Get in touch

Get in touch

  • This field is for validation purposes and should be left unchanged.

Privacy Notice

X

When you submit an enquiry via our website, we use the personal data you supply to respond to your query, including providing you with any requested information about our products and services. We may also email you several times after your enquiry in order to follow up on your interest and ensure that we have answered your it to your satisfaction. We will do this based on our legitimate interest in providing accurate information prior to a sale. Your enquiry is stored and processed as an email which is hosted by Microsoft within the European Economic Area (EEA). We keep enquiry emails for two years, after which they are securely archived and kept for seven years, when we delete them.

Reveal Menu

ISO27001 and the Collection of Evidence

Incident management is becoming increasingly important within information security as the realization that even the most effective defence in depth doesn’t always prevent a breach from happening.

The ISO27001 standard in its 2022 update dedicates five or so controls in Annex A to making incident management as good as it can be in the circumstances.  One of these controls, A.5.28, deals with the collection of evidence, stating that “The organization shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.”

An excellent demonstration of the principles and tools involved in such Digital Forensics was given by Russ May,  a visiting Professor at Sunderland University in the UK at a meeting of the information security group ISACA.  Ken Holmes, CertiKit’s CEO and ISMS expert shares the four main principles.

Editor’s note: The original post was published in October 2015, and updates have been made in November 22 to reflect the 2022 standard. 

A specialist area

The first thing to say is that this is a very specialist area and things have to be done in a certain way otherwise the evidence will be inadmissible in court. In ISO27001 terms this means that your procedures need to acknowledge that and take the initial steps to secure the scene and avoid making any basic errors. As far the control goes, it is perfectly acceptable within ISO27001 to then call in a specialist organization who will take over from there. The investigation of the evidence should then take place under the control of your incident management procedures (Annex A – A.5.26 Response to information security incidents), often led by your legal team.

So what should the first responders know about securing the scene before the specialists arrive? Well, there are 4 principles that are generally accepted as good practice to ensure that evidence stays admissible.

Principle 1

Don’t change any data. If anyone does anything that results in the data on the relevant system being altered in any way then this will affect any subsequent court case. Examples could be as simple as waking up a laptop or logging on. So think before you touch anything.

Principle 2

(Really one for the specialists, this) Only access the original data in exceptional circumstances. The first thing a specialist will do is use some tools to take a bit copy of any data held in memory, whether it’s on a hard disk, flash memory or maybe a SIM card on a phone. All analysis then takes place on the copy and the original is never touched unless maybe time is of the essence and gaining information to prevent a further crime is more important than keeping the evidence admissible (this is rare).

Principle 3

Always keep an audit trail of what has been done. Forensic tools will do this automatically but this also applies to the first people on the scene. Taking photographs and videos is encouraged as long as you don’t touch anything to do it.

Principle 4

The person in charge must ensure that the guidelines are followed. Few excuses are accepted in court so training staff to respond appropriately is a must.

Data is very persistent

Obviously digital evidence comes in an increasing variety of forms, with mobiles phones and tablets now taking over from laptops as the major focus of investigations in criminal cases. The sheer volume and level of detail that can be extracted from many of these devices is remarkable even after they have been theoretically wiped by reset routines. Professor May gave an example of a wiped Blackberry purchased second-hand on eBay which was gave up a treasure trove of information about who the previous owner was, where he lived and, through GPS records stored on the phone, even where he had been. The moral is that wiping doesn’t get rid of the data.

The main point of this from an ISO27001 angle is to ensure that your procedures for the disposal of mobile devices and removable media (Annex A.8.1 User endpoint devices and A.7.14 Secure disposal or re-use of equipment) are effective enough to ensure that this type of data doesn’t end up in the wrong hands. The only way to ensure this unfortunately is complete destruction but given the relative cost of modern devices against the value of your organization’s data and reputation, this has to be the way to go.

Our thanks to Professor May and ISACA for this valuable update.


More ISO27001 resources

CertiKit is a provider of ISO toolkits, consultancy and internal auditing services, and has helped more than 4000 organizations worldwide with their compliance.

For more guidance on implementing the ISO27001:2022 standard, we’ve put together a list of our best free resources including video guides, blogs and downloadable documents.

Free ISO27001 Resources

We’ve helped more than 7000 businesses with their compliance

Testimonials

I am very pleased to have found you and would like to say thanks for the toolkit, it made my life so much easier.

RFIB Group Ltd
UK

View all Testimonials