What Changed Between the 2013 and 2022 Versions? ISO 27001:2022 Annex A 5.28

ISO 27001 Annex A 5.28 - what changed in the 2022 update

If you have ever been involved in a security breach or a legal dispute involving digital data, you know that having “some information” is not the same as having “admissible evidence.” In the shift from ISO 27001:2013 to the 2022 update, the standard has placed a much clearer spotlight on how we handle the trail of digital breadcrumbs left behind after an incident. This brings us to Annex A 5.28: Collection of Evidence.

While the requirement to preserve evidence existed in the older standard, the 2022 version has undergone a structural and qualitative transformation. Let’s look at what has truly changed and why your approach to digital forensics needs a refresh.

From A.16.1.7 to Annex A 5.28: A New Organizational Focus

In the 2013 version of ISO 27001, the collection of evidence was tucked away at the very end of the Incident Management domain as A.16.1.7 (Collection of evidence). Because it was grouped with reactive incident controls, many organisations only thought about evidence after a disaster had already occurred.

The 2022 update has reclassified this as Annex A 5.28 and moved it into the “Organisational Controls” theme. This is a subtle but powerful shift. It means that evidence collection is no longer just a technical step in a recovery plan; it is a fundamental organisational process that must be planned for in advance. According to the compliance experts at Hightable.io, this change emphasizes that the procedures for gathering evidence must be ready to go before an event happens to ensure that the integrity of the data is never compromised.

Strengthening the “Chain of Custody”

One of the most significant changes in the 2022 version of Annex A 5.28 is the increased emphasis on the integrity and admissibility of evidence. In the 2013 version, the requirement was somewhat broad, asking organisations to “identify, collect, acquire and preserve” information.

The 2022 update goes deeper into the “how.” It aligns more closely with international standards for digital forensics (such as ISO/IEC 27037, which covers the identification, collection, acquisition and preservation of digital evidence). As noted by Hightable.io, the new expectation is that your procedures must ensure a clear “chain of custody”: you need to be able to prove who handled the data, when they handled it and why, and that it has not been altered since the moment it was collected. In practice that means recording a cryptographic hash of each item at the point of acquisition and re-verifying it every time the item changes hands or storage. If you cannot demonstrate this, the evidence may be ruled inadmissible or given little weight in court, and it will not stand up in a formal regulatory report.

Broader Scope: Internal vs. External Evidence

In the 2013 framework, evidence collection was often viewed through the lens of catching a “bad actor” or dealing with an external hack. The 2022 version of Annex A 5.28 acknowledges a much wider range of scenarios. You now need to consider evidence collection for:

  • Internal Disciplinary Actions: Ensuring evidence of employee misconduct is gathered fairly and legally.
  • Regulatory Reporting: Providing verifiable logs to bodies like the ICO or financial regulators.
  • Contractual Disputes: Using system logs to prove whether a supplier met or failed their Service Level Agreements (SLAs).
  • Commercial Litigation: Protecting the organization’s interests in legal battles that may have nothing to do with a “cyber attack.”

The Requirement for Forensic Competence

A major change in the implementation guidance for the 2022 standard is the focus on competence. Collecting digital evidence is a specialist skill. If an untrained IT admin simply copies a file with everyday tools, the copy can end up with different metadata from the original (depending on the tool and platform, a plain copy may reset the “last modified” or “created” timestamps), and if no hash of the original was taken first there is no way to prove what, if anything, was changed. That can undermine or destroy the evidential value of the data.

Annex A 5.28 now suggests that organizations should identify the people responsible for evidence collection and ensure they have the right tools and training. Hightable.io highlights that for many smaller organizations, this requirement is often met by having a pre-signed contract with an external digital forensics firm, ensuring that expert help is available the moment it is needed.

What Auditors Are Looking For in the 2022 Version

During a transition audit, the “evidence” for your evidence collection process has become more rigorous. Auditors will be looking for proof that you have planned for the worst-case scenario. This includes:

  • Documented Forensic Procedures: A step-by-step guide on how to image a hard drive, export cloud logs, or secure a mobile device without destroying data.
  • Chain of Custody Templates: Ready-to-use forms that track the movement and storage of evidence.
  • Secure Storage Proof: Evidence that collected data is stored in a way that prevents unauthorized access or tampering (e.g., hashed files or write-once media).
  • Alignment with Legislation: Documentation showing that your evidence collection methods comply with the laws of the jurisdictions you operate in.
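To make the chain-of-custody and secure-storage points above concrete, here is an added worked example (written for this page; it is not code from Hightable.io, from the ISO standard, or from any forensic tool) of the small evidence lifecycle those points describe: a metadata-preserving acquisition that hashes the item with SHA-256 before anything else touches it, a custody log whose entries are hash-linked so that an edited entry is detectable, a read-only copy as a software stand-in for write-once media, and a verification routine that fails if either the stored item or the log changes. The sample log content, the handler names and the file locations are constructed for illustration and are not real data.

```python
import copy
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Constructed sample evidence for the demo (not a real log).
SAMPLE_LOG = (
    b"2024-03-01T02:14:07Z sshd[4021]: Accepted publickey for svc-backup from 10.0.8.17\n"
    b"2024-03-01T02:14:09Z sudo: svc-backup : COMMAND=/usr/bin/tar -czf /tmp/db.tgz /var/lib/pg\n"
)
GENESIS = "0" * 64  # prev_entry_hash of the first custody entry


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so a large disk image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def entry_digest(entry):
    """Canonical hash of a custody entry, excluding its own entry_hash field."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_custody(record, handler, action):
    """Append a custody entry linked to the previous one: editing an earlier entry breaks the chain."""
    prev = record["custody"][-1]["entry_hash"] if record["custody"] else GENESIS
    entry = {"when_utc": datetime.now(timezone.utc).isoformat(), "who": handler, "action": action,
             "item_sha256": sha256_file(record["item"]), "prev_entry_hash": prev}
    entry["entry_hash"] = entry_digest(entry)
    record["custody"].append(entry)
    return entry


def acquire(source, evidence_dir, handler):
    """Record original metadata, take a metadata-preserving copy, hash it, open the custody log."""
    st = os.stat(source)  # capture size and timestamps before anything touches the file
    os.makedirs(evidence_dir, exist_ok=True)
    dest = os.path.join(evidence_dir, os.path.basename(source))
    shutil.copy2(source, dest)  # copy2 keeps mtime/atime; shutil.copy() and drag-and-drop may not
    digest = sha256_file(dest)
    if sha256_file(source) != digest:
        raise RuntimeError("acquired copy does not match the source")
    os.chmod(dest, 0o444)  # read-only: a software stand-in for write-once media
    record = {"item": dest, "source": source, "sha256": digest, "custody": [],
              "original_size": st.st_size,
              "original_mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat()}
    append_custody(record, handler, "acquired")
    return record


def verify(record):
    """Return (ok, problems): stored item unchanged and every custody entry intact and linked."""
    problems = []
    if sha256_file(record["item"]) != record["sha256"]:
        problems.append("item hash mismatch: evidence altered since acquisition")
    prev = GENESIS
    for i, e in enumerate(record["custody"]):
        if entry_digest(e) != e["entry_hash"]:
            problems.append(f"custody entry {i} was edited")
        if e["prev_entry_hash"] != prev:
            problems.append(f"custody entry {i} does not link to the previous entry")
        prev = e["entry_hash"]
    return (not problems, problems)


def demo():
    """Run the lifecycle on the constructed sample and return what verify() reports at each stage."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "auth.log")
        with open(source, "wb") as f:
            f.write(SAMPLE_LOG)
        record = acquire(source, os.path.join(tmp, "evidence"), handler="analyst-1")
        append_custody(record, "analyst-2", "transferred to secure evidence store")
        mtime_kept = abs(os.stat(record["item"]).st_mtime - os.stat(source).st_mtime) < 2
        before_ok, _ = verify(record)
        forged = copy.deepcopy(record)  # forge the log: change who handled the transfer
        forged["custody"][1]["who"] = "someone-else"
        log_ok, log_problems = verify(forged)
        os.chmod(record["item"], 0o644)  # tamper with the stored item: writable again, then append
        with open(record["item"], "ab") as f:
            f.write(b"\n")
        after_ok, problems = verify(record)
        return {"mtime_preserved": mtime_kept, "custody_entries": len(record["custody"]),
                "before_ok": before_ok, "log_tamper_ok": log_ok, "log_problems": log_problems,
                "after_ok": after_ok, "problems": problems}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it directly to see the verification result before and after the two simulated tamperings. Two design points carry over to a real procedure: hash the original before any copy is made, because a hash taken afterwards only proves the copy matches itself; and keep the custody log somewhere the people handling the evidence cannot silently rewrite (a signed or witnessed record, or a store with write-once semantics), since the hash chain detects edits but cannot prevent someone from regenerating the whole log.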

Practical Impact: Modernizing Your Incident Toolkit

If you are moving from the 2013 version to the 2022 update, your Incident Response Plan needs a dedicated “Forensics” chapter. You should move away from ad-hoc data gathering and toward a structured “Evidence Lifecycle.”

Hightable.io suggests that a key part of this transition is “pre-computation”: ensuring your systems are already configured to log the right information before an incident occurs, because you cannot collect evidence that was never recorded in the first place. In practice that also means retaining logs for long enough to cover the gap between an incident and its discovery, and keeping system clocks synchronised so that the timestamps in your evidence can be relied upon.

Why This Change Matters for Your Business

The transition from ISO 27001:2013 to the 2022 version of Annex A 5.28 reflects a world that is increasingly litigious and regulated. By treating evidence collection as a core organizational control, the standard helps you protect your organization from more than just hackers: it also protects you from the legal and reputational fallout that follows a lack of proof.

For organizations looking to bridge the gap between the old 2013 reactive stance and the new 2022 proactive requirement, using the evidence collection checklists and chain of custody templates at Hightable.io can help you ensure that when you need to prove what happened, you have the data to back it up.