ISM-0137 policy ASD Information Security Manual (ISM)

Seek Legal Advice for Intrusion Evidence Collection

Before collecting evidence of cyber intrusions, get legal advice.

Plain language

If your computer systems get hacked, it's important to act carefully when collecting evidence. You should ask a lawyer for advice before gathering any data about the intrusion. This is crucial because doing it wrong could lead to legal trouble or not being able to use the evidence later to catch the culprit.

Framework

ASD Information Security Manual (ISM)

Control effect

Responsive

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2021

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Legal advice is sought before allowing intrusion activity to continue on a system for the purpose of collecting further data or evidence.

Why it matters

Without legal guidance, improper evidence collection can result in inadmissible data, jeopardising legal action against attackers.

Operational notes

Seek legal advice before allowing a suspected intrusion to continue for the purpose of gathering evidence, and document the approvals and scope.

Implementation tips

  • Business owners or managers should contact a legal professional: Before taking any steps when a cyber intrusion is suspected, reach out to a lawyer who understands technology-related legal issues. This helps ensure that any evidence you collect can be used later on if needed.
  • IT managers should prepare a list of legal contacts: Keep an up-to-date list of lawyers or legal firms that specialise in cyber security. Make sure this list is easily accessible to all relevant personnel to avoid delays during an incident.
  • Designate a response team: Appoint a small group responsible for handling intrusions and ensure they are briefed about seeking legal advice first. Provide them with training on the importance of legal considerations in evidence collection.
  • Develop an incident response checklist: Include a step that says 'Seek legal advice' as soon as you suspect a cyber intrusion. Train your staff to follow this checklist so they automatically think about legal counsel at the right time.
  • Communicate with staff about legal procedures: Hold a company-wide meeting or send out a memo to explain why seeking legal advice is necessary when dealing with a cyber intrusion. Clarify that this step helps protect the organisation legally and practically.

Audit / evidence tips

  • Ask: Records of legal consultation during past incidents. Request documents or emails showing that legal advice was sought when handling previous intrusions. Good: Evidence showing a consultation before major incident-handling decisions were made.
  • Ask: Them to describe the procedure followed to seek legal advice during an intrusion. Listen for a clear process, including when and who they contact for legal support. Good: A step-by-step explanation that matches documented procedures.
  • Good: Plan has clear legal consultation steps and a review date of no more than a year ago.
  • Good: Drill includes swift initiation of legal consultations without reminders.
  • Ask: To see the training materials for incident response. Review these materials to confirm they cover the importance and process of seeking legal advice. Good: Set of training materials is updated regularly and includes practical examples.
Cross-framework mappings

How ISM-0137 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially overlaps (1)

  • Annex A 5.28: Annex A 5.28 requires the organisation to implement procedures for identifying, collecting and preserving evidence from information secur...

Supports (3)

  • Annex A 5.24: ISM-0137 requires legal advice to be sought before choosing to let intrusion activity continue to collect further data or evidence
  • Annex A 5.26: ISM-0137 requires organisations to seek legal advice before allowing an intrusion to continue for evidence collection purposes
  • Annex A 5.31: ISM-0137 requires organisations to seek legal advice before permitting continued intrusion activity to gather evidence, explicitly addres...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
