ISM-0138 ASD Information Security Manual (ISM)

Ensure Integrity of Evidence in Investigations

Investigators ensure evidence stays intact during investigations by documenting actions and following legal guidelines.

Plain language

When you're investigating something like a cyber incident, it's crucial that any evidence you gather stays exactly as it was found. If this evidence gets tampered with, even accidentally, it can weaken your case or make it inadmissible if legal action is needed. Think of it as making sure no one moves or messes with anything at a crime scene until the investigation is complete.

Framework

ASD Information Security Manual (ISM)

Control effect

Responsive

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2023

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

The integrity of evidence gathered during an investigation is maintained by investigators:
  • recording all of their actions
  • maintaining a proper chain of custody
  • following all instructions provided by relevant law enforcement agencies.

Why it matters

Compromised evidence can sabotage investigations, leading to failed legal actions and damaged organisational reputation.

Operational notes

Train investigators on evidence handling, chain of custody and action logging; use tamper-evident storage and follow any law enforcement instructions.

Implementation tips

  • The IT department should be responsible for setting up a system to log every action taken during an investigation. This means maintaining detailed notes or logs on who accessed what data and when, ensuring there is a clear trail of actions.
  • The investigation leader should establish a chain of custody for all evidence. This means documenting when evidence is collected, who it is handed off to, and any changes in its location. By using a simple form or a digital system, everyone involved knows exactly who has handled each piece of evidence.
  • Managers should ensure all staff involved in handling evidence are trained according to legal guidelines. This involves organising regular training sessions that cover proper handling procedures, so they are up to date with the latest legal requirements.
  • HR should include evidence integrity in onboarding for new team members involved in investigations. This can be done by including a module in induction training that explains the importance of proper evidence handling.
  • The legal team should provide guidance on the instructions from relevant law enforcement agencies when evidence is involved. They should compile an easily accessible checklist to assist staff in following these legal guidelines during investigations.

Audit / evidence tips

  • Ask: The investigation log: Request to see the logs that record all actions taken during an investigation. Good: Will show timestamps and details for each step recorded in a secure and uneditable manner.
  • Ask: The chain of custody records: Review the forms or digital records used to track evidence handling.
  • Ask: Them to explain the steps they take and why they are important. Good: Is when staff clearly outline the procedures and understand their purpose.
  • Good: Session will include interactive elements and provide real-world examples.
  • Ask: Documents or checklists from the legal department that provide guidelines on handling evidence. Good: Document will be easily understandable and closely aligned with current legal standards.

Cross-framework mappings

How ISM-0138 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially overlaps (1)
Annex A 5.28 ISM-0138 requires investigators to preserve the integrity of investigation evidence by recording actions, maintaining chain of custody, a...
Supports (3)
Annex A 5.5 ISM-0138 mandates that investigators maintain evidence integrity and follow instructions from law enforcement
Annex A 5.26 ISM-0138 ensures evidence integrity through documented actions and chain of custody in line with law enforcement directions
Annex A 8.15 ISM-0138 mandates evidentiary integrity through documentation of actions and chain of custody

E8

Control Notes Details
Supports (1)
E8-AH-ML2.13 E8-AH-ML2.13 requires protecting event logs from unauthorised modification and deletion, helping ensure logs can be relied on during inci...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
