5.28 Collection of Evidence

The organisation should establish and implement procedures for identifying, collecting, acquiring, and preserving evidence related to information security events.

Evidence collection is a crucial section of the Information Security Management System. This control emphasises the importance of having internal procedures in place to:

• Better identify types of attacks;
• Collection or sampling of information security-related specimens both in the hardware and software domains by introducing operational procedures and hiring certified personnel;
• Preservation of evidence for further analysis, research, reverse engineering etc.

The collection of evidence is a vast domain in the cyber security spectrum. More specifically, forensics is the field that encapsulates the evidence process collection. The evidence collection might differ from business to business, depending on the size and nature. Nonetheless, every company must have a collection of evidence procedure in place for worst-case scenarios. The collection of evidence document is a more operational and technical document that requires inputs from information security specialists. Especially specialists from the field of Digital forensics would have better insights on the subject. The evidence collection helps an organisation better understand the nature of an attack, which can later help analyse and introduce countermeasures. Moreover, collected evidence supports the organisation to prove its point for insurance and legal purposes. It should be noted that the procedure follows strict forensic procedures rules to ensure that records are completed and have not been tampered with in any way and copies of evidence must match the original. Finally, the system should function correctly when the evidence is collected.