ISO 27001:2022 Annex A 5.28 Collection of evidence

In this guide, I will show you exactly how to implement ISO 27001 Annex A 5.28 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.

I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.

Key Takeaways: ISO 27001 Annex A 5.28 Collection of Evidence

ISO 27001 Annex A 5.28 requires organizations to establish and implement procedures for the identification, collection, acquisition, and preservation of evidence related to information security events. This corrective control is vital for any organization that may need to take legal or disciplinary action following a breach. Without a rigorous, forensic approach to evidence, any data you collect (like server logs or emails) may be ruled inadmissible in court or an HR hearing due to potential tampering or a broken Chain of Custody.

Core requirements for compliance include:

  • Forensic Readiness: You must have a documented process for handling evidence that meets the requirements of applicable laws and jurisdictions.
  • Chain of Custody: You must maintain a formal log that tracks every person who handled a piece of evidence, where it was stored, and why it was moved.
  • Integrity of Evidence: You must be able to prove that the evidence has not been altered since collection. For electronic data, this typically involves taking bit-for-bit copies and using Cryptographic Hashing to verify integrity.
  • Use of Professionals: The standard recommends using trained and qualified personnel for evidence collection. Many small-to-medium organizations meet this by having a pre-vetted, specialist Forensic Supplier on retainer.
  • System State Documentation: When acquiring evidence, you should document that the system was operating as intended at the time, or record any anomalies that could affect the data’s reliability.
  • Storage & Protection: Evidence must be stored securely (e.g., in a physical safe for hardware or an encrypted, write-once repository for digital logs) to prevent unauthorized access or accidental deletion.

Audit Focus: Auditors will look for “The Forensic Paper Trail”:

  1. Retention Policy: “Show me your policy for evidence collection. Does it define how long you keep evidence and who is authorized to access the evidence safe?”
  2. Chain of Custody Proof: “If you had a disciplinary issue last year involving an employee’s laptop, show me the Chain of Custody Log. Who seized the device and where is it now?”
  3. Vetting of Experts: “If you use an external firm for forensics, show me how you vetted their qualifications and their own ISO 27001 status.”

Chain of Custody Log Template (Audit Prep):

Field | Purpose | Example Entry | ISO 27001:2022 Control
Evidence ID | Unique reference number. | EVID-001 (Encrypted Hard Drive). | Annex A 5.28
Collected By | Person seizing the asset. | John Smith (IT Security Lead). | Annex A 5.28
Date/Time | Precise moment of seizure. | 2023-10-27 14:30 GMT. | Annex A 5.28 / 8.15
Location | Origin of the evidence. | Desk 4, Finance Dept. | Annex A 5.28
Handed To | Next person in the chain. | Sarah Doe (Legal Counsel). | Annex A 5.28
Reason | Purpose of movement. | Secure transport to Offsite Safe. | Annex A 5.28

What is ISO 27001 Annex A 5.28?

ISO 27001 Annex A 5.28 is about the collection of evidence, which means you must have a system to handle the collection and management of evidence from information security events.

ISO 27001 Annex A 5.28 Collection of Evidence requires an organisation to identify, collect, acquire and preserve evidence related to information security incidents.

It is an ISO 27001 control that forms part of information security incident management.

ISO 27001 Annex 5.28 purpose

The purpose of ISO 27001 Clause 5.28 is to ensure consistent and effective management of evidence related to information security incidents for the purposes of disciplinary and legal actions.

ISO 27001 Annex 5.28 definition

The ISO 27001 standard defines ISO 27001 Annex A 5.28 as:

The organisation should establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.

Watch the ISO 27001 Annex A 5.28 Tutorial

In this video I show you how to implement ISO 27001 Annex A 5.28 and how to pass the audit.

ISO 27001 Annex A 5.28 Podcast

In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 5.28 Collection Of Evidence. The podcast explores what it is, why it is important and the path to compliance.

ISO 27001 Annex 5.28 Implementation Guidance

It is my experience that the best way to implement Annex A 5.28 is to have a procedure that calls in the professionals to do the work. This would form part of your incident management process and would be instigated at the earliest opportunity. This usually means as soon as it becomes clear that evidence collection will be required to support a legal or disciplinary process.

Having a Collection of Evidence Policy and a process that has the contact details for a pre-selected, pre-vetted supplier is the best way to implement Annex A 5.28.

For further reading, if required, the standard that covers information security incident management is ISO/IEC 27035.

The requirements of ISO 27001 Collection of Evidence

As the control is looking at the collection of evidence to support legal and disciplinary action, the first requirement is to understand the different laws and jurisdictions that apply to you. If you understand what these laws require, you increase your chances of having your evidence admitted for consideration.

The requirements of the control are based around having documented processes and procedures that meet the requirements of applicable laws. Those processes and procedures are going to cover:

  • Identification of evidence
  • Collection of evidence
  • Acquisition of evidence
  • Preservation of evidence

When implementing those processes and procedures you are going to ensure that:

  • Evidence and records are complete and have not been tampered with
  • Copies of electronic evidence are identical to the originals
  • Evidence from systems was from systems operating as intended at the time of collection

It is best practice, and recommended, that the people involved in the process and collection of evidence are trained, qualified and certified to the appropriate level.

How to implement ISO 27001 Annex 5.28

Implementing ISO 27001 Annex A 5.28 ensures that your organisation can identify, acquire, and preserve evidence in a manner that is legally admissible and technically sound. This process transforms raw security logs and hardware into verifiable proof for disciplinary or judicial proceedings. Following these steps ensures your incident management programme meets lead auditor expectations for forensic readiness.

1. Formalise the Evidence Management Framework

Establish a topic-specific policy that defines the legal and jurisdictional requirements for evidence handling. This action ensures that all collection activities align with local laws such as the Police and Criminal Evidence Act (PACE) or equivalent regional regulations.

  • Define clear Roles and Responsibilities for the incident response team.
  • Identify relevant jurisdictions to ensure the Rules of Engagement (ROE) meet local admissibility criteria.
  • Document the triggers for evidence collection to prevent accidental data spoliation during initial triage.

2. Authorise and Pre-vet Specialist Forensic Suppliers

Provision external forensic expertise and retainers before an incident occurs. Because digital forensics requires specialised skills and certified tools, using pre-vetted professionals reduces the risk of evidence being ruled inadmissible due to improper handling.

  • Maintain a register of authorised forensic investigators with recognised certifications.
  • Ensure third-party contracts include strict non-disclosure agreements (NDAs) and data protection clauses.
  • Review the ISO 27001 certification status of external forensic labs to maintain the security chain.

3. Standardise Technical Acquisition Procedures

Deploy rigorous acquisition protocols to maintain data integrity. The goal is to prove that the evidence collected is an exact, bit-for-bit representation of the original source at the time of seizure.

  • Use hardware write-blockers for all physical drive acquisitions to prevent data modification.
  • Generate cryptographic hashes (such as SHA-256) immediately upon acquisition to provide a digital fingerprint.
  • Document the system state and any environmental anomalies at the time of collection to provide necessary context for the data.

4. Execute Rigorous Chain of Custody Protocols

Document every interaction with the evidence using a formal Chain of Custody log. This action creates a transparent audit trail that accounts for the location, possession, and purpose of movement for every evidence item.

  • Assign a unique Evidence ID to every physical and digital asset seized.
  • Record the date, time, and precise location of seizure for all items.
  • Require signatures or digital timestamps for every handover between personnel or departments.

5. Enforce Secure Preservation and Access Controls

Protect evidence from unauthorised access, tampering, or environmental degradation. Secure storage ensures that the evidence remains in its original state until it is required for legal or disciplinary review.

  • Store physical evidence in tamper-evident bags within a restricted-access safe or locker.
  • Utilise encrypted, write-once storage repositories for digital evidence and log files.
  • Implement Multi-Factor Authentication (MFA) and strict IAM roles for access to forensic workstations and image repositories.
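Steps 3 to 5 above can be exercised together in code. The following is an added example, not part of the original guide or the toolkit: a hash-chained chain-of-custody log in Python that records the acquisition SHA-256 of an image, commits every handover to the previous entry, and verifies both the log and the image. It assumes a constructed byte string in place of a real bit-for-bit image and reuses the sample names, location and time from the log template.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for the bit-for-bit image taken under a write-blocker (step 3).
IMAGE = b"constructed disk image for EVID-001 " * 64
SEIZED = datetime(2023, 10, 27, 14, 30, tzinfo=timezone.utc)
GENESIS = "0" * 64  # prev_hash recorded by the first log entry

def sha256_hex(data: bytes) -> str:
    """Digital fingerprint taken immediately on acquisition (step 3)."""
    return hashlib.sha256(data).hexdigest()

def entry_hash(entry: dict) -> str:
    """Hash of an entry's canonical JSON, excluding its own entry_hash field."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def record(log: list, evidence_id: str, collected_by: str, handed_to: str,
           location: str, reason: str, evidence_sha256: str, when: datetime) -> dict:
    """Append one handover (step 4); each entry commits to the one before it."""
    entry = {
        "evidence_id": evidence_id,
        "collected_by": collected_by,
        "handed_to": handed_to,
        "date_time": when.isoformat(),
        "location": location,
        "reason": reason,
        "evidence_sha256": evidence_sha256,
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = entry_hash(entry)
    log.append(entry)
    return entry

def verify(log: list, image: bytes) -> tuple:
    """Check that no entry was altered or removed and the image still matches."""
    if not log:
        return False, "empty log"
    acquired = log[0]["evidence_sha256"]
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev:
            return False, f"entry {i}: chain broken"
        if entry_hash(entry) != entry["entry_hash"]:
            return False, f"entry {i}: entry altered"
        if entry["evidence_sha256"] != acquired:
            return False, f"entry {i}: evidence hash changed"
        prev = entry["entry_hash"]
    if sha256_hex(image) != acquired:
        return False, "image no longer matches acquisition hash"
    return True, "ok"

def build_sample_log() -> list:
    """Three custody events for EVID-001 using the template's sample values."""
    log, h = [], sha256_hex(IMAGE)
    smith, doe = "John Smith (IT Security Lead)", "Sarah Doe (Legal Counsel)"
    record(log, "EVID-001", smith, smith, "Desk 4, Finance Dept", "Seizure and imaging", h, SEIZED)
    record(log, "EVID-001", smith, doe, "Offsite Safe", "Secure transport to Offsite Safe", h,
           SEIZED.replace(hour=16))
    record(log, "EVID-001", doe, smith, "Forensic workstation", "Retrieved for analysis", h,
           SEIZED.replace(day=30, hour=9))
    return log
```

The chain detects edited or deleted entries and a changed image, but not the silent removal of the final entry, which is why the log itself belongs in the write-once repository of step 5.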

Chain of Custody Log Template

Field | Description | Example Entry
Evidence ID | Unique reference number. | EVID-001 (Hard Drive).
Collected By | Name of the person seizing it. | John Smith (IT Security).
Date/Time | Exact moment of seizure. | 2023-10-27 14:30 GMT.
Location | Where it was found. | Desk 4, Finance Office.
Handed To | Who took possession next? | Jane Doe (Legal Counsel).
Reason | Why was it moved? | Transport to Safe.

How to comply

To comply with ISO 27001 Annex A 5.28 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to:

  1. Have an ISO 27001 topic specific policy for the collection of evidence
  2. Implement a process that outsources the collection of evidence to an appropriate, qualified, certified, pre-vetted supplier at the earliest opportunity
  3. Incorporate that process into your information security incident management process

How to pass an ISO 27001 Annex 5.28 audit

To pass an audit of ISO 27001 Annex A 5.28 you are going to make sure that you have followed the steps above in how to comply and be able to evidence it in operation. It may be that you have not had to implement the process for the collection of evidence, which is acceptable, in which case just your policy and procedures will be audited.

  1. Have an ISO 27001 topic specific policy for the collection of evidence
  2. Implement a process that outsources the collection of evidence to an appropriate, qualified, certified, pre-vetted supplier at the earliest opportunity
  3. Incorporate that process into your information security incident management process
  4. Be able to evidence that you followed the documented process in the event that you have had to collect evidence as part of your business operations.

What an auditor will check

The audit is going to check a number of areas. Let's go through the main ones.

1. That you have documented your collection of evidence process

The audit will check the documentation: that you have reviewed and signed it off, and that it represents what you actually do, not what you think the auditor wants to hear.

2. That you can demonstrate the process working

They are going to ask you for evidence of the collection of evidence process in operation and take at least one example. For this example you are going to show them and walk them through the process and prove that you followed it and that the process worked.

3. That you can learn your lesson

Documenting your lessons learnt and following this through to continual improvements or incident and corrective actions will be checked.

Top 3 ISO 27001 Annex 5.28 Mistakes People Make and How to Avoid Them

The most common mistakes people make for ISO 27001 Annex A 5.28 are:

1. Not having a documented collection of evidence process and policy.

This is the most common mistake made by organisations. A documented collection of evidence policy and collection of evidence process is essential for effective incident response.

2. Not having evidence collected by professionals

There are so many mistakes that can be made in the collection of evidence that would render the evidence useless. The standard guidance is to use trained and qualified personnel. Whether in-house or outsourced, you should ensure that you engage with professionals at the earliest opportunity, and at least as soon as it becomes evident that evidence is required for legal or disciplinary purposes.

3. Not monitoring the effectiveness of the collection of evidence process

It is important to monitor the effectiveness of the collection of evidence process. This means reviewing the process, conducting internal audits and reviewing actual incidents for lessons learnt.

By avoiding these mistakes, you can ensure that you have an effective collection of evidence plan in place.

Applicability of ISO 27001 Annex A 5.28 across different business models

Small Businesses

Applicability: Highly applicable for businesses that may need to handle employee disputes or minor theft. The goal is to ensure that basic evidence, like emails or physical hardware, is managed in a way that remains legally valid.

Examples of control implementation:
  • Establishing a “Forensic Partner” relationship with an external IT specialist who can be called in to seize hardware correctly.
  • Using a simple Chain of Custody Log to track whenever an employee’s laptop or mobile device is seized for investigation.
  • Storing seized physical media (e.g., USB drives) in a dedicated, locked safe with a recorded log of who has access to the keys.

Tech Startups

Applicability: Critical for protecting proprietary source code and managing developer-related security events. Compliance involves ensuring digital evidence from cloud environments is captured without altering its integrity.

Examples of control implementation:
  • Implementing Cryptographic Hashing (e.g., SHA-256) on captured server logs or code repository snapshots to prove they haven’t been tampered with.
  • Training the DevOps lead on basic “Live Forensics” to ensure that volatile data (like system memory) is captured before a compromised server is rebooted.
  • Maintaining a Write-Once-Read-Many (WORM) storage repository for incident-related logs to prevent accidental or malicious deletion.

AI Companies

Applicability: Vital for investigating potential theft of high-value model weights or dataset exfiltration. Focus is on specialized forensics for large-scale AI infrastructure and research assets.

Examples of control implementation:
  • Developing a forensic procedure for GPU Cluster Artifacts, ensuring that evidence of unauthorized model training or access is identified and preserved.
  • Keeping a “Vetted Specialist” on retainer who understands the technical nuances of Machine Learning Model Forensics and adversarial attacks.
  • Formalizing the “Identification of Evidence” process for proprietary datasets, ensuring that the provenance and integrity of training data can be proven in court.

Fast Track ISO 27001 Annex A 5.28 Compliance with the ISO 27001 Toolkit

For ISO 27001 Annex A 5.28 (Collection of evidence), the requirement is to establish and implement procedures for the identification, collection, acquisition, and preservation of evidence related to information security events. This is a corrective control that ensures evidence is managed in a way that makes it admissible for legal or disciplinary proceedings.

Policy Ownership
  • SaaS Compliance Platforms: Rents access to your evidence rules; if you cancel the subscription, your documented chain-of-custody protocols vanish.
  • High Table ISO 27001 Toolkit: Permanent Assets: fully editable Word/Excel Evidence Policies and Logs that you own and host forever.
  • Audit Evidence Example: A localized “Collection of Evidence Policy” defining legal requirements for admissibility in your jurisdiction.

Forensic Integrity
  • SaaS Compliance Platforms: Attempts to “automate” evidence via dashboards that cannot physically seize hardware or ensure a legal chain of custody.
  • High Table ISO 27001 Toolkit: Governance-First: formalizes your emergency response and expert engagement into an auditor-ready framework.
  • Audit Evidence Example: A completed “Chain of Custody Log” proving who handled a seized device from the moment of collection to analysis.

Cost Efficiency
  • SaaS Compliance Platforms: Charges an “Evidence Volume Tax” based on logged events, creating perpetual overhead for high-stakes incidents.
  • High Table ISO 27001 Toolkit: One-Off Fee: a single payment covers your evidence governance whether you have 0 incidents or 100.
  • Audit Evidence Example: Allocating budget to professional forensic specialists or legal counsel rather than monthly “dashboard” fees.

Legal Strategy Freedom
  • SaaS Compliance Platforms: Mandates rigid reporting formats that may not align with local jurisdictional requirements or specific technical setups.
  • High Table ISO 27001 Toolkit: 100% Agnostic: procedures adapt to any environment, whether high-end digital forensics tools or manual risk-managed logs.
  • Audit Evidence Example: The ability to evolve your evidence strategy (e.g., using specialized third-party labs) without reconfiguring a rigid SaaS module.

Summary: For Annex A 5.28, the auditor wants to see that you have a formal process for collecting evidence and proof of a chain of custody if an incident occurred. The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.

ISO 27001 Annex 5.28 FAQ

What is ISO 27001 Annex A 5.28?

ISO 27001 Annex A 5.28 is a technical security control that mandates the identification, collection, acquisition, and preservation of digital evidence to ensure its admissibility in legal or disciplinary proceedings.

  • It ensures the integrity of evidence during an information security incident.
  • It requires that all evidence be handled in a way that proves it has not been tampered with.
  • It aligns with international standards for digital forensics (e.g., ISO/IEC 27037).
  • It is essential for successful litigation, regulatory compliance, and insurance claims.

Is a chain of custody required for ISO 27001 compliance?

Yes, maintaining a formal chain of custody is a mandatory requirement under Control 5.28 to document the movement and handling of evidence from the moment of collection until disposal.

  • A chain of custody log must record who handled the evidence, at what time, and for what purpose.
  • It must include unique identifiers for all physical and digital evidence items.
  • It prevents claims of evidence tampering or contamination during legal disputes.
  • Evidence must be stored in a secure environment with restricted access throughout the process.

What constitutes “digital evidence” in an ISO 27001 audit?

Digital evidence includes any information stored or transmitted in binary form that supports or refutes a security incident claim, such as system logs, database entries, or disk images.

  • Server and network audit logs (SIEM exports).
  • Captured network traffic (PCAP files).
  • Volatile memory (RAM) captures and forensic disk clones.
  • Mobile device backups and cloud service activity logs.

How should evidence be preserved to remain admissible?

To remain admissible, evidence must be preserved using write-protect mechanisms and cryptographic hashing to prove that the data has remained unchanged since collection.

  • Use forensic hardware “write-blockers” when imaging physical drives.
  • Generate SHA-256 or similar cryptographic hashes for every evidence file immediately upon acquisition.
  • Store master evidence in “Read-Only” formats and only perform analysis on working copies.
  • Maintain strict environmental controls for physical storage media to prevent data degradation.

Who is authorised to collect evidence under Annex A 5.28?

Evidence must be collected by competent individuals who have been formally trained in forensic procedures and are independent of the incident’s investigation where possible.

  • Internal security incident response teams (CSIRT) with specialised training.
  • External third-party digital forensic and incident response (DFIR) specialists.
  • Authorised system administrators who follow a pre-defined and documented evidence collection checklist.

Does ISO 27001 require evidence collection for every incident?

No, the level of evidence collection should be proportionate to the severity of the incident and the likelihood of future legal or disciplinary action.

  • High-impact breaches (e.g., data theft) require full forensic preservation.
  • Low-impact operational issues may only require standard system logging.
  • The decision to collect evidence should be guided by your Incident Management Policy and Risk Assessment.

ISO 27001 Annex A 5.24 Information Security Incident Management Planning and Preparation

ISO 27001 Annex A 8.15 Logging

Further Reading

The complete guide to ISO/IEC 27002:2022

ISO 27001 Incident and Corrective Action Log Template

Business Continuity Incident Action Log Template

ISO 27001 Controls and Attribute values

Control type: Corrective
Information security properties: Confidentiality, Integrity, Availability
Cybersecurity concepts: Detect, Respond
Operational capabilities: Information Security Event Management
Security domains: Defence

Stuart Barker

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
