ISO 27001 Annex A 5.28 Collection Of Evidence

Home / ISO 27001 Annex A Controls / ISO 27001 Annex A 5.28 Collection Of Evidence

ISO 27002:2022 Clause 5.28 Collection of Evidence

In this article I lay bare ISO 27001:2022 Annex A 5.28 Collection of Evidence

Using over two decades of experience on hundreds of ISO 27001 audits and ISO 27001 certifications I am going to show you what’s new, give you templates, an ISO 27001 toolkit, show you examples and do a walkthrough.

In this ISO 27001 certification guide I show you exactly what changed in the ISO 27001:2022 update. 

I am Stuart Barker the ISO 27001 Ninja and this is ISO 27001:2022 Annex A 5.28 Collection of Evidence

What is ISO 27001 Collection of Evidence?

ISO 27001:2022 Annex A 5.28 Collection of Evidence requires an organisation to identify, collect, acquire and preserve evidence related to information security incidents.

It is an ISO 27001 control that forms part of information security incident management.

ISO 27001 Clause 5.28 Purpose

The purpose of ISO 27001:2022 Clause 5.28 is to ensure a consistent and effective management of evidence related to information security incidents for the purposes of disciplinary and legal actions.

ISO 27001 Annex A 5.28 Definition

The ISO 27001:2022 standard defines ISO 27001:2022 Annex A 5.28 as:

The organisation should establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.

ISO 27001:2022 Annex A 5.28 Collection of Evidence

DO IT YOURSELF ISO 27001

STOP SPANKING £10,000s on CONSULTANTS and ISMS ONLINE PLATFORMS

ISO 27001 Toolkit Business Edition

Implementation Guide

It is my experience that the best way to implement Annex A 5.28 is to have a procedure that calls in the professionals to do the work. This would form part of your incident management process and would be instigated at the earliest opportunity. This usually means as soon as it becomes clear that evidence collection will be required to support a legal or disciplinary process.

Having a Collection of Evidence Policy and a process that has the contact details for a pre selected, pre vetted supplier is the best way to implement Annex A 5.28.

The standard that relates to information security incident management for further reading if required is ISO/IEC 27035

The requirements of ISO 27001 Collection of Evidence

As the control is looking at the collection of evidence to support legal and disciplinary action the first requirement is to understand the different laws and jurisdictions that apply to you. If you understand the needs of these laws you will understand what requirements they have and increase your chances of successfully admitting your evidence for consideration.

The requirements of the control are based around having documented processes and procedures that meet the requirements of applicable laws. Those processes and procedures are going to cover

  • Identification of evidence
  • Collection of evidence
  • Acquisition of evidence
  • Preservation of evidence

When implementing those processes and procedures you are going to ensure that

  • Evidence and records are complete and have not been tampered with
  • Copies of electronic evidence are identical to the origionals
  • Evidence from systems was from systems operating as intended at the time of collection

It is best practice and recommended that people that are involved in the process and collection of evidence and trained, qualified and certified to the appropriate level.

How to comply

To comply with ISO 27001:2022 Annex A 5.28 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to:

  1. Have an ISO 27001 topic specific policy for the collection of evidence
  2. Implement a process that outsource the collection of evidence to an appropriate, qualified, certified, pre vetted supplier at the earliest opportunity
  3. Incorporate that process into your information security incident management process

How to pass an audit

To pass an audit of ISO 27001:2022 Annex A 5.28 you are going to make sure that you have followed the steps above in how to comply and be able to evidence it in operation. It maybe that you have not had to implement the process for the collection of evidence, which is acceptable, in which case just your policy and procedures will be audited.

  1. Have an ISO 27001 topic specific policy for the collection of evidence
  2. Implement a process that outsource the collection of evidence to an appropriate, qualified, certified, pre vetted supplier at the earliest opportunity
  3. Incorporate that process into your information security incident management process
  4. Be able to evidence that you followed the documented process in the event that you have had to collect evidence as part of your business operations.

You are going to check that it is working by first conducting an internal audit, following the How to Conduct an ISO 27001 Internal Audit Guide.

What will an auditor check

The audit is going to check a number of areas. Lets go through the main ones

1. That you have documented your collection of evidence process

The audit will check the documentation, that you have reviewed it and signed and it off and that it represents what you actually do not what you think they want to hear.

2. That you can demonstrate the process working

They are going to ask you for evidence to the collection of evidence process and take at least one example. For this example you are going to show them and walk them through the process and prove that you followed it and that the process worked.

3. That you can learn your lesson

Documenting your lessons learnt and following this through to continual improvements or incident and corrective actions will be checked.

Top 3 Mistakes People Make

The most common mistakes people make for ISO 27001:2022 Annex A 5.28 are

1. Not having a documented collection of evidence process and policy.

This is the most common mistake made by organisations. A documented collection of evidence policy and collection of evidence process is essential for effective incident response.

2. Not having evidence collected by professionals

There are so many mistakes that can be made in the collection of evidence that would render the evidence useless. The standard guidance is to use trained and qualified personnel. Whether in house or out sourced you should ensure that you engage with professionals at the earliest opportunity and at least as soon as it becomes evident that evidence is required for legal or disciplinary purposes.

3. Not monitoring the effectiveness of the collections of evidence process

It is important to monitor its effectiveness of the collection of evidence process. This means reviewing the process, conducting internal audits and reviewing actual incidents for lessons learnt.

By avoiding these mistakes, you can ensure that you have an effective collection of evidence plan in place.

What are the Benefits of ISO 27001 Collection of Evidence?

Other than your ISO 27001 certification requiring it, the following are the top 5 benefits of ISO 27001:2022 Annex A 5.28: 

  1. You cannot get ISO 27001 certification without it.
  2. Improved security: You will have an effective information security incident management system that addresses the legal collection of evidence when and if required
  3. Reduced risk: You will reduce the information security risks of collecting evidence that cannot be used in a legal or disciplinary process
  4. Improved compliance: Standards and regulations require an effective information security incident management system to be in place
  5. Reputation Protection: In the event of a breach having an effective collection of evidence system in place will reduce the potential for fines and reduce the PR impact of an event

Why is ISO 27001 Collection of Evidence Important?

As the saying goes, shit happens. It is facts of life. Sometimes those things that go wrong are as a result of human actions that lead to either legal or disciplinary actions.

ISO 27001:2022 Annex A 5.28 is important because it provides guidance on how we collect the evidence to investigate, take against against people or submit to a course of legal action in a way that the evidence will be accepted. The guidance in ISO 27001:2022 Annex A 5.28 can help you to develop and implement an effective collection of evidence plan with the greatest chance of success.

ISO 27001 Collection of Evidence FAQ

What is ISO 27001:2022 Clause 5.28?

ISO 27001:2022 Annex A 5.28 is a control that requires organisations to collect evidence from information security management incidents in a way that it is admissible as part of legal proceedings or disciplinary action.

What types of information security incident evidence are there?

The most common types of information security incident evidence are
1. Emails
2. Electronic communications
3. System and application logs
4. Printouts or physical media
5. System and Application Reports
6. User activity logs
7. System activity logs

Do I have to satisfy ISO 27001:2022 Annex A 5.28 for ISO 27001 Certification?

Yes. It is required for ISO 27001.

ISO 27001:2022 Annex A 5.28 sample PDF?

ISO 27001:2022 Annex A 5.28 Sample PDF: https://hightable.io/product/iso-27001-templates-toolkit/

Where can I get templates for ISO 27001:2022 Annex A 5.28?

ISO 27001:2022 templates for Annex A 5.28 are located here: https://hightable.io/product/iso-27001-templates-toolkit/

How hard is ISO 27001:2022 Annex A 5.28 Learning from information security incidents?

ISO 27001:2022 Annex A 5.28 is not hard.

How long will ISO 27001:2022 Annex A 5.28 Learning from information security incidents take me?

ISO 27001:2022 Annex A 5.28 will take approximately 1 day to complete if you are starting from nothing and doing it yourself.

Are there free templates for ISO 27001:2022 Annex A 5.28?

There are templates for ISO 27001:2022 Annex A 5.28 located here: https://hightable.io/product/iso-27001-policy-template-bundle/

What are the roles and responsibilities involved in information security management?

Typically they are:
Incident Manager: Managing and coordinating the incident
Incident Response Team: the people responding to the incident
The Legal Team: providing legal advice
The Information Security Team: maintaining the confidentiality, integrity and availability of data.
Communications Team: keeping interested parties appropriately informed

Is there an online ISO 27001?

Yes, there is an online ISO 27001 at ISO 27001 Online.

What are the resources available to help me with ISO 27001Collection of Evidence?

Other than this ISO 27001 certification guide there are 2 additional, practical resources that can help you with Annex A 5.28.
Having an ISO 27001 Topic Specific Policy that covers the collection of evidence is a vital resource for this control. It is included in the ISO 27001 Policy Templates Pack and in the ISO 27001 Toolkit.

What are the consequences of not implementing ISO 27001 Collection of Evidence?

The main consequence is that any evidence that you collect will not be usable in either legal proceedings or in any disciplinary action.

How can I monitor the effectiveness of my ISO 27001 Collection of Evidence implementation?

You can monitor the effectiveness of Annex A 5.28 in a number of ways. The most common ways are:
You have a process of internal audit that audits Annex A 5.8 on a periodic basis
Your collection of evidence process includes a root cause and lessons step that allows you to check that everything worked as intended identify opportunities for improvement.

What are examples of a violation of ISO 27001 Collection of Evidence?

Someone who is not trained or qualified collecting evidence in an unstructured way and a way that does not meet the requirements of relevant laws and regulations, thus making it unusable.

Who is responsible for ISO 27001 Collection of Evidence?

Accountability for ISO 27001:2022 Annex A 5.28 lies with the senior leadership team. Responsibility is often assigned to the incident management team and the incident management lead.

Matrix of ISO 27001:2022 Controls and ISO 27001:2022 Attribute values

Control typeInformation
security properties
Cybersecurity
concepts
Operational
capabilities
Security domains
CorrectiveConfidentialityDetectInformation Security Event ManagementDefence
IntegrityRespond
Availability
ISO 27001 Toolkit Business Edition

Do It Yourself ISO27001

Stop Spanking £10,000s on consultants and ISMS online-tools.