A.5.28 "Collection of Evidence" would include:
- Evidence Collection Procedures: Documentation outlining the procedures and guidelines for collecting evidence related to information security incidents or events.
- Chain of Custody: Documentation demonstrating the establishment and maintenance of a chain of custody for collected evidence, ensuring its integrity and authenticity.
- Documentation of Collection Process: Records detailing how evidence is collected, preserved, and transported to ensure its reliability and admissibility.
- Tools and Techniques: Documentation of the tools, software, and techniques used to collect digital and physical evidence, ensuring their appropriateness and effectiveness.
- Forensic Imaging: Proof of the use of forensic imaging techniques to create exact copies of digital evidence so that analysis never alters or damages the original data.
- Data Integrity Checks: Records of measures taken to ensure the integrity of collected data during the collection process, such as checksums and hash values.
- Timestamping: Documentation of the use of accurate and synchronized time sources to establish the timing of events during evidence collection.
- Documentation of Chain of Custody: Detailed documentation of the custody of evidence, including who collected it, where it was stored, and who had access to it.
- Witnesses and Signatures: Records of witnesses and their signatures attesting to the collection, preservation, and transfer of evidence.
- Digital Signatures: Evidence of the use of digital signatures or cryptographic techniques to ensure the authenticity and integrity of digital evidence.
- Documentation of Physical Evidence Handling: Documentation of procedures for handling physical evidence, including proper packaging, labeling, and protection from tampering.
- Data Privacy and Legal Requirements: Proof of compliance with data privacy laws, regulations, and legal requirements when collecting evidence, especially when personal data is involved.
- Documentation of Collection Locations: Records indicating where evidence was collected from, including physical locations, systems, devices, and network segments.
- Documentation of Personnel Involved: Details of personnel involved in evidence collection, including their roles, responsibilities, and qualifications.
- Documentation of Permissions: Records of permissions obtained or authorizations granted before collecting evidence, especially in cases involving personal data or private systems.
- Adherence to Incident Response Plan: Documentation showing that evidence collection steps are part of the organization's incident response plan.
- Cross-Referencing Evidence: Records of cross-referencing collected evidence with incident reports, logs, and other relevant documentation.
- Documentation of Preservation Methods: Proof of how collected evidence is preserved to ensure it remains unchanged and admissible for analysis and potential legal proceedings.
- Documentation of Preservation Duration: Records specifying how long evidence needs to be preserved, considering regulatory, legal, and business requirements.
- Documentation of Handover: Records demonstrating the proper handover of evidence to relevant parties, such as law enforcement or legal authorities, when necessary.
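As an added example that is not part of the original text, the following Python script shows how several of the items above fit together in practice: a hash value recorded at collection for later integrity checks, synchronized UTC timestamps, a who/what/where/when chain-of-custody record, and a keyed signature (HMAC) over each record so that alterations to the log itself are detectable. The evidence bytes, evidence identifier, personnel names and signing key are constructed placeholders.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed sample "evidence", standing in for a forensic disk image.
SAMPLE_IMAGE = b"constructed disk image bytes for demonstration\x00\x01\x02"
# Hypothetical signing key held by the evidence custodian, not the investigator.
LOG_KEY = b"custody-log-signing-key-example"

def sha256_hex(data: bytes) -> str:
    """Hash value recorded at collection and re-checked at every later step."""
    return hashlib.sha256(data).hexdigest()

def _mac(entry: dict) -> str:
    """HMAC over the canonical JSON of the record, excluding the MAC field itself."""
    unsigned = {k: v for k, v in entry.items() if k != "hmac_sha256"}
    payload = json.dumps(unsigned, sort_keys=True).encode()
    return hmac.new(LOG_KEY, payload, hashlib.sha256).hexdigest()

def custody_entry(evidence_id, data, action, custodian, location, when=None) -> dict:
    """One chain-of-custody record: who, what, where, when, and the item's hash."""
    when = when or datetime.now(timezone.utc)  # a synchronized UTC clock is assumed
    entry = {"evidence_id": evidence_id, "action": action, "custodian": custodian,
             "location": location, "timestamp_utc": when.isoformat(),
             "sha256": sha256_hex(data)}
    entry["hmac_sha256"] = _mac(entry)
    return entry

def verify_chain(entries: list, data: bytes) -> list:
    """Return the problems found; an empty list means the chain and the item hold."""
    problems, current, last_ts = [], sha256_hex(data), None
    for i, e in enumerate(entries):
        if not hmac.compare_digest(_mac(e), e.get("hmac_sha256", "")):
            problems.append(f"entry {i}: signature mismatch, record was altered")
        if not hmac.compare_digest(e["sha256"], current):
            problems.append(f"entry {i}: hash differs from the item presented")
        if last_ts is not None and e["timestamp_utc"] < last_ts:
            problems.append(f"entry {i}: timestamp earlier than previous entry")
        last_ts = e["timestamp_utc"]
    return problems

def build_sample_chain() -> list:
    """Constructed two-step chain: acquisition, then transfer to the evidence safe."""
    t0 = datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc)
    return [custody_entry("EV-001", SAMPLE_IMAGE, "acquired", "analyst A", "lab bench 1", t0),
            custody_entry("EV-001", SAMPLE_IMAGE, "transferred", "custodian B",
                          "evidence safe", t0 + timedelta(hours=1))]
```

An auditor reviewing such a log can re-run the verification against the preserved image and see whether the item, the records, or their ordering has changed since collection.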
Collecting and preserving evidence accurately and according to established procedures is crucial for maintaining the integrity and credibility of investigations, audits, and legal proceedings. By reviewing these pieces of evidence, an auditor can assess whether the organization has established effective evidence collection processes that adhere to best practices and legal requirements.