ISM-0138 ASD Information Security Manual (ISM)

Ensure Integrity of Evidence in Investigations

Investigators ensure evidence stays intact during investigations by documenting actions and following legal guidelines.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Responsive

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Feb 2023

✏️ Control Stack last updated

19 Mar 2026

🎯 E8 maturity levels

N/A

Official control statement
The integrity of evidence gathered during an investigation is maintained by investigators:

  • recording all of their actions
  • maintaining a proper chain of custody
  • following all instructions provided by relevant law enforcement agencies.

Source: ASD Information Security Manual (ISM)

Plain language

When you're investigating something like a cyber incident, it's crucial that any evidence you gather stays exactly as it was found. If this evidence gets tampered with, even accidentally, it can weaken your case or make it inadmissible if legal action is needed. Think of it as making sure no one moves or messes with anything at a crime scene until the investigation is complete.

Why it matters

Compromised evidence can sabotage investigations, leading to failed legal actions and damaged organisational reputation.

Operational notes

Train investigators on evidence handling, chain of custody and action logging; use tamper-evident storage and follow any law enforcement instructions.

Implementation tips

  • The IT department should be responsible for setting up a system to log every action taken during an investigation. This means maintaining detailed notes or logs on who accessed what data and when, ensuring there is a clear trail of actions.
  • The investigation leader should establish a chain of custody for all evidence. This means documenting when evidence is collected, who it is handed off to, and any changes in its location. By using a simple form or a digital system, everyone involved knows exactly who has handled each piece of evidence.
  • Managers should ensure all staff involved in handling evidence are trained according to legal guidelines. This involves organising regular training sessions that cover proper handling procedures, so they are up to date with the latest legal requirements.
  • HR should include maintaining evidence integrity in onboarding for new team members involved in investigations. This can be done by including a module in induction training that explains the importance of proper evidence handling.
  • The legal team should provide guidance on the instructions from relevant law enforcement agencies when evidence is involved. They should compile an easily accessible checklist to assist staff in following these legal guidelines during investigations.

Audit / evidence tips

  • Ask: for the investigation log. Request to see the logs that record all actions taken during an investigation.

    Good: the log will show timestamps and details for each step, recorded in a secure and uneditable manner.

  • Ask: for the chain of custody records. Review the forms or digital records used to track evidence handling.

  • Ask: staff to explain the steps they take and why they are important.

    Good: staff clearly outline the procedures and understand their purpose.

  • Good: session will include interactive elements and provide real-world examples

  • Ask: for documents or checklists from the legal department that provide guidelines on handling evidence.

    Good: the document will be easily understandable and closely aligned with current legal standards.

Cross-framework mappings

How ISM-0138 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially overlaps (1)

  • Annex A 5.28: ISM-0138 requires investigators to preserve the integrity of investigation evidence by recording actions, maintaining chain of custody, a...

Supports (3)

  • Annex A 5.5: ISM-0138 mandates that investigators maintain evidence integrity and follow instructions from law enforcement
  • Annex A 5.26: ISM-0138 ensures evidence integrity through documented actions and chain of custody in line with law enforcement directions
  • Annex A 8.15: ISM-0138 mandates evidentiary integrity through documentation of actions and chain of custody

E8

Supports (1)

  • E8-AH-ML2.13: E8-AH-ML2.13 requires protecting event logs from unauthorised modification and deletion, helping ensure logs can be relied on during inci...
