The order of volatility determines the sequence in which digital evidence should be collected — starting with the most volatile data. CPU registers and cache disappear in milliseconds, RAM contents are lost on power loss, while disk data is comparatively persistent. In an ISMS, the order of volatility is part of the forensic response procedure for security incidents. Ignoring it risks losing critical evidence. RFC 3227 describes the principle in detail.