
When an incident occurs there may be some obvious actions that need to be taken, but the collection of evidence, and how you go about it, isn’t always obvious. It’s also a process you won’t use every day, at least we hope not! Collecting evidence is one of the steps you may take in understanding what happened and learning from the incident. This is why you should not read this control in isolation.
We recommend that you also review the following controls which are relevant here;
A5.24 - Information security incident management planning and preparation.
A5.25 - Assessment and decision on information security events.
A5.27 - Learning from information security incidents.
A5.29 - Information security during disruption.
A5.30 - ICT Readiness for Business Continuity.
What does the standard require?
The standard states that “The organisation shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.” (A5.28 – Collection of Evidence).
As with other clauses, notice that the control requires four aspects of evidence gathering (identification, collection, acquisition and preservation), and that two of those words, which are often used interchangeably, have quite different meanings.
Collection and acquisition
The collection of evidence refers to the gathering of evidence, while acquisition relates to the manner in which it is obtained.
To illustrate the difference, imagine you work at a library. You might ‘collect’ a series of books from a shelf, as potential evidence, but using specific technical skills and tools you ‘acquire’ the information you need from a specific part of one of the books.
It’s a small and subtle difference; not everyone will notice it and it won’t always be relevant, but that depends on the sector you operate in, so it’s worth being aware of.
Why is this required?
If you are unfortunate enough to fall victim to cybercrime or malicious internal activity, then you may need to present evidence in a court of law or to law enforcement. Without a process for the identification, collection, acquisition and preservation of evidence, you may find that you cannot conclude any legal proceedings successfully.
Collecting and preserving evidence for a court case doesn’t happen every day (thankfully), but it does happen, and as our use of digital devices increases, the likelihood is that at some point you will need to present evidence in court or at an employment tribunal. Having a process that outlines what you need to do will ensure that, if the worst should happen, you have the information you need.
We worked with a client who was being taken to court by a supplier for non-payment of services. The client disputed the supplier's claims that support had been given adequately, so we needed to collect evidence that the supplier hadn't attended the client's sites or accessed their systems for a period of time. By presenting evidence which showed the supplier had undertaken no actions to support the business, along with other evidence, we could help the client win their case.
What the auditor is looking for
The auditor will want to see a documented process for the collection, acquisition and preservation of evidence. Typically, you will include details of;
Who is responsible for collection
Specific rules related to the acquisition of information (e.g. what tools to use)
How to ensure the integrity of evidence collected.
If you have had any incidents that have led to judicial action, the auditor will want to see evidence of how the incident was handled and how the evidence was managed. This might include meeting minutes and logs of actions taken.
What do you need to do?
This is one of those areas of ISO27001 that you will hopefully use infrequently, so while the control doesn’t specifically call for a documented process, we would recommend you document a number of key steps in the evidence gathering process.
Although you may reference this process in your Incident Response or Business Continuity Plans, we recommend you keep it separate. Again, this is because you want to keep your Incident Response and Business Continuity Plans as short as possible.
Your procedure should outline what kind of information is relevant as evidence. For example, the following types of evidence may be identified;
CCTV footage.
Telephone recordings.
System logs.
Audit trails.
Infected files or malware samples.
Screenshots.
Witness statements and interviews.
Of course, which of these is most important will depend on the situation, but your process should define how each of them will be handled.
You should also make it clear what resources and skills will be required to gather this information, such as requiring that only suitably trained individuals are involved in a specific process. For example, you might state that only those who have digital forensics qualifications can carry out any investigation of logical media.
Q & A
Does this need to be documented?
As stated above, this is a process you hopefully will not use on a day-to-day basis, and although a documented process is not a specific requirement, the control does require that you establish procedures for the collection of evidence.
How can we ensure the integrity of information?
In order to maintain the integrity of information you should quarantine the affected system or device and limit access to it. Only those suitably trained in digital forensics should be permitted to access the system.
You should also consider taking screenshots, copies of logs and audit trails, and copies of CCTV or voice recordings, to prevent them being overwritten before the collection process is completed.
Again, we repeat that this should be conducted by a suitably trained and skilled person or team. Digital forensics is a technical and highly skilled discipline. Even the process of copying a log file needs to be carried out in a specific way, so that metadata such as the date the file was created is preserved and the copy can be shown to match the original.
Don’t leave this one to chance. Get advice from an expert.
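To make the "copy a log file in a specific way" point concrete, here is an added example (not the article's own process, and not a substitute for a qualified examiner) of what a forensically careful copy looks like in practice: the original is hashed before copying, the copy is made with its timestamps preserved, the copy is re-hashed and compared, the working copy is made read-only, and a chain-of-custody record (case reference, handler, acquisition time, original metadata, SHA-256) is appended to a manifest. A later verification step re-hashes everything in the manifest so that any overwritten or altered copy is detected. The case identifier, handler name and the single auth log line are constructed sample values.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large evidence files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source, evidence_dir, handler, case_id):
    """Copy one evidence file into evidence_dir, preserving timestamps, and
    append a chain-of-custody record to evidence_dir/manifest.json."""
    source = Path(source)
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)

    st = source.stat()                    # original size and modification time
    original_hash = sha256_of(source)     # hash BEFORE touching the file
    dest = evidence_dir / source.name
    shutil.copy2(source, dest)            # copy2 preserves mtime/atime and mode bits
    if sha256_of(dest) != original_hash:  # prove the copy is bit-for-bit identical
        raise RuntimeError("copy does not match original; acquisition aborted")
    os.chmod(dest, 0o440)                 # working copy is read-only from here on

    record = {
        "case_id": case_id,
        "handler": handler,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "source_path": str(source.resolve()),
        "evidence_path": str(dest.resolve()),
        "size_bytes": st.st_size,
        "source_mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        "sha256": original_hash,
    }
    manifest = evidence_dir / "manifest.json"
    entries = json.loads(manifest.read_text()) if manifest.exists() else []
    entries.append(record)
    manifest.write_text(json.dumps(entries, indent=2))
    return record


def verify(evidence_dir):
    """Re-hash every file in the manifest; return the paths whose hash no longer matches."""
    entries = json.loads((Path(evidence_dir) / "manifest.json").read_text())
    return [e["evidence_path"] for e in entries if sha256_of(e["evidence_path"]) != e["sha256"]]


def demo():
    """Constructed end-to-end run: acquire a sample log, verify it, then simulate
    the copy being overwritten and show that verification catches it."""
    work = Path(tempfile.mkdtemp())
    log = work / "auth.log"
    # Constructed sample line (203.0.113.9 is a documentation address), not real data.
    log.write_text("Mar 01 10:02:17 host sshd[4127]: Failed password for invalid user "
                   "admin from 203.0.113.9 port 51422 ssh2\n")
    ev = work / "evidence"
    record = acquire(log, ev, handler="A. Analyst", case_id="CASE-0001")
    clean = verify(ev)                     # expected: [] (nothing has changed)

    copy = Path(record["evidence_path"])   # simulate an unrelated process overwriting the copy
    os.chmod(copy, 0o640)
    copy.write_text("tampered\n")
    tampered = verify(ev)                  # expected: the one altered path
    return {
        "hash_matches_source": record["sha256"] == sha256_of(log),
        "clean": clean,
        "tampered": tampered,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is the artefact an auditor or a court will ask about: who took the copy, when, from where, and the hash that lets anyone re-verify it later. Keep the manifest itself under the same access restrictions as the evidence, and record every subsequent hand-over in the same way.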
Difficulty rating
We rate this control 3 out of 5 for difficulty. It requires technical skills of a different kind, because you need to understand what kind of information could be collected as evidence. You will need to speak to your IT function, as well as other departments who can explain what could be collected. Your procedures will need to outline how the information will be collected, so some technical knowledge is also required.
More questions?
Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers to other aspects of the standard. Follow the links in this control to see the relationship in other controls, but if you’re still confused about this control, then please get in touch.
For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001” which is available on Amazon.