The basics
ISO 27001 control A.5.28 Collection of evidence requires companies to properly manage information related to information security incidents, in order to preserve it so that it can be used as legal evidence.
Documentation
ISO 27001 control A.5.27 Learning from information security incidents can be documented:
- for smaller and mid-size companies by writing an Incident Management Procedure
- for larger companies by writing a Procedure for Evidence Collection
These procedures are not mandatory documents but are recommended for all companies.
Implementation
In order to comply with control A.5.28 Collection of evidence you might implement the following:
- Technology — the technology to collect evidence could include software and hardware. Companies of all sizes need to plan how to collect and preserve evidence (e.g., by segregating and sealing devices, creating mirrored backup copies, etc.), based on the identification of legal requirements for information preservation.
- Organization/processes — you should set up a process for the identification, collection, acquisition, and preservation of information, so that it can be admitted as evidence in legal proceedings. You can document those processes in an Incident Management Procedure or a Procedure for Evidence Collection.
- People — make employees aware of why the preservation of evidence integrity is needed, and train them on how to properly collect evidence.
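As an added illustration of the integrity-preservation step described in the Technology and People bullets above (this is example code, not part of the original page and not something ISO 27001 prescribes), the Python below hashes a collected file, records a chain-of-custody entry with who collected it and when, makes a working copy that is verified against the original before the original is made read-only, and shows that any later modification of the copy is detected. The file name, incident identifier and analyst identity are constructed placeholders.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so that large disk images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_evidence(path, incident_id, collected_by, manifest_path):
    """Append a chain-of-custody entry (what, who, when, hash) to a JSON-lines manifest."""
    entry = {
        "incident_id": incident_id,
        "file": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "sha256": sha256_of_file(path),
        "collected_by": collected_by,
        "collected_at_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }
    with open(manifest_path, "a", encoding="utf-8") as manifest:
        manifest.write(json.dumps(entry) + "\n")
    return entry


def preserve_copy(path, dest_dir):
    """Create the working copy analysts use; the sealed original is left untouched.

    The copy must hash identically to the original, otherwise it is not usable as
    a faithful mirror. The original is then made read-only as a best-effort seal
    (physical media would additionally need a hardware write blocker).
    """
    dest = os.path.join(dest_dir, os.path.basename(path))
    shutil.copy2(path, dest)
    if sha256_of_file(dest) != sha256_of_file(path):
        raise RuntimeError("working copy does not match the original")
    os.chmod(path, 0o444)
    return dest


def verify_evidence(path, manifest_path):
    """Re-hash a file and compare it with the hash recorded at collection time."""
    name = os.path.basename(path)
    with open(manifest_path, encoding="utf-8") as manifest:
        entries = [json.loads(line) for line in manifest if line.strip()]
    recorded = [e["sha256"] for e in entries if e["file"] == name]
    return bool(recorded) and sha256_of_file(path) == recorded[-1]


def demo():
    """Constructed scenario: a small log file is collected, copied, then tampered with.

    Returns (integrity_ok_before_edit, integrity_ok_after_edit).
    """
    with tempfile.TemporaryDirectory() as work:
        original = os.path.join(work, "auth.log")  # constructed sample evidence
        with open(original, "w", encoding="utf-8") as fh:
            fh.write("2024-01-01T10:00:00Z sshd: Failed password for root from 203.0.113.5\n")
        manifest = os.path.join(work, "custody.jsonl")
        copies = os.path.join(work, "working")
        os.makedirs(copies)

        record_evidence(original, "INC-0001", "analyst@example.org", manifest)  # placeholders
        working = preserve_copy(original, copies)
        before = verify_evidence(working, manifest)

        # Simulate an accidental edit of the working copy; the manifest hash no longer matches.
        with open(working, "a", encoding="utf-8") as fh:
            fh.write("edited line\n")
        after = verify_evidence(working, manifest)
        return before, after


if __name__ == "__main__":
    print(demo())
```

The manifest is append-only by construction, so each collection leaves a dated, attributable record; in practice the manifest itself should be stored separately from the evidence (and ideally signed) so that a compromise of the evidence store cannot silently rewrite the recorded hashes.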
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.5.28 Collection of evidence: whether evidence related to information security incidents is being collected.