Blog ISO27001 and the Collection of Evidence

A specialist area

The first thing to say is that this is a very specialist area and things have to be done in a certain way otherwise the evidence will be inadmissible in court. In ISO27001 terms this means that your procedures need to acknowledge that and take the initial steps to secure the scene and avoid making any basic errors. As far the control goes, it is perfectly acceptable within ISO27001 to then call in a specialist organization who will take over from there. The investigation of the evidence should then take place under the control of your incident management procedures (Annex A – A.5.26 Response to information security incidents), often led by your legal team.

So what should the first responders know about securing the scene before the specialists arrive? Well, there are 4 principles that are generally accepted as good practice to ensure that evidence stays admissible.

Principle 1

Don’t change any data. If anyone does anything that results in the data on the relevant system being altered in any way then this will affect any subsequent court case. Examples could be as simple as waking up a laptop or logging on. So think before you touch anything.

Principle 2

(Really one for the specialists, this) Only access the original data in exceptional circumstances. The first thing a specialist will do is use some tools to take a bit copy of any data held in memory, whether it’s on a hard disk, flash memory or maybe a SIM card on a phone. All analysis then takes place on the copy and the original is never touched unless maybe time is of the essence and gaining information to prevent a further crime is more important than keeping the evidence admissible (this is rare).

Principle 3

Always keep an audit trail of what has been done. Forensic tools will do this automatically but this also applies to the first people on the scene. Taking photographs and videos is encouraged as long as you don’t touch anything to do it.

Principle 4

The person in charge must ensure that the guidelines are followed. Few excuses are accepted in court so training staff to respond appropriately is a must.

Data is very persistent

Obviously digital evidence comes in an increasing variety of forms, with mobiles phones and tablets now taking over from laptops as the major focus of investigations in criminal cases. The sheer volume and level of detail that can be extracted from many of these devices is remarkable even after they have been theoretically wiped by reset routines. Professor May gave an example of a wiped Blackberry purchased second-hand on eBay which was gave up a treasure trove of information about who the previous owner was, where he lived and, through GPS records stored on the phone, even where he had been. The moral is that wiping doesn’t get rid of the data.

The main point of this from an ISO27001 angle is to ensure that your procedures for the disposal of mobile devices and removable media (Annex A.8.1 User endpoint devices and A.7.14 Secure disposal or re-use of equipment) are effective enough to ensure that this type of data doesn’t end up in the wrong hands. The only way to ensure this unfortunately is complete destruction but given the relative cost of modern devices against the value of your organization’s data and reputation, this has to be the way to go.

Our thanks to Professor May and ISACA for this valuable update.

More ISO27001 resources

CertiKit is a provider of ISO toolkits, consultancy and internal auditing services, and has helped more than 4000 organizations worldwide with their compliance.

For more guidance on implementing the ISO27001:2022 standard, we’ve put together a list of our best free resources including video guides, blogs and downloadable documents.

Free ISO27001 Resources