ISO 27002:2022 Clause 5.28 Collection of Evidence
In this article I lay bare ISO 27001:2022 Annex A 5.28 Collection of Evidence
Using over two decades of experience on hundreds of ISO 27001 audits and ISO 27001 certifications I am going to show you what’s new, give you templates, an ISO 27001 toolkit, show you examples and do a walkthrough.
In this ISO 27001 certification guide I show you exactly what changed in the ISO 27001:2022 update.
I am Stuart Barker the ISO 27001 Ninja and this is ISO 27001:2022 Annex A 5.28 Collection of Evidence
Table of contents
- ISO 27002:2022 Clause 5.28 Collection of Evidence
- What is ISO 27001 Collection of Evidence?
- What are the requirements of ISO 27001 Collection of Evidence?
- What are the Benefits of ISO 27001 Collection of Evidence?
- Why is ISO 27001 Collection of Evidence Important?
- ISO 27001 Collection of Evidence Implementation Guide
- What are the resources available to help me with ISO 27001Collection of Evidence?
- How to comply with ISO 27001:2022 Annex A 5.28
- How to pass an audit of ISO 27001:2022 Annex A 5.28
- Top 3 Mistakes People Make for Collection of Evidence
- What are the lessons learned from organisations that have successfully complied with ISO 27001 Collection of Evidence?
- How can I monitor the effectiveness of my ISO 27001 Collection of Evidence implementation?
- Who is responsible for ISO 27001 Collection of Evidence?
- What are the consequences of not implementing ISO 27001 Collection of Evidence?
- What are examples of a violation of ISO 27001 Collection of Evidence?
- What will an auditor check for ISO 27001:2022 Annex A 5.28?
- Where can I get help with ISO 27001 Collection of Evidence?
- ISO 27001 Collection of Evidence FAQ
- Matrix of ISO 27001:2022 Controls and ISO 27001:2022 Attribute values
- Reference
What is ISO 27001 Collection of Evidence?
ISO 27001:2022 Annex A 5.28 Collection of Evidence requires an organisation to identify, collect, acquire and preserve evidence related to information security incidents.
It is an ISO 27001 control that forms part of information security incident management.
ISO 27001 Clause 5.28 Purpose
The purpose of ISO 27001:2022 Clause 5.28 is to ensure a consistent and effective management of evidence related to information security incidents for the purposes of disciplinary and legal actions.
ISO 27001 Annex A 5.28 Definition
The ISO 27001:2022 standard defines ISO 27001:2022 Annex A 5.28 as:
The organisation should establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.
ISO 27001:2022 Annex A 5.28 Collection of Evidence
What are the requirements of ISO 27001 Collection of Evidence?
As the control is looking at the collection of evidence to support legal and disciplinary action the first requirement is to understand the different laws and jurisdictions that apply to you. If you understand the needs of these laws you will understand what requirements they have and increase your chances of successfully admitting your evidence for consideration.
The requirements of the control are based around having documented processes and procedures that meet the requirements of applicable laws. Those processes and procedures are going to cover
- Identification of evidence
- Collection of evidence
- Acquisition of evidence
- Preservation of evidence
When implementing those processes and procedures you are going to ensure that
- Evidence and records are complete and have not been tampered with
- Copies of electronic evidence are identical to the origionals
- Evidence from systems was from systems operating as intended at the time of collection
It is best practice and recommended that people that are involved in the process and collection of evidence and trained, qualified and certified to the appropriate level.
What are the Benefits of ISO 27001 Collection of Evidence?
Other than your ISO 27001 certification requiring it, the following are the top 5 benefits of ISO 27001:2022 Annex A 5.28:
- You cannot get ISO 27001 certification without it.
- Improved security: You will have an effective information security incident management system that addresses the legal collection of evidence when and if required
- Reduced risk: You will reduce the information security risks of collecting evidence that cannot be used in a legal or disciplinary process
- Improved compliance: Standards and regulations require an effective information security incident management system to be in place
- Reputation Protection: In the event of a breach having an effective collection of evidence system in place will reduce the potential for fines and reduce the PR impact of an event
Why is ISO 27001 Collection of Evidence Important?
As the saying goes, shit happens. It is facts of life. Sometimes those things that go wrong are as a result of human actions that lead to either legal or disciplinary actions.
ISO 27001:2022 Annex A 5.28 is important because it provides guidance on how we collect the evidence to investigate, take against against people or submit to a course of legal action in a way that the evidence will be accepted. The guidance in ISO 27001:2022 Annex A 5.28 can help you to develop and implement an effective collection of evidence plan with the greatest chance of success.
ISO 27001 Collection of Evidence Implementation Guide
It is my experience that the best way to implement Annex A 5.28 is to have a procedure that calls in the professionals to do the work. This would form part of your incident management process and would be instigated at the earliest opportunity. This usually means as soon as it becomes clear that evidence collection will be required to support a legal or disciplinary process.
Having a Collection of Evidence Policy and a process that has the contact details for a pre selected, pre vetted supplier is the best way to implement Annex A 5.28.
The standard that relates to information security incident management for further reading if required is ISO/IEC 27035
What are the resources available to help me with ISO 27001Collection of Evidence?
Other than this ISO 27001 certification guide there are 2 additional, practical resources that can help you with Annex A 5.28.
Having an ISO 27001 Topic Specific Policy that covers the collection of evidence is a vital resource for this control. It is included in the ISO 27001 Policy Templates Pack and in the ISO 27001 Toolkit.
The Most Ruthlessly Effective and Aggressively Priced ISO 27001 Toolkit in the World.
Join over 1,500+ Empowered Consultants & Business Owners
How to comply with ISO 27001:2022 Annex A 5.28
To comply with ISO 27001:2022 Annex A 5.28 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to:
- Have an ISO 27001 topic specific policy for the collection of evidence
- Implement a process that outsource the collection of evidence to an appropriate, qualified, certified, pre vetted supplier at the earliest opportunity
- Incorporate that process into your information security incident management process
How to pass an audit of ISO 27001:2022 Annex A 5.28
To pass an audit of ISO 27001:2022 Annex A 5.28 you are going to make sure that you have followed the steps above in how to comply and be able to evidence it in operation. It maybe that you have not had to implement the process for the collection of evidence, which is acceptable, in which case just your policy and procedures will be audited.
- Have an ISO 27001 topic specific policy for the collection of evidence
- Implement a process that outsource the collection of evidence to an appropriate, qualified, certified, pre vetted supplier at the earliest opportunity
- Incorporate that process into your information security incident management process
- Be able to evidence that you followed the documented process in the event that you have had to collect evidence as part of your business operations.
You are going to check that it is working by first conducting an internal audit, following the How to Conduct an ISO 27001 Internal Audit Guide.
Top 3 Mistakes People Make for Collection of Evidence
The most common mistakes people make for ISO 27001:2022 Annex A 5.28 are
1. Not having a documented collection of evidence process and policy.
This is the most common mistake made by organisations. A documented collection of evidence policy and collection of evidence process is essential for effective incident response.
2. Not having evidence collected by professionals
There are so many mistakes that can be made in the collection of evidence that would render the evidence useless. The standard guidance is to use trained and qualified personnel. Whether in house or out sourced you should ensure that you engage with professionals at the earliest opportunity and at least as soon as it becomes evident that evidence is required for legal or disciplinary purposes.
3. Not monitoring the effectiveness of the collections of evidence process
It is important to monitor its effectiveness of the collection of evidence process. This means reviewing the process, conducting internal audits and reviewing actual incidents for lessons learnt.
By avoiding these mistakes, you can ensure that you have an effective collection of evidence plan in place.
What are the lessons learned from organisations that have successfully complied with ISO 27001 Collection of Evidence?
The main lesson learnt from organisations that have implemented and complied successfully with Annex A 5.28 is to out source the work to the professionals.
How can I monitor the effectiveness of my ISO 27001 Collection of Evidence implementation?
You can monitor the effectiveness of Annex A 5.28 in a number of ways. The most common ways are:
- You have a process of internal audit that audits Annex A 5.8 on a periodic basis
- Your collection of evidence process includes a root cause and lessons step that allows you to check that everything worked as intended identify opportunities for improvement.
Who is responsible for ISO 27001 Collection of Evidence?
Accountability for ISO 27001:2022 Annex A 5.28 lies with the senior leadership team. Responsibility is often assigned to the incident management team and the incident management lead.
What are the consequences of not implementing ISO 27001 Collection of Evidence?
The main consequence is that any evidence that you collect will not be usable in either legal proceedings or in any disciplinary action.
What are examples of a violation of ISO 27001 Collection of Evidence?
Someone who is not trained or qualified collecting evidence in an unstructured way and a way that does not meet the requirements of relevant laws and regulations, thus making it unusable.
What will an auditor check for ISO 27001:2022 Annex A 5.28?
The audit is going to check a number of areas. Lets go through the main ones
1. That you have documented your collection of evidence process
The audit will check the documentation, that you have reviewed it and signed and it off and that it represents what you actually do not what you think they want to hear.
2. That you can demonstrate the process working
They are going to ask you for evidence to the collection of evidence process and take at least one example. For this example you are going to show them and walk them through the process and prove that you followed it and that the process worked.
3. That you can learn your lesson
Documenting your lessons learnt and following this through to continual improvements or incident and corrective actions will be checked.
Where can I get help with ISO 27001 Collection of Evidence?
You can arrange a free 30 minute ISO 27001 strategy call to get the help with ISO 27001:2022 Annex A 5.28.
ISO 27001 Collection of Evidence FAQ
ISO 27001:2022 Annex A 5.28 is a control that requires organisations to collect evidence from information security management incidents in a way that it is admissible as part of legal proceedings or disciplinary action.
The most common types of information security incident evidence are
1. Emails
2. Electronic communications
3. System and application logs
4. Printouts or physical media
5. System and Application Reports
6. User activity logs
7. System activity logs
Yes. It is required for ISO 27001.
ISO 27001:2022 Annex A 5.28 Sample PDF: https://hightable.io/product/iso-27001-templates-toolkit/
ISO 27001:2022 templates for Annex A 5.28 are located here: https://hightable.io/product/iso-27001-templates-toolkit/
ISO 27001:2022 Annex A 5.28 is not hard.
ISO 27001:2022 Annex A 5.28 will take approximately 1 day to complete if you are starting from nothing and doing it yourself.
There are templates for ISO 27001:2022 Annex A 5.28 located here: https://hightable.io/product/iso-27001-policy-template-bundle/
Typically they are:
Incident Manager: Managing and coordinating the incident
Incident Response Team: the people responding to the incident
The Legal Team: providing legal advice
The Information Security Team: maintaining the confidentiality, integrity and availability of data.
Communications Team: keeping interested parties appropriately informed
Yes, there is an online ISO 27001 at ISO 27001 Online.
Matrix of ISO 27001:2022 Controls and ISO 27001:2022 Attribute values
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
| Corrective | Confidentiality | Detect | Information Security Event Management | Defence |
| Integrity | Respond | |||
| Availability |