ISO 27001 Annex A 5.28 Collection Of Evidence

What is ISO 27001 Annex A 5.28 Collection of Evidence?

ISO 27001 Annex A 5.28 requires a documented procedure for identifying, collecting, acquiring and preserving digital evidence. It ensures that organisations preserve information following a security incident in a way that protects the integrity and admissibility of the data for potential legal action. The procedure should integrate into business-as-usual tools such as SharePoint rather than sit in a separate compliance system.

Auditor’s Eye: The Shortcut Trap

Reliance on automated SaaS compliance platforms often creates a dangerous disconnect. These platforms show a “green tick” for evidence collection without verifying the actual forensic process. Auditors frequently find that staff cannot explain the chain of custody. We prefer seeing evidence within your native document repositories. Internal SharePoint versioning and Jira audit logs provide far better proof of oversight. Automated tools cannot replace human accountability in a forensic context. If your team cannot manually demonstrate evidence integrity, you are not compliant.

2013 Control Reference: 16.1.7 Collection of evidence
2022 Control Reference: 5.28 Collection of evidence
Changes in ISO 27001:2022: The control is now a standalone administrative requirement. It emphasises the need for consistent evidence handling across all incident types.

How to Implement ISO 27001 Annex A 5.28 (Step-by-Step)

Implementation starts by defining how your team identifies and captures digital data. Use existing organizational tools to document every action taken during an incident. This approach makes security a natural part of your technical operations. It avoids the need for external compliance software.

  • Define Evidence Types: Identify what constitutes evidence in your environment. Store this list in your internal wiki.
  • Document the Procedure: Write a clear evidence handling policy. Save it in SharePoint with strict version controls.
  • Integrate with Ticketing: Use Jira to track the movement of evidence. Assign tasks to specific individuals to maintain accountability.
  • Log Chain of Custody: Record who handled the data and when. Use a template that requires manual verification.
  • Train the Team: Conduct internal workshops on forensic principles. Use your own systems to demonstrate the process.

ISO 27001 Annex A 5.28 Audit Evidence Checklist

  • Internal policy documents outlining forensic collection standards.
  • Chain of custody forms signed by IT staff and management.
  • Version histories of evidence logs maintained in SharePoint.
  • Internal audit reports reviewing the effectiveness of incident response.
  • System configuration logs showing restricted access to evidence folders.

Relational Mapping

  • Clause 10.1: Continual improvement of the evidence process.
  • Annex A 5.24: Incident management planning.
  • Annex A 5.26: Response to information security incidents.
  • Annex A 5.27: Learning from security events.

Auditor Interview

Auditor: How do you ensure digital evidence remains untampered?

Manager: We calculate hash values at the point of capture. We record these values in our restricted Jira tickets.

Auditor: Where do you store your chain of custody logs?

Manager: They reside in a locked SharePoint folder. Only the Security Manager and Legal Counsel have access.

Common Non-Conformities

Non-Conformity Type: Automated Complacency
  Auditor Observation: User depends on a SaaS tool but lacks an internal manual procedure.
  Remediation Strategy: Document the process within SharePoint and conduct manual drills.

Non-Conformity Type: Broken Chain of Custody
  Auditor Observation: Evidence was handled by multiple staff without a recorded log.
  Remediation Strategy: Implement a strict sign-off process within the incident response workflow.

Non-Conformity Type: Lack of Integrity Proof
  Auditor Observation: Files were moved without recording initial hash values.
  Remediation Strategy: Update the collection procedure to require hashing at the source.
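The implementation steps above, the manager's interview answer about hashing at the point of capture, and the "Broken Chain of Custody" and "Lack of Integrity Proof" findings all describe the same small mechanism: hash the evidence at the source, name every person who handles it, and re-check the hash on each hand-over. The following Python script is an added example written for this page; it is not code from the page's author or from any product the page mentions. It assumes evidence items are ordinary files on disk and keeps the custody log as an in-memory list of entries (a real deployment would write each entry to the restricted Jira ticket or SharePoint library the page describes). The file contents, handler names and the sequence of hand-overs are constructed sample data.

```python
"""Added example: a minimal chain-of-custody log with hashing at capture.

Illustrative code, not part of the original page and not any project's
tooling. Assumptions: evidence items are files on disk; the log is a list of
dict entries held in memory (constructed here); the first entry in the log is
always the capture record and carries the reference digest.
"""
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    """Stream the file through SHA-256 so large images need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _entry(action, path, handler, digest, **extra):
    # Every entry answers the auditor's two questions: who handled it, and when.
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "action": action,
        "item": Path(path).name,
        "handler": handler,
        "sha256": digest,
    }
    entry.update(extra)
    return entry


def _capture_digest(log):
    """The reference value is the digest recorded at capture (assumed first entry)."""
    return log[0]["sha256"]


def capture(path, handler, log):
    """Hash at the source, before the file is moved anywhere, and open the log."""
    digest = sha256_file(path)
    size = Path(path).stat().st_size
    log.append(_entry("captured", path, handler, digest, size=size))
    return digest


def transfer(path, from_handler, to_handler, log):
    """Record a hand-over: both parties are named and the hash is re-checked."""
    digest = sha256_file(path)
    intact = digest == _capture_digest(log)
    log.append(_entry("transferred", path, to_handler, digest,
                      received_from=from_handler, matches_capture=intact))
    return intact


def verify(path, log):
    """Does the file still match the digest recorded at capture?"""
    return sha256_file(path) == _capture_digest(log)


def custody_gaps(log):
    """Find hand-overs whose named sender is not the last recorded holder.

    This is the page's 'Broken Chain of Custody' finding: evidence passed
    between staff without a matching sign-off. Returns (expected holder,
    claimed sender, receiver) tuples.
    """
    gaps = []
    holder = log[0]["handler"]
    for e in log[1:]:
        if e["action"] == "transferred":
            if e["received_from"] != holder:
                gaps.append((holder, e["received_from"], e["handler"]))
            holder = e["handler"]
    return gaps


def demo():
    """Constructed scenario: a clean hand-over, an unrecorded one, then tampering."""
    with tempfile.TemporaryDirectory() as d:
        item = Path(d) / "webserver-access.log"   # constructed sample evidence
        item.write_bytes(b"constructed sample evidence\n")
        log = []
        digest = capture(item, "alice (analyst)", log)
        ok1 = transfer(item, "alice (analyst)", "bob (security manager)", log)
        # Bob is never recorded handing the file to carol, yet carol passes it on.
        ok2 = transfer(item, "carol (legal counsel)", "dave (external examiner)", log)
        item.write_bytes(b"constructed sample evidence - edited\n")  # tampering
        return {
            "capture_digest": digest,
            "hash_ok_after_first_transfer": ok1,
            "hash_ok_after_second_transfer": ok2,
            "intact_now": verify(item, log),
            "gaps": custody_gaps(log),
            "entries": len(log),
        }


if __name__ == "__main__":
    print(demo())
```

Running the script shows both hand-overs passing the hash check (the file was unchanged at that point) while `custody_gaps` still reports the missing sign-off between bob and carol, and `verify` fails once the file is edited. Hash checks and custody records answer different questions, which is why the page lists them as separate non-conformities.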

Frequently Asked Questions

How does ISO 27001 define evidence collection?

ISO 27001 defines it as a set of procedures to identify and preserve digital information. This data must support internal investigations or legal requirements. You should manage this through your internal document management system. Documentation must prove the data has not been modified since collection.

Can we store evidence in the cloud?

Yes, provided you control the access and integrity. Use restricted SharePoint libraries or AWS S3 buckets with object locking. You must document these controls in your forensic procedure. Avoid generic cloud storage that lacks detailed access auditing. Ensure your internal team manages the encryption keys.

What is the most common audit failure for 5.28?

The most common failure is a lack of procedural evidence. Many firms assume their IT team “just knows” how to collect data. Auditors require a written, approved procedure within your BMS. Without this, the collection is considered ad-hoc. This leads to a major non-conformity during the audit.

LA CASA DE CERTIFICACIÓN