
ISO27001 and the Collection of Evidence

Incident management is becoming increasingly important within information security as the realization grows that even the most effective defence in depth doesn’t always prevent a breach from happening.

The ISO27001 standard dedicates section A.16 of Annex A to a selection of seven controls designed to make incident management as good as it can be in the circumstances.  One of these controls, A.16.1.7, deals with the collection of evidence, stating that “The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence.”

An excellent demonstration of the principles and tools involved in such digital forensics was given by Russ May, a visiting Professor at Sunderland University in the UK, at a meeting of the information security group ISACA. Ken Holmes, CertiKit’s CEO and ISMS expert, shares the four main principles.

Editor’s note: The original post was published in October 2015, and updates have been made in February 2022 for accuracy and comprehensiveness.

A specialist area

The first thing to say is that this is a very specialist area and things have to be done in a certain way, otherwise the evidence will be inadmissible in court. In ISO27001 terms this means that your procedures need to acknowledge that and take the initial steps to secure the scene and avoid making any basic errors. As far as the control goes, it is perfectly acceptable within ISO27001 to then call in a specialist organization who will take over from there. The investigation of the evidence should then take place under the control of your incident management procedures (Annex A – A.16.1.1 Responsibility and procedures), often led by your legal team.

So what should the first responders know about securing the scene before the specialists arrive? Well, there are 4 principles that are generally accepted as good practice to ensure that evidence stays admissible.

Principle 1

Don’t change any data. If anyone does anything that results in the data on the relevant system being altered in any way then this will affect any subsequent court case. Examples could be as simple as waking up a laptop or logging on. So think before you touch anything.

Principle 2

(Really one for the specialists, this.) Only access the original data in exceptional circumstances. The first thing a specialist will do is use specialist tools to take a bit-for-bit copy of any data held on the device, whether it’s on a hard disk, flash memory or maybe a SIM card on a phone. All analysis then takes place on the copy, and the original is never touched unless time is of the essence and gaining information to prevent a further crime is more important than keeping the evidence admissible (this is rare).

Principle 3

Always keep an audit trail of what has been done. Forensic tools will do this automatically but this also applies to the first people on the scene. Taking photographs and videos is encouraged as long as you don’t touch anything to do it.
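Principles 2 and 3 can be shown together in a short script. This is an added example, not part of the original article or any CertiKit tooling: it assumes the specialist has already taken the bit copy and saved it as an image file, and the file names, the actor name and the JSON-lines log format are all hypothetical.

```python
import hashlib, json, shutil, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:                      # opened read-only, 1 MiB chunks
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def _digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

def log_action(log, actor, action, detail):
    """Append an audit entry chained to the previous one by hash."""
    log = Path(log)
    lines = log.read_text().splitlines() if log.exists() else []
    prev = json.loads(lines[-1])["entry_hash"] if lines else "0" * 64
    entry = {"utc": datetime.now(timezone.utc).isoformat(), "actor": actor,
             "action": action, "detail": detail, "prev": prev}
    entry["entry_hash"] = _digest(entry)
    with log.open("a") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")

def verify_log(log):
    """Re-check the chain; an edited or removed earlier entry breaks it."""
    prev = "0" * 64
    for line in Path(log).read_text().splitlines():
        entry = json.loads(line)
        claimed = entry.pop("entry_hash")
        if entry["prev"] != prev or _digest(entry) != claimed:
            return False
        prev = claimed
    return True

def make_working_copy(image, workdir, log, actor):
    """Hash the image, copy it, prove the copy is identical, log every step."""
    image = Path(image)
    original = sha256_file(image)
    log_action(log, actor, "hash-original", {"file": image.name, "sha256": original})
    copy = Path(workdir) / (image.name + ".working")
    shutil.copyfile(image, copy)
    matches = sha256_file(copy) == original
    log_action(log, actor, "copy-verified" if matches else "copy-MISMATCH", {"file": copy.name})
    if not matches:
        raise ValueError("working copy differs from the original image")
    return copy, original

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:         # constructed sample data
        img = Path(d, "evidence.img"); img.write_bytes(b"constructed sample image " * 1000)
        copy, digest = make_working_copy(img, d, Path(d, "custody.jsonl"), "first.responder")
        print(copy.name, digest, verify_log(Path(d, "custody.jsonl")))
```

Analysis then runs only against the `.working` file; re-hashing the original image later and comparing it with the logged value shows it has not changed since the copy was made.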

Principle 4

The person in charge must ensure that the guidelines are followed. Few excuses are accepted in court so training staff to respond appropriately is a must.

Data is very persistent

Obviously digital evidence comes in an increasing variety of forms, with mobile phones and tablets now taking over from laptops as the major focus of investigations in criminal cases. The sheer volume and level of detail that can be extracted from many of these devices is remarkable, even after they have been theoretically wiped by reset routines. Professor May gave an example of a wiped Blackberry purchased second-hand on eBay which gave up a treasure trove of information about who the previous owner was, where he lived and, through GPS records stored on the phone, even where he had been. The moral is that wiping doesn’t get rid of the data.

The main point of this from an ISO27001 angle is to ensure that your procedures for the disposal of mobile devices and removable media (Annex A.6.2.1 Mobile device policy and A.8.3.2 Disposal of media) are effective enough to ensure that this type of data doesn’t end up in the wrong hands. Unfortunately, the only way to ensure this is complete destruction, but given the relative cost of modern devices against the value of your organization’s data and reputation, this has to be the way to go.

Our thanks to Professor May and ISACA for this valuable update.

How can CertiKit help with your ISO27001 certification?

At CertiKit, information security is at the heart of everything we do, and this is reflected in our team of experienced and qualified experts. Whatever assistance you require with your ISO27001 compliance, we can help.

From guidance via our award-winning toolkit, through to consultancy, and internal auditing, we have the tools and personnel available to streamline your ISMS implementation and prepare you for certification fast. Whatever stage you’re at, our products and services are available to ensure your management system conforms to the highest standards.
