Introduction: Why Your AI Company Can’t Afford to Ignore Evidence Collection
In the fast-paced world of artificial intelligence, the primary focus is on innovation – building breakthrough models, securing new funding, and capturing market share. However, this focus on growth can obscure a critical vulnerability: a single information security incident can trigger significant legal, financial, and disciplinary consequences that threaten the entire business. When an incident occurs, your ability to respond effectively depends entirely on the quality of your evidence.
This is the core of ISO 27001 Annex A 5.28 Collection of evidence, a control that requires your organization to “identify, collect, acquire and preserve evidence related to information security incidents.” Without a formal, repeatable process for this, you are left defenceless when you need to support legal proceedings or internal disciplinary actions.
This guide will explain what Annex A 5.28 means in the context of a modern AI company, outline the practical steps you can take to achieve compliance, and demonstrate how the High Table toolkit provides a clear path to building an audit-ready framework.
Table of contents
- Introduction: Why Your AI Company Can’t Afford to Ignore Evidence Collection
- The Unique Risks: Applying Annex A 5.28 to Your AI Workflows
- Your Compliance Blueprint: Four Steps to Mastering Evidence Collection
- The High Table Solution: Audit-Ready Policies Without the Hassle
- Conclusion: Build a Defensible Position for Your AI Business
The Unique Risks: Applying Annex A 5.28 to Your AI Workflows
For an AI business, the strategic importance of this control cannot be overstated. “Evidence” is not limited to standard IT logs from a firewall or web server. It extends to the very core of your operations and intellectual property – the data, code, and infrastructure that power your algorithms. Proper evidence collection is vital for protecting the business during legal or disciplinary proceedings, where the integrity of your proprietary technology could be called into question.
Unlike traditional IT assets, your core intellectual property – such as a trained model’s state or a proprietary dataset – is intangible and ephemeral. Without a specific, forensically sound process, definitive evidence of its compromise or theft can be irrevocably lost. For an AI company, a specialised evidence collection plan is a matter of business survival, not just compliance.
The purpose of Annex A 5.28 is “to ensure a consistent and effective management of evidence related to information security incidents for the purposes of disciplinary and legal actions.” This means that when an incident happens, you must have a defensible and verifiable record of what occurred. For an AI company, this evidence can take many forms:
- Audit trails of proprietary models: This includes immutable logs demonstrating unauthorized access to proprietary model weights and hyperparameters, which are among your most valuable and secret assets.
- MLOps pipeline and data logs: Logs from your MLOps pipelines are critical evidence to prove or disprove a model poisoning or data contamination attack, protecting the integrity of your core products.
- Algorithmic investigation records: Communication records, code commits, and model behaviour logs are essential evidence for any investigation into algorithmic bias or unintended model outputs, which carry significant reputational and legal risk.
- Training data provenance records: Verifiable records proving the provenance and licensing of training data are critical evidence in intellectual property disputes, which are becoming increasingly common in the AI industry.
Without this formal process, an investigation is compromised before it begins, leaving your business exposed. The following blueprint outlines how to construct a defensible one.
Your Compliance Blueprint: Four Steps to Mastering Evidence Collection
Achieving compliance with Annex A 5.28 is not about creating unnecessary bureaucracy. Your objective is to engineer a resilient, legally defensible process that functions under duress. By following a structured approach, you can ensure your evidence is reliable, admissible, and ready for scrutiny.
Understand the Legal and Regulatory Landscape
The first step is to gain a clear understanding of the different laws and jurisdictions that apply to your business. This is crucial because legal and regulatory requirements dictate exactly how evidence must be handled to be admissible in court or other formal proceedings. Digital evidence often spans national boundaries, and what is acceptable in one jurisdiction may not be in another.
Document Your Collection of Evidence Policy
A common and critical mistake is “not having a documented collection of evidence process and policy.” This documented policy is the singular source of truth for your evidence handling protocol. It provides a clear, consistent framework that guides your team on how to identify, gather, and preserve evidence. To an auditor, an undocumented process is an uncontrolled one.
Establish Your Process (and Get Professional Help)
Your process must detail the specific procedures for the identification, collection, acquisition, and preservation of evidence. However, the best practice recommended by auditors is to “have a procedure that calls in the professionals to do the work.” The collection of evidence is a highly sensitive and technical task. Using trained, qualified, and certified personnel – whether internal experts or external specialists – minimises the risk of making critical mistakes that could render evidence useless or inadmissible.
Integrate with Your Incident Management Framework
This process cannot exist in a vacuum. It must be a core component of your overall Information Security Incident Management framework. The evidence collection procedure should be triggered as soon as it becomes clear that evidence may be required for legal or disciplinary reasons. This integration ensures that evidence preservation is considered from the earliest moments of an incident, not as an afterthought. This integrated framework is non-negotiable for compliance, but building it correctly requires significant legal and procedural expertise.
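The four steps above describe the process at policy level; the part an engineer has to get right in practice is preservation: proving later that the model weights, pipeline logs or provenance records you collected are the same bytes you present in a disciplinary or legal proceeding, and who handled them in between. The script below is an added illustration, not code from this article or from the High Table toolkit. It assumes a hypothetical incident in which two artifacts (a model checkpoint and an MLOps log, both constructed here) are acquired from a training node, records a SHA-256 manifest with collector, source and time, keeps a hash-chained chain-of-custody log, and verifies both on demand so that any altered artifact or edited custody entry is detected.

```python
import hashlib
import json

# Constructed sample artifacts standing in for what a responder would acquire
# from a real incident; the contents, host name and people are invented.
SAMPLE_ARTIFACTS = {
    "model_weights.bin": b"\x00\x01\x02" * 32,
    "pipeline.log": b"2024-01-01T00:00:00Z train_job=42 dataset=ds-v7 status=ok\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def items_digest(manifest: dict) -> str:
    """Digest of the artifact table; anchors the custody chain to the evidence itself."""
    return sha256_hex(json.dumps(manifest["items"], sort_keys=True).encode())


def _entry_hash(prev_hash: str, entry: dict) -> str:
    # Each custody entry is hashed together with the previous hash, forming a chain.
    payload = json.dumps(entry, sort_keys=True).encode()
    return sha256_hex(prev_hash.encode() + payload)


def add_custody_entry(manifest: dict, actor: str, action: str, at: str) -> str:
    """Append a chain-of-custody event (handover, analysis, storage) and return its hash."""
    prev = manifest["custody"][-1]["hash"] if manifest["custody"] else items_digest(manifest)
    entry = {"actor": actor, "action": action, "at": at}
    entry["hash"] = _entry_hash(prev, entry)
    manifest["custody"].append(entry)
    return entry["hash"]


def acquire(artifacts: dict, collector: str, source: str, collected_at: str) -> dict:
    """Identify and collect: fix each artifact's hash and size, plus who took it, from where, and when."""
    items = {
        name: {"sha256": sha256_hex(data), "size": len(data)}
        for name, data in sorted(artifacts.items())
    }
    manifest = {
        "collector": collector,
        "source": source,
        "collected_at": collected_at,
        "items": items,
        "custody": [],
    }
    add_custody_entry(manifest, actor=collector, action="acquired", at=collected_at)
    return manifest


def verify_artifacts(artifacts: dict, manifest: dict) -> list:
    """Names of artifacts that are missing or whose current hash differs from the manifest."""
    problems = []
    for name, rec in manifest["items"].items():
        data = artifacts.get(name)
        if data is None or sha256_hex(data) != rec["sha256"]:
            problems.append(name)
    return problems


def verify_custody(manifest: dict) -> bool:
    """Recompute the hash chain; an edited, reordered or removed middle entry breaks it.

    Truncating the tail of the chain is not detectable from the manifest alone, so the
    latest hash should also be recorded out of band (incident ticket, signed note).
    """
    prev = items_digest(manifest)
    for entry in manifest["custody"]:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if _entry_hash(prev, body) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


if __name__ == "__main__":
    m = acquire(SAMPLE_ARTIFACTS, "analyst-1", "gpu-node-7:/srv/models", "2024-01-02T03:04:05Z")
    add_custody_entry(m, "legal-counsel", "received", "2024-01-02T09:00:00Z")
    print(json.dumps(m, indent=2))
    print("artifacts intact:", verify_artifacts(SAMPLE_ARTIFACTS, m) == [])
    print("custody chain intact:", verify_custody(m))
```

Run it once at acquisition time and store the printed manifest separately from the artifacts; later, `verify_artifacts` against the stored copies and `verify_custody` on the manifest give the auditor or counsel a reproducible integrity check rather than an assurance.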
The High Table Solution: Audit-Ready Policies Without the Hassle
Attempting to architect a legally sound evidence collection framework from scratch introduces unacceptable risk and drains engineering resources. It requires deep expertise in both ISO 27001 and the legal nuances of evidence handling. The strategic path is to adopt a proven, auditor-vetted foundation.
The High Table ISO 27001 Toolkit provides the necessary templates to meet the requirements of Annex A 5.28. A vital resource for this control is a topic-specific policy covering the collection of evidence, and our toolkit includes a professionally crafted template designed to meet auditor expectations.
Using a professionally developed template is a superior approach. It helps you avoid the most common audit failure for this control: having no documented process at all. Furthermore, it ensures your methodology is aligned with best practices, saving you valuable time and resources while significantly reducing your audit risk. High Table provides the foundational documents you need to build a compliant and resilient evidence management program.
Conclusion: Build a Defensible Position for Your AI Business
In the event of a critical security incident, ad-hoc evidence collection will fail under legal and regulatory scrutiny. A process that cannot be defended is a liability, not an asset. For an innovative AI company, the stakes – ranging from compromised legal standing to catastrophic reputational damage – are simply too high.
By implementing a formal process based on professionally developed policies – like those included in the High Table ISO 27001 Toolkit – you can build a defensible and audit-ready position. This allows you to protect your organization, ensure compliance with international standards, and maintain your focus on driving innovation with confidence.
About the author
Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.
Holding an MSc in Software and Systems Security, Stuart combines academic rigor with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.
As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organizations – from high-growth technology startups to enterprise financial institutions – through the audit lifecycle.
His toolkits represent the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.
