ISO27001 Annex A control A5.28 states: "The organisation shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events".
This can be referenced within your Incident Response Plans, but we feel that there is a lot more to this control and it sits best in its own document.
The document we provide deals directly with how you collect and preserve security events. Note that the term is 'information security events', and 'events' aren't the same as incidents.
This document
All our documents are designed with simplicity in mind. But in their simplicity they meet both the standards and your needs.
Use these as a springboard towards continual improvement and see your security management system develop and thrive.
Incident Management Procedure
Hey, we're not going to go all 'legal' on you here... that's not our style. But this is our Intellectual Property, and we'd prefer it if you didn't go sharing this with other people who haven't spent the money and bought a copy.
Of course, we can't really stop you... But are you that kind of person? We don't think you are. So if you want to tell people about your newfound superpower of ISO27001-Awesomeness, great... just don't give it away for free!