ISO 27001 Annex A 5.28 – Collection Of Evidence

This control is about the collection of evidence: an organisation must have a documented, repeatable way to identify, collect, acquire and preserve evidence arising from information security events so that it will stand up if it is later needed for disciplinary or legal action.

What is ISO 27001 Annex A 5.28?

The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).

In the ISO/IEC 27001:2022 Standard the control is titled “Collection Of Evidence”.

What is the ISO 27001 Annex A 5.28 control objective?

The control text in the standard is: “The organisation should establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.”

What is the purpose of ISO 27001 Annex A 5.28?

The purpose of ISO 27001 Annex A 5.28 is “To ensure a consistent and effective management of evidence related to information security incidents for the purposes of disciplinary and legal actions.”

Is ISO 27001 Annex A 5.28 Mandatory?

ISO 27001 Annex A control 5.28 (Collection Of Evidence in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.

The mandatory part of the standard requires you to consider ISO 27001 Annex A 5.28 and all other Annex A controls when producing your Statement of Applicability, but you may exclude a control if it is not relevant to your organisation’s risks and context. Any exclusion must be recorded and justified in the Statement of Applicability; in practice it is hard to argue that an organisation will never need to gather evidence after an incident, so 5.28 is rarely excluded.

Key Parts of the Rule

To meet this control you need clear, approved documentation and a process that people actually follow. The important points are:

The simplest way to set up Annex A 5.28 is a procedure that defines when evidence handling is triggered and who does the work. For most organisations that means calling in a pre-selected external forensic or legal specialist rather than attempting acquisition with untrained staff, because evidence that is handled incorrectly may be inadmissible.

This forms part of your incident management process and must start as soon as you realise that an event may lead to a legal or disciplinary case. Evidence that is identified late, or that is altered before it is preserved, is difficult to rely on afterwards.

The recommended approach is an Evidence Collection Policy backed by a written process. The process should include the contact details of the expert supplier you have selected and vetted in advance, so that nobody has to choose a provider under pressure during an incident.

For further reading, ISO/IEC 27035 covers information security incident management, and ISO/IEC 27037 gives guidance on the identification, collection, acquisition and preservation of digital evidence.

What ISO 27001 Requires You to Do

Since this control is about gathering evidence for legal or disciplinary action, your first step is to identify the laws and jurisdictions that apply to your organisation, including data protection and employment law and the rules of evidence in the jurisdictions where you operate. Knowing what those regimes require tells you what the procedure must cover and improves the chance that evidence you collect can actually be used.

The control mainly requires written processes and procedures that satisfy those legal requirements. They must cover:

  • Identification: recognising which devices, systems, logs or records may hold relevant evidence
  • Collection: physically securing the items that hold evidence, such as a laptop, phone or removable drive
  • Acquisition: producing a verifiable copy of the data, for example a disk image or exported logs, without altering the original
  • Preservation: storing the evidence and its copies so that their integrity can be demonstrated for as long as they are needed

Key Rules for Handling Evidence

When you set up these processes, you must be able to demonstrate that:

  • The evidence and the records about it are complete and have not been altered in any way, which in practice means a chain-of-custody record showing who handled each item, when, and why.
  • Copies of electronic evidence are identical to the originals; the usual way to show this is to compute a cryptographic hash of the original and of each copy at acquisition and record the values.
  • The systems from which the evidence was taken were functioning correctly at the time the evidence was recorded, since evidence from a malfunctioning or compromised source is easy to challenge.

It is also strongly recommended that anyone involved in gathering and handling evidence is trained, qualified and, where appropriate, certified for the task, and that you keep records of that training, because the competence of the handler is one of the first things a court or tribunal will question.
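The integrity requirements above translate directly into a small amount of tooling. The script below is an added example written for this page, not code from ISO/IEC 27001, ISO/IEC 27037 or any forensic product: it acquires a copy of an evidence file, proves the copy matches the original by SHA-256, writes a chain-of-custody record, and later re-verifies the copy so that any alteration is detected. The file names, the JSON record layout and the collector identity are assumptions, and the sample log content is constructed for the demonstration.

```python
"""Added example: verify that an acquired copy of electronic evidence is
bit-for-bit identical to the original and record a chain-of-custody entry.
Illustrative code written for this page, not part of any standard or tool.
File names, the JSON record layout and the collector name are assumptions."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1024 * 1024):
    """Return the hex SHA-256 of a file, read in chunks so large images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(original, copy_path, collector, log_path):
    """Copy the original, hash both sides, and append a custody record.

    Returns the record dict. Raises if the copy does not match the original,
    so a failed acquisition is never silently logged as good evidence.
    """
    shutil.copyfile(original, copy_path)
    os.chmod(copy_path, 0o444)  # read-only: the working copy must not be altered in place
    src_hash = sha256_file(original)
    dst_hash = sha256_file(copy_path)
    if src_hash != dst_hash:
        raise RuntimeError("copy does not match original: %s != %s" % (src_hash, dst_hash))
    record = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "action": "acquire",
        "collector": collector,            # assumed identifier of the person handling the item
        "source": os.path.abspath(original),
        "copy": os.path.abspath(copy_path),
        "sha256": dst_hash,
        "size_bytes": os.path.getsize(copy_path),
    }
    with open(log_path, "a") as log:       # one JSON line per custody event
        log.write(json.dumps(record) + "\n")
    return record


def verify(copy_path, log_path):
    """Re-hash the copy and compare with the hash recorded at acquisition.

    Returns (ok, recorded_hash, current_hash). A mismatch means the copy
    has been altered since it was collected; a missing record means there
    is no custody trail for this item at all.
    """
    recorded = None
    with open(log_path) as log:
        for line in log:
            rec = json.loads(line)
            if rec["action"] == "acquire" and rec["copy"] == os.path.abspath(copy_path):
                recorded = rec["sha256"]
    if recorded is None:
        return False, None, None
    current = sha256_file(copy_path)
    return current == recorded, recorded, current


def demo():
    """Constructed scenario: acquire a sample log, verify it, tamper with it, verify again.

    Returns (ok_before_tamper, ok_after_tamper, hash_length).
    """
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "auth.log")          # constructed sample evidence
    copy_path = os.path.join(workdir, "auth.log.acquired")
    log_path = os.path.join(workdir, "chain_of_custody.jsonl")
    with open(original, "w") as f:
        f.write("Jan 01 10:00:01 host sshd[1234]: Failed password for root from 203.0.113.5\n")
        f.write("Jan 01 10:00:03 host sshd[1234]: Accepted password for root from 203.0.113.5\n")
    record = acquire(original, copy_path, "analyst-1", log_path)
    ok_before, _, _ = verify(copy_path, log_path)
    os.chmod(copy_path, 0o644)
    with open(copy_path, "a") as f:                       # simulate tampering with the copy
        f.write("Jan 01 10:00:05 host sshd[1234]: session opened\n")
    ok_after, _, _ = verify(copy_path, log_path)
    shutil.rmtree(workdir)
    return ok_before, ok_after, len(record["sha256"])


if __name__ == "__main__":
    print(demo())
```

In a real acquisition the original would be a forensic image taken through a write blocker and the custody log would be kept somewhere the collector cannot modify after the fact, but the principle is the same: hash at the moment of acquisition, record who did it and when, and re-hash before the evidence is relied upon.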

What an Auditor Will Check

An auditor will want to see proof that you are following these rules. They will look for:

1. Documenting How You Collect Proof

You must have a written document that explains how you identify, collect, acquire and preserve evidence after an information security event. The auditor will read it and will expect it to be reviewed and approved. It must describe what you actually do, not what you think the auditor wants to see, because the next step is to test it against a real example.

2. Showing the Process Works

The auditor will ask for proof that the evidence collection process works in practice. They will pick at least one incident or exercise and ask you to walk through it, showing the records that demonstrate each step of the procedure was followed: who was involved, what was collected, how integrity was preserved, and where the evidence is now.

3. Learning from Mistakes

The auditor will check that you record lessons learned from past incidents or exercises, and that those lessons have fed into corrective actions and continual improvement of the process. This shows that the procedure is maintained and improved over time rather than written once and forgotten.