Annex A · Organisational Control

A.5.28 — Collection of Evidence

4 min read · Reviewed by: Cenedril Editorial
A.5.28 · ISO 27001 · ISO 27002 · BSI DER.2.2

An employee copies confidential client data to a personal USB drive. IT discovers the activity in the access logs, but the logs are overwritten before anyone thinks to preserve them. When the case reaches the employment tribunal, the organisation has no admissible evidence. A.5.28 requires procedures that prevent this situation — ensuring evidence is identified, collected and preserved in a forensically sound manner.

Evidence collection bridges the gap between incident response and accountability. Whether the goal is internal disciplinary action, regulatory reporting or criminal prosecution, the evidence must be collected systematically and its integrity must be demonstrable.

What does the standard require?

  • Define evidence procedures. The organisation must establish procedures for the identification, collection, acquisition and preservation of evidence related to information security incidents.
  • Ensure admissibility. Evidence must be collected in a way that meets the requirements of relevant jurisdictions — different legal systems have different standards for admissibility.
  • Maintain chain of custody. Every transfer of evidence between persons or systems is documented, creating an unbroken record from collection to presentation.
  • Protect evidence integrity. Use write-blockers when imaging storage media, cryptographic hash values (SHA-256 or stronger; MD5 alone is no longer adequate for collision resistance) computed at acquisition and re-verified at every transfer, and secure storage for physical and digital evidence. Work on verified copies and keep the original image untouched.
  • Involve qualified personnel. Staff who collect and handle evidence must be trained. For complex cases, certified forensic specialists should be engaged.

In practice

Create a forensic readiness plan. Define in advance what types of evidence your systems can produce (logs, disk images, network captures, CCTV footage), where they are stored, how long they are retained and who is authorised to collect them. Check in particular that log retention outlasts the time it typically takes to detect an incident; otherwise the scenario above, where the logs are overwritten before anyone preserves them, repeats. This preparation saves critical time during an active incident.

Secure volatile evidence first. RAM contents, running processes and active network connections are lost when a system is powered off, so collect in order of volatility (memory and network state before disk, disk before backups and archives) and do not reboot or shut down a machine before the volatile data has been captured. Acquiring memory necessarily alters the system (the capture tool itself is loaded into RAM); this is defensible as long as the tool, its version, the acquisition time and the operator are documented.

Use validated forensic tools. Commercial and open-source forensic suites (EnCase, FTK, Autopsy with The Sleuth Kit) provide imaging, hashing and analysis capabilities; write-blocking is normally provided by a dedicated hardware write-blocker rather than by the analysis software. Use tools whose output is accepted by courts in your jurisdiction (the NIST Computer Forensic Tool Testing programme publishes independent test results for imaging and write-blocking tools). Maintain a forensic toolkit that is tested and ready to deploy, and record the name and version of every tool used in a case.

Establish secure evidence storage. Physical evidence goes into tamper-evident bags or locked cabinets with access logs. Digital evidence is stored on dedicated, access-controlled media with integrity monitoring, and analysis is performed on verified working copies so the original image is never altered. Both require documented access restrictions.
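The chain-of-custody and hash-verification requirements above are easy to state and easy to get subtly wrong: the reference hash must be taken at acquisition, every hand-over must re-hash the evidence and refuse the transfer on a mismatch, and the custody record itself must be tamper-evident. The following is an added example written for this page, not code from the standard, from BSI or from any forensic product. It keeps a per-item custody ledger in which each entry carries the SHA-256 of the evidence and the hash of the previous entry, so that both a modified image and a retroactively edited ledger entry are detected. The case identifier, handler names, acquisition method string and the sample "disk image" are all constructed.

```python
"""Chain-of-custody ledger with integrity verification (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_entry_hash of the first ledger entry


class IntegrityError(Exception):
    """Raised when the evidence no longer matches its reference hash."""


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream-hash a file so a multi-GB disk image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def entry_hash(entry: dict) -> str:
    """Hash one ledger entry over canonical JSON (independent of key order)."""
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


class CustodyLedger:
    """Chain-of-custody record for a single evidence item (e.g. a disk image)."""

    def __init__(self, evidence_id: str, path: str):
        self.evidence_id = evidence_id
        self.path = path
        self.entries: list[dict] = []

    def _append(self, action: str, handler: str, note: str, digest: str) -> dict:
        entry = {
            "evidence_id": self.evidence_id,
            "seq": len(self.entries),
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "handler": handler,
            "note": note,
            "sha256": digest,
            # Link to the previous entry: editing or deleting an old entry
            # breaks every link after it, which verify_ledger() will notice.
            "prev_entry_hash": entry_hash(self.entries[-1]) if self.entries else GENESIS,
        }
        self.entries.append(entry)
        return entry

    def acquire(self, collector: str, method: str) -> dict:
        """First entry: the reference hash, computed at the moment of acquisition."""
        if self.entries:
            raise ValueError("evidence already has an acquisition entry")
        return self._append("acquired", collector, method, sha256_file(self.path))

    def reference_hash(self) -> str:
        return self.entries[0]["sha256"]

    def transfer(self, from_handler: str, to_handler: str) -> dict:
        """Re-hash at every hand-over; refuse the transfer if the image changed."""
        digest = sha256_file(self.path)
        if digest != self.reference_hash():
            raise IntegrityError(
                f"{self.evidence_id}: hash {digest[:12]}... differs from reference "
                f"{self.reference_hash()[:12]}... at transfer {from_handler} -> {to_handler}"
            )
        return self._append("transferred", to_handler, f"from {from_handler}", digest)

    def verify_ledger(self) -> bool:
        """Check the ledger itself: every link and every recorded hash must agree."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev_entry_hash"] != prev or entry["sha256"] != self.reference_hash():
                return False
            prev = entry_hash(entry)
        return True


def run_demo() -> dict:
    """Constructed scenario: acquire, two clean transfers, then two kinds of tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "laptop-0042.E01")  # constructed sample, not a real image
        with open(image, "wb") as f:
            f.write(b"CONSTRUCTED SAMPLE DISK IMAGE\x00" * 1024)

        ledger = CustodyLedger("EV-2024-0042", image)  # hypothetical case identifier
        ledger.acquire("a.mueller (IT security)", "dc3dd via hardware write-blocker")
        ledger.transfer("a.mueller (IT security)", "evidence locker, cabinet 3")
        ledger.transfer("evidence locker, cabinet 3", "external forensic lab")
        clean_ledger_ok = ledger.verify_ledger()

        # Simulate a single modified byte on the stored image after hand-over.
        with open(image, "r+b") as f:
            f.seek(100)
            f.write(b"X")
        try:
            ledger.transfer("external forensic lab", "legal counsel")
            tamper_detected = False
        except IntegrityError:
            tamper_detected = True

        # Simulate someone rewriting an old ledger entry after the fact.
        ledger.entries[1]["handler"] = "someone else"
        ledger_edit_detected = not ledger.verify_ledger()

    return {
        "entries": len(ledger.entries),
        "clean_ledger_ok": clean_ledger_ok,
        "tamper_detected": tamper_detected,
        "ledger_edit_detected": ledger_edit_detected,
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

In a real deployment the ledger entries would be written to append-only, access-controlled storage (or signed by the handler) rather than kept in memory, and the failed transfer would itself be logged as an incident; the point the example makes is that the hash recorded at acquisition is the anchor for every later check, and that the custody record needs its own integrity protection, not just the evidence.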

Typical audit evidence

Auditors typically expect the following evidence for A.5.28:

  • Evidence collection procedure — documented, approved and covering digital and physical evidence
  • Chain-of-custody records — forms or logs showing who handled each piece of evidence and when
  • Forensic tool inventory — list of tools used, their versions and validation status
  • Hash verification records — evidence that integrity checks were performed at collection and at each transfer
  • Training records — evidence that staff involved in evidence collection have received appropriate training

KPI

% of IS incidents with properly collected and preserved evidence

This KPI measures forensic readiness. Track the percentage of incidents where evidence was collected following the documented procedure, with complete chain-of-custody records and verified integrity. Target: 100% for incidents classified as high or critical.

Supplementary KPIs:

  • Time from incident detection to evidence preservation (target varies by evidence type)
  • Percentage of evidence collections with complete chain-of-custody documentation
  • Number of trained forensic responders available on-call

BSI IT-Grundschutz

A.5.28 maps to the BSI requirements for forensic investigation:

  • DER.2.2 (Forensic investigation) — covers the collection, analysis and documentation of digital evidence, including requirements for qualified personnel, validated tools and chain-of-custody procedures.

A.5.28 supports the incident management lifecycle (the neighbouring controls A.5.24 to A.5.27 on incident planning, assessment, response and lessons learned) with forensic capabilities.

Frequently asked questions

What is a chain of custody?

A documented record of every person who handled a piece of evidence, when they handled it, and what they did with it. The chain of custody demonstrates that evidence has not been tampered with between collection and its use in legal proceedings or disciplinary actions.

Can regular IT staff collect digital evidence?

For initial preservation steps (creating disk images, securing logs), trained internal staff can handle the process if they follow documented procedures. For complex forensic analysis or cases likely to go to court, engage certified forensic specialists. The critical factor is following a validated procedure and maintaining the chain of custody.

How long should evidence be retained?

Retention depends on the type of incident and applicable legal requirements. For incidents involving potential criminal prosecution, evidence may need to be retained for years. For internal disciplinary cases, retention aligns with employment law timelines. Define retention periods in your evidence management procedure and review them with legal counsel.