised protocols exist for engaging external digital forensic specialists when internal capabilities are insufficient for the complexity of the incident.

10. Post-Collection Evidence Disposal Procedures Confirmed

Verification Criteria: Evidence is retained only as long as required for legal or business purposes and is securely disposed of once the retention period expires.

ISO 27001 Annex A 5.28 Audit Checklist [+ Templates]

Q: 1. Identification of Evidence Sources Verified

Verification Criteria: The organisation has identified all potential sources of evidence (e.g. log files, system images, physical media, mobile devices) within the ISMS scope that may be required for legal or disciplinary action.

Q: 2. Forensic Readiness Plan Formalisation Verified

Verification Criteria: A documented forensic readiness plan exists that outlines the procedures for identifying, collecting, and preserving evidence to ensure its admissibility in court or disciplinary hearings.

Q: 3. Chain of Custody Documentation Integrity Confirmed

Verification Criteria: Every piece of evidence collected is accompanied by a Chain of Custody record that tracks its movement, handling, and storage from the moment of collection.

In this ultimate how to audit guide to ISO 27001 Annex A 5.28 Collection of Evidence, you will learn directly from an ISO 27001 Lead Auditor:

10 Key Audit Steps
Verification Criteria
Required Evidence
The Pass / Fail Test

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

1. Identification of Evidence Sources Verified
2. Forensic Readiness Plan Formalisation Verified
3. Chain of Custody Documentation Integrity Confirmed
4. Technical Evidence Preservation Tools Validation Confirmed
5. Personnel Competence for Evidence Collection Validated
6. Protection of Collected Evidence Integrity Verified
7. Evidence Storage Security Controls Confirmed
8. Adherence to Jurisdictional Legal Requirements Verified
9. External Specialist Engagement Protocols Validated
10. Post-Collection Evidence Disposal Procedures Confirmed

Auditing ISO 27001 Annex A 5.28 is a critical verification process to ensure that digital and physical evidence is legally defensible. The Primary Implementation Requirement centers on maintaining a rigorous chain of custody, providing the Business Benefit of forensic integrity during legal or disciplinary proceedings.

1. Identification of Evidence Sources Verified

Verification Criteria: The organisation has identified all potential sources of evidence (e.g. log files, system images, physical media, mobile devices) within the ISMS scope that may be required for legal or disciplinary action.

Required Evidence: Asset Register cross-referenced with the Incident Management Plan identifying specific evidence-bearing systems.

Pass/Fail Test: If the organisation cannot identify which systems generate legally admissible logs during an active incident, mark as Non-Compliant.

2. Forensic Readiness Plan Formalisation Verified

Verification Criteria: A documented forensic readiness plan exists that outlines the procedures for identifying, collecting, and preserving evidence to ensure its admissibility in court or disciplinary hearings.

Required Evidence: Approved Forensic Readiness Policy or an Evidence Collection Standard Operating Procedure (SOP).

Pass/Fail Test: If the organisation relies on ad-hoc collection methods without a formalised, documented preservation plan, mark as Non-Compliant.

3. Chain of Custody Documentation Integrity Confirmed

Verification Criteria: Every piece of evidence collected is accompanied by a Chain of Custody record that tracks its movement, handling, and storage from the moment of collection.

Required Evidence: Completed Chain of Custody forms or digital logs showing timestamps, handler names, and transfer reasons for recent incidents.

Pass/Fail Test: If any piece of evidence lacks a continuous, documented record of who possessed it at any given time, mark as Non-Compliant.

READ THE FULL ARTICLE

Access to Business and Consultant Toolkit Members Only.

Get the Toolkit

Members Login

Table of contents

1. Identification of Evidence Sources Verified

2. Forensic Readiness Plan Formalisation Verified

3. Chain of Custody Documentation Integrity Confirmed