The chain of custody is the complete documentation of the possession history of evidence — from collection through storage to presentation in court or an audit. Every transfer of possession is recorded.
In an ISMS context, ISO 27001 Annex A control A.5.28 (Collection of Evidence) requires maintaining evidence integrity. An intact chain of custody ensures that digital evidence (log files, disk images, memory dumps) is considered credible in court or internal investigations. Requirements include forensic copies rather than originals, cryptographic hash values for integrity verification, access logs for storage locations, and named responsible persons for each handover. Without a documented chain of custody, evidence can be challenged.