Annex A 5.28 ISO/IEC 27001:2022

Procedures for Collecting and Preserving Evidence

Set up clear steps to gather and maintain evidence of security incidents securely.

🏛️ Framework

ISO/IEC 27001:2022

🧭 Control effect

Detective

🧱 ISO 27001 domain

Organisational controls

🔐 Classifications

N/A

🗓️ Official last update

24 Oct 2022

✏️ Control Stack last updated

19 Mar 2026

🎯 Maturity levels

N/A

Official control statement
The organization shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.

Source: ISO/IEC 27001:2022

Plain language

This control is about making sure your organisation has clear steps to collect and keep evidence when a security incident happens, such as a data breach. If you don't, you might lose important information that could help resolve the incident or that may be needed as evidence in court.

Why it matters

Without documented evidence handling (chain of custody), incident artefacts may be altered, lost, or rejected in legal or disciplinary action.

Operational notes

Maintain evidence procedures: identify sources, collect and label artefacts, record chain of custody, use write-blocking, and store securely with integrity checks.
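As an added illustration (not Control Stack's own material) of the chain-of-custody and integrity-check steps in the note above: a small Python custody record in which the artefact's SHA-256 at acquisition anchors a hash-chained log of handling events, so that a verify step detects both a modified artefact and a tampered custody entry. The handler names, host and sample log line are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: dict) -> str:
    # Canonical JSON so the same entry always hashes to the same value.
    return sha256_hex(json.dumps(entry, sort_keys=True).encode())


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def acquire(label: str, source: str, data: bytes, handler: str,
            when: Optional[str] = None) -> dict:
    """Open a custody record: artefact hash at acquisition plus the first custody entry."""
    record = {"label": label, "source": source, "sha256": sha256_hex(data), "chain": []}
    return log_event(record, handler, "acquired", when)


def log_event(record: dict, handler: str, action: str,
              when: Optional[str] = None) -> dict:
    """Append a custody entry linked to the previous entry (or the artefact hash) by hash."""
    prev = record["chain"][-1]["entry_hash"] if record["chain"] else record["sha256"]
    entry = {"when": when or _now(), "handler": handler, "action": action, "prev": prev}
    entry["entry_hash"] = _entry_hash(entry)  # hash covers when/handler/action/prev
    record["chain"].append(entry)
    return record


def verify(record: dict, data: bytes) -> tuple:
    """Confirm the artefact still matches its acquisition hash and the chain is unbroken."""
    if sha256_hex(data) != record["sha256"]:
        return False, "artefact content differs from acquisition hash"
    prev = record["sha256"]
    for i, entry in enumerate(record["chain"]):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev"] != prev or _entry_hash(body) != entry["entry_hash"]:
            return False, f"custody entry {i} broken"
        prev = entry["entry_hash"]
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample artefact: one line of an auth log.
    sample = b"2026-03-19T10:00:00Z sshd[1]: Accepted publickey for alice"
    rec = acquire("auth.log", "host-1", sample, "alice")
    log_event(rec, "bob", "transferred to evidence safe")
    print(json.dumps(rec, indent=2), verify(rec, sample))
```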

Implementation tips

  • The IT manager should create detailed procedures for handling evidence from security incidents. This means having a clear plan on how to gather and protect data such as logs and emails, ensuring they can't be tampered with. Use tools certified in line with Australian standards to collect this data reliably.
  • HR should be involved in training selected staff on the proper procedures for collecting and preserving evidence. This involves organising sessions where they learn about identifying important data and legal considerations involved in maintaining its integrity. Include insights from OAIC and the Privacy Act 1988 in the training materials.
  • The legal team should review the evidence handling procedures to ensure compliance with relevant laws. This entails checking that the methods used to gather and store evidence are admissible in court. They should reference ISO standards and Australian legal requirements during the review process.
  • Senior management should ensure that the roles and responsibilities for evidence collection are clearly defined. This involves assigning specific people to manage the data during an incident. Confirm these are documented, like in your documentation for CPS 234 compliance.
  • Procurement should ensure that the tools and systems used for collecting evidence meet the necessary standards. This means selecting software and hardware capable of securely handling data. Consult the ASD Essential Eight to guide choices in secure technological solutions.

Audit / evidence tips

  • Ask: the organisation's procedures for evidence collection and preservation

    Good: comprehensive instructions that cover all aspects from collection to storage, referencing ISO 27002 and relevant Australian laws

  • Ask: a demonstration of the tools used for data collection during incidents

  • Good: up-to-date attendance records and training content aligned with best practices and legal requirements

  • Ask: documentation showing the roles and responsibilities assigned for incident response. Examine the clarity and specificity of those roles regarding evidence handling.

    Good: documentation shows clear understanding and allocation of duties among staff

Cross-framework mappings

How Annex A 5.28 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

E8

Control Notes Details
Partially overlaps (3)
Supports (4)

ASD ISM

Control Notes Details
Partially overlaps (6)
ISM-0043 ISM-0043 requires incident response plans to include steps necessary to ensure the integrity of evidence relating to a cyber security inc...
ISM-0137 Annex A 5.28 requires the organisation to implement procedures for identifying, collecting and preserving evidence from information secur...
ISM-0138 ISM-0138 requires investigators to preserve the integrity of investigation evidence by recording actions, maintaining chain of custody, a...
ISM-0580 ISM-0580 requires an organisation to develop, implement and maintain an event logging policy to ensure events are recorded and monitored
ISM-1609 ISM-1609 requires consulting system owners before allowing an intrusion to continue for evidence collection, while Annex A 5.28 focuses o...
ISM-2051 ISM-2051 requires event logs sufficient for cyber event detection
Supports (22)
ISM-0585 ISM-0585 requires log entries to include attribution and object/asset context (who/what, when, what file, what system, and a description)
ISM-0660 ISM-0660 requires organisations to fully verify data transfer logs for SECRET and TOP SECRET systems at least monthly to ensure integrity...
ISM-0917 ISM-0917 requires specific operational actions to contain and remediate a malicious code infection (isolation, scanning of media, removal...
ISM-0988 ISM-0988 requires an accurate and consistent time source for event logging so timelines derived from logs are defensible
ISM-1019 ISM-1019 focuses on developing a DoS response plan for specific services
ISM-1537 ISM-1537 requires organisations to centrally log security-relevant database events so that database activity can be reconstructed and rev...
ISM-1566 ISM-1566 requires central logging of unprivileged access to create an auditable record of user actions
ISM-1618 ISM-1618 requires that the CISO oversees the organisation’s response to cyber security incidents
ISM-1623 ISM-1623 requires centralised collection of detailed PowerShell activity logs (module, script block and transcription)
ISM-1624 ISM-1624 requires PowerShell script block logs to be protected using Protected Event Logging functionality
ISM-1625 ISM-1625 requires the organisation to run an insider threat mitigation program, which typically includes investigative and response capab...
ISM-1683 ISM-1683 requires successful and unsuccessful MFA events to be centrally logged
ISM-1731 ISM-1731 requires remediation coordination to be performed on a separate system to reduce the risk that an attacker can observe, alter, o...
ISM-1784 ISM-1784 requires annual exercising of the cyber security incident response plan
ISM-1805 ISM-1805 requires a documented DoS response plan including how to identify the source of a DoS attack and what actions to take in respons...
ISM-1819 ISM-1819 requires the organisation to enact its cyber security incident response plan following identification of an incident
ISM-1855 ISM-1855 requires organisations to centrally log MFD activity and retain shadow copies, producing a detailed record of who used MFD funct...
ISM-1964 ISM-1964 requires security-relevant events for non-internet-facing network devices to be centrally logged
ISM-1976 ISM-1976 requires security-relevant events on macOS to be centrally logged, improving availability and consistency of audit trails
ISM-1984 ISM-1984 requires event logs to be encrypted in transit to a centralised logging facility, helping preserve the integrity and confidentia...
ISM-1988 ISM-1988 requires event logs to be retained in a searchable manner for at least 12 months
ISM-2089 ISM-2089 requires organisations to monitor AI model performance metrics and investigate anomalies
