ISO 27001 Annex A 5.28 Collection Of Evidence

Home / ISO 27001 Annex A Controls / ISO 27001 Annex A 5.28 Collection Of Evidence

ISO 27001 Collection Of Evidence

In this ultimate guide to ISO 27001 Annex A 5.28 Collection Of Evidence you will learn

What is ISO 27001 Annex A 5.28
How to implement ISO 27001 Annex A 5.28

I am Stuart Barker, the ISO 27001 Ninja and author of the Ultimate ISO 27001 Toolkit.

With over 30 years industry experience I will show you what’s new, give you ISO 27001 templates, show you examples, do a walkthrough and show you how to implement it for ISO 27001 certification.

ISO 27001 Collection Of Evidence
What is ISO 27001 Annex A 5.28?
Implementation Guide
ISO 27001 Templates
How to comply
How to pass an audit
What an auditor will check
Top 3 Mistakes People Make
FAQ
ISO 27001 Controls and Attribute values

What is ISO 27001 Annex A 5.28?

ISO 27001 Annex A 5.28 Collection of Evidence requires an organisation to identify, collect, acquire and preserve evidence related to information security incidents.

It is an ISO 27001 Annex A control that forms part of information security incident management.

Purpose

The purpose of ISO 27001 Clause 5.28 is to ensure a consistent and effective management of evidence related to information security incidents for the purposes of disciplinary and legal actions.

Definition

The ISO 27001 standard defines ISO 27001 Annex A 5.28 as:

The organisation should establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.
ISO 27001:2022 Annex A 5.28 Collection of Evidence

Implementation Guide

It is my experience that the best way to implement Annex A 5.28 is to have a procedure that calls in the professionals to do the work. This would form part of your incident management process and would be instigated at the earliest opportunity. This usually means as soon as it becomes clear that evidence collection will be required to support a legal or disciplinary process.

Having a Collection of Evidence Policy and a process that has the contact details for a pre selected, pre vetted supplier is the best way to implement Annex A 5.28.

The standard that relates to information security incident management for further reading if required is ISO/IEC 27035

The requirements of ISO 27001 Collection of Evidence

As the control is looking at the collection of evidence to support legal and disciplinary action the first requirement is to understand the different laws and jurisdictions that apply to you. If you understand the needs of these laws you will understand what requirements they have and increase your chances of successfully admitting your evidence for consideration.

The requirements of the control are based around having documented processes and procedures that meet the requirements of applicable laws. Those processes and procedures are going to cover

Identification of evidence
Collection of evidence
Acquisition of evidence
Preservation of evidence

When implementing those processes and procedures you are going to ensure that

Evidence and records are complete and have not been tampered with
Copies of electronic evidence are identical to the origionals
Evidence from systems was from systems operating as intended at the time of collection

It is best practice and recommended that people that are involved in the process and collection of evidence and trained, qualified and certified to the appropriate level.

ISO 27001 Templates

DO IT YOURSELF ISO 27001

All the templates, tools, support and knowledge you need to do it yourself.

The Ultimate ISO 27001 Toolkit

How to comply

To comply with ISO 27001 Annex A 5.28 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to:

Have an ISO 27001 topic specific policy for the collection of evidence
Implement a process that outsource the collection of evidence to an appropriate, qualified, certified, pre vetted supplier at the earliest opportunity
Incorporate that process into your information security incident management process

How to pass an audit

To pass an audit of ISO 27001 Annex A 5.28 you are going to make sure that you have followed the steps above in how to comply and be able to evidence it in operation. It maybe that you have not had to implement the process for the collection of evidence, which is acceptable, in which case just your policy and procedures will be audited.

Have an ISO 27001 topic specific policy for the collection of evidence
Implement a process that outsource the collection of evidence to an appropriate, qualified, certified, pre vetted supplier at the earliest opportunity
Incorporate that process into your information security incident management process
Be able to evidence that you followed the documented process in the event that you have had to collect evidence as part of your business operations.

What an auditor will check

The audit is going to check a number of areas. Lets go through the main ones

1. That you have documented your collection of evidence process

The audit will check the documentation, that you have reviewed it and signed and it off and that it represents what you actually do not what you think they want to hear.

2. That you can demonstrate the process working

They are going to ask you for evidence to the collection of evidence process and take at least one example. For this example you are going to show them and walk them through the process and prove that you followed it and that the process worked.

3. That you can learn your lesson

Documenting your lessons learnt and following this through to continual improvements or incident and corrective actions will be checked.

Top 3 Mistakes People Make

The most common mistakes people make for ISO 27001 Annex A 5.28 are

1. Not having a documented collection of evidence process and policy.

This is the most common mistake made by organisations. A documented collection of evidence policy and collection of evidence process is essential for effective incident response.

2. Not having evidence collected by professionals

There are so many mistakes that can be made in the collection of evidence that would render the evidence useless. The standard guidance is to use trained and qualified personnel. Whether in house or out sourced you should ensure that you engage with professionals at the earliest opportunity and at least as soon as it becomes evident that evidence is required for legal or disciplinary purposes.

3. Not monitoring the effectiveness of the collections of evidence process

It is important to monitor its effectiveness of the collection of evidence process. This means reviewing the process, conducting internal audits and reviewing actual incidents for lessons learnt.

By avoiding these mistakes, you can ensure that you have an effective collection of evidence plan in place.

FAQ

What is ISO 27001 Clause 5.28?

ISO 27001 Annex A 5.28 is a control that requires organisations to collect evidence from information security management incidents in a way that it is admissible as part of legal proceedings or disciplinary action.

What are the Benefits of ISO 27001 Collection of Evidence?

Other than your ISO 27001 certification requiring it, the following are the top 5 benefits of ISO 27001 Annex A 5.28:
You cannot get ISO 27001 certification without it.
Improved security: You will have an effective information security incident management system that addresses the legal collection of evidence when and if required
Reduced risk: You will reduce the information security risks of collecting evidence that cannot be used in a legal or disciplinary process
Improved compliance: Standards and regulations require an effective information security incident management system to be in place
Reputation Protection: In the event of a breach having an effective collection of evidence system in place will reduce the potential for fines and reduce the PR impact of an event

Why is Collection of Evidence Important?

As the saying goes, shit happens. It is facts of life. Sometimes those things that go wrong are as a result of human actions that lead to either legal or disciplinary actions.
ISO 27001 Annex A 5.28 is important because it provides guidance on how we collect the evidence to investigate, take against against people or submit to a course of legal action in a way that the evidence will be accepted. The guidance in ISO 27001 Annex A 5.28 can help you to develop and implement an effective collection of evidence plan with the greatest chance of success.

What types of information security incident evidence are there?

The most common types of information security incident evidence are
1. Emails
2. Electronic communications
3. System and application logs
4. Printouts or physical media
5. System and Application Reports
6. User activity logs
7. System activity logs

Do I have to satisfy ISO 27001 Annex A 5.28 for ISO 27001 Certification?

Yes. It is required for ISO 27001.

ISO 27001 Annex A 5.28 sample PDF?

ISO 27001 Annex A 5.28 Sample PDF: ISO 27001 Toolkit

Where can I get templates for ISO 27001 Annex A 5.28?

ISO 27001 templates for Annex A 5.28 are located here: ISO 27001 Toolkit

How hard is ISO 27001 Annex A 5.28 Learning from information security incidents?

ISO 27001 Annex A 5.28 is not hard.

How long will ISO 27001 Annex A 5.28 Learning from information security incidents take me?

ISO 27001 Annex A 5.28 will take approximately 1 day to complete if you are starting from nothing and doing it yourself.

Are there free templates for ISO 27001 Annex A 5.28?

There are templates for ISO 27001 Annex A 5.28 located here: ISO 27001 Toolkit

What are the roles and responsibilities involved in information security management?

Typically they are:
Incident Manager: Managing and coordinating the incident
Incident Response Team: the people responding to the incident
The Legal Team: providing legal advice
The Information Security Team: maintaining the confidentiality, integrity and availability of data.
Communications Team: keeping interested parties appropriately informed

What are the resources available to help me with ISO 27001Collection of Evidence?

Other than this ISO 27001 certification guide there are 2 additional, practical resources that can help you with Annex A 5.28.
Having an ISO 27001 Topic Specific Policy that covers the collection of evidence is a vital resource for this control. It is included in the ISO 27001 Policy Templates Pack and in the ISO 27001 Toolkit.

What are the consequences of not implementing ISO 27001 Collection of Evidence?

The main consequence is that any evidence that you collect will not be usable in either legal proceedings or in any disciplinary action.

How can I monitor the effectiveness of my ISO 27001 Collection of Evidence implementation?

You can monitor the effectiveness of Annex A 5.28 in a number of ways. The most common ways are:
You have a process of internal audit that audits Annex A 5.8 on a periodic basis
Your collection of evidence process includes a root cause and lessons step that allows you to check that everything worked as intended identify opportunities for improvement.

What are examples of a violation of ISO 27001 Collection of Evidence?

Someone who is not trained or qualified collecting evidence in an unstructured way and a way that does not meet the requirements of relevant laws and regulations, thus making it unusable.

Who is responsible for ISO 27001 Collection of Evidence?

Accountability for ISO 27001 Annex A 5.28 lies with the senior leadership team. Responsibility is often assigned to the incident management team and the incident management lead.

ISO 27001 Controls and Attribute values

Control type	Information security properties	Cybersecurity concepts	Operational capabilities	Security domains
Corrective	Confidentiality	Detect	Information Security Event Management	Defence
	Integrity	Respond
	Availability