The planned and careful process of gathering information after a security event. This is done to make sure the evidence is reliable and can be used to understand what happened. It is a key step for legal action or a thorough investigation.
Examples
- Cybercrime: After a hacker attack, an IT team follows a strict plan to save all computer logs, network data, and disk images. This evidence might be used later in court.
- Malware infection: A company finds a virus on an employee’s computer. They use a special tool to make a perfect copy of the computer’s hard drive. This copy serves as evidence for an investigation.
Context
Collecting evidence is a crucial part of a security incident response. It ensures that the information is not changed or corrupted. Without this care, it would be hard to figure out who was responsible or how to stop it from happening again. This process is important for legal cases, company investigations, and improving future security.
Relevant ISO 27001 Controls
The following controls from the ISO/IEC 27001:2022 standard are related to collection of evidence:
- ISO 27001:2022 Annex A 5.26 Response To Information Security Incidents: This is the main control that includes the steps for managing security events, with evidence collection being a central part.
- ISO 27001:2022 Annex A 5.28 Collection Of Evidence: This control specifically requires an organisation to have a plan for collecting and saving evidence.
- ISO 27001:2022 Annex A 6.4: Disciplinary Process: This control supports the use of evidence for actions against employees who have violated security rules.
- ISO 27001:2022 Annex A 5.5 Contact With Authorities: This control is related because the evidence collected may need to be shared with police or other legal authorities.
