ISO 27001 Collection Of Evidence
In this ultimate guide to ISO 27001 Annex A 5.28 Collection Of Evidence you will learn
- What is ISO 27001 Annex A 5.28
- How to implement ISO 27001 Annex A 5.28
I am Stuart Barker, the ISO 27001 Ninja and author of the Ultimate ISO 27001 Toolkit.
With over 30 years industry experience I will show you what’s new, give you ISO 27001 templates, show you examples, do a walkthrough and show you how to implement it for ISO 27001 certification.
Table of contents
What is ISO 27001 Annex A 5.28?
ISO 27001 Annex A 5.28 Collection of Evidence requires an organisation to identify, collect, acquire and preserve evidence related to information security incidents.
It is an ISO 27001 Annex A control that forms part of information security incident management.
Purpose
The purpose of ISO 27001 Clause 5.28 is to ensure a consistent and effective management of evidence related to information security incidents for the purposes of disciplinary and legal actions.
Definition
The ISO 27001 standard defines ISO 27001 Annex A 5.28 as:
The organisation should establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.
ISO 27001:2022 Annex A 5.28 Collection of Evidence
Implementation Guide
It is my experience that the best way to implement Annex A 5.28 is to have a procedure that calls in the professionals to do the work. This would form part of your incident management process and would be instigated at the earliest opportunity. This usually means as soon as it becomes clear that evidence collection will be required to support a legal or disciplinary process.
Having a Collection of Evidence Policy and a process that has the contact details for a pre selected, pre vetted supplier is the best way to implement Annex A 5.28.
The standard that relates to information security incident management for further reading if required is ISO/IEC 27035
The requirements of ISO 27001 Collection of Evidence
As the control is looking at the collection of evidence to support legal and disciplinary action the first requirement is to understand the different laws and jurisdictions that apply to you. If you understand the needs of these laws you will understand what requirements they have and increase your chances of successfully admitting your evidence for consideration.
The requirements of the control are based around having documented processes and procedures that meet the requirements of applicable laws. Those processes and procedures are going to cover
- Identification of evidence
- Collection of evidence
- Acquisition of evidence
- Preservation of evidence
When implementing those processes and procedures you are going to ensure that
- Evidence and records are complete and have not been tampered with
- Copies of electronic evidence are identical to the origionals
- Evidence from systems was from systems operating as intended at the time of collection
It is best practice and recommended that people that are involved in the process and collection of evidence and trained, qualified and certified to the appropriate level.
Watch the tutorial
ISO 27001 Templates
DO IT YOURSELF ISO 27001
All the templates, tools, support and knowledge you need to do it yourself.
How to comply
To comply with ISO 27001 Annex A 5.28 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to:
- Have an ISO 27001 topic specific policy for the collection of evidence
- Implement a process that outsource the collection of evidence to an appropriate, qualified, certified, pre vetted supplier at the earliest opportunity
- Incorporate that process into your information security incident management process
How to pass an audit
To pass an audit of ISO 27001 Annex A 5.28 you are going to make sure that you have followed the steps above in how to comply and be able to evidence it in operation. It maybe that you have not had to implement the process for the collection of evidence, which is acceptable, in which case just your policy and procedures will be audited.
- Have an ISO 27001 topic specific policy for the collection of evidence
- Implement a process that outsource the collection of evidence to an appropriate, qualified, certified, pre vetted supplier at the earliest opportunity
- Incorporate that process into your information security incident management process
- Be able to evidence that you followed the documented process in the event that you have had to collect evidence as part of your business operations.
What an auditor will check
The audit is going to check a number of areas. Lets go through the main ones
1. That you have documented your collection of evidence process
The audit will check the documentation, that you have reviewed it and signed and it off and that it represents what you actually do not what you think they want to hear.
2. That you can demonstrate the process working
They are going to ask you for evidence to the collection of evidence process and take at least one example. For this example you are going to show them and walk them through the process and prove that you followed it and that the process worked.
3. That you can learn your lesson
Documenting your lessons learnt and following this through to continual improvements or incident and corrective actions will be checked.
Top 3 Mistakes People Make
The most common mistakes people make for ISO 27001 Annex A 5.28 are
1. Not having a documented collection of evidence process and policy.
This is the most common mistake made by organisations. A documented collection of evidence policy and collection of evidence process is essential for effective incident response.
2. Not having evidence collected by professionals
There are so many mistakes that can be made in the collection of evidence that would render the evidence useless. The standard guidance is to use trained and qualified personnel. Whether in house or out sourced you should ensure that you engage with professionals at the earliest opportunity and at least as soon as it becomes evident that evidence is required for legal or disciplinary purposes.
3. Not monitoring the effectiveness of the collections of evidence process
It is important to monitor its effectiveness of the collection of evidence process. This means reviewing the process, conducting internal audits and reviewing actual incidents for lessons learnt.
By avoiding these mistakes, you can ensure that you have an effective collection of evidence plan in place.
FAQ
ISO 27001 Annex A 5.28 is a control that requires organisations to collect evidence from information security management incidents in a way that it is admissible as part of legal proceedings or disciplinary action.
Other than your ISO 27001 certification requiring it, the following are the top 5 benefits of ISO 27001 Annex A 5.28:
You cannot get ISO 27001 certification without it.
Improved security: You will have an effective information security incident management system that addresses the legal collection of evidence when and if required
Reduced risk: You will reduce the information security risks of collecting evidence that cannot be used in a legal or disciplinary process
Improved compliance: Standards and regulations require an effective information security incident management system to be in place
Reputation Protection: In the event of a breach having an effective collection of evidence system in place will reduce the potential for fines and reduce the PR impact of an event
As the saying goes, shit happens. It is facts of life. Sometimes those things that go wrong are as a result of human actions that lead to either legal or disciplinary actions.
ISO 27001 Annex A 5.28 is important because it provides guidance on how we collect the evidence to investigate, take against against people or submit to a course of legal action in a way that the evidence will be accepted. The guidance in ISO 27001 Annex A 5.28 can help you to develop and implement an effective collection of evidence plan with the greatest chance of success.
The most common types of information security incident evidence are
1. Emails
2. Electronic communications
3. System and application logs
4. Printouts or physical media
5. System and Application Reports
6. User activity logs
7. System activity logs
Yes. It is required for ISO 27001.
ISO 27001 Annex A 5.28 Sample PDF: ISO 27001 Toolkit
ISO 27001 templates for Annex A 5.28 are located here: ISO 27001 Toolkit
ISO 27001 Annex A 5.28 is not hard.
ISO 27001 Annex A 5.28 will take approximately 1 day to complete if you are starting from nothing and doing it yourself.
There are templates for ISO 27001 Annex A 5.28 located here: ISO 27001 Toolkit
Typically they are:
Incident Manager: Managing and coordinating the incident
Incident Response Team: the people responding to the incident
The Legal Team: providing legal advice
The Information Security Team: maintaining the confidentiality, integrity and availability of data.
Communications Team: keeping interested parties appropriately informed
Other than this ISO 27001 certification guide there are 2 additional, practical resources that can help you with Annex A 5.28.
Having an ISO 27001 Topic Specific Policy that covers the collection of evidence is a vital resource for this control. It is included in the ISO 27001 Policy Templates Pack and in the ISO 27001 Toolkit.
The main consequence is that any evidence that you collect will not be usable in either legal proceedings or in any disciplinary action.
You can monitor the effectiveness of Annex A 5.28 in a number of ways. The most common ways are:
You have a process of internal audit that audits Annex A 5.8 on a periodic basis
Your collection of evidence process includes a root cause and lessons step that allows you to check that everything worked as intended identify opportunities for improvement.
Someone who is not trained or qualified collecting evidence in an unstructured way and a way that does not meet the requirements of relevant laws and regulations, thus making it unusable.
Accountability for ISO 27001 Annex A 5.28 lies with the senior leadership team. Responsibility is often assigned to the incident management team and the incident management lead.
ISO 27001 Controls and Attribute values
Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
Corrective | Confidentiality | Detect | Information Security Event Management | Defence |
Integrity | Respond | |||
Availability |