GRCWatch
Sign inStart free trial

ISO 27001 Control 5.28: Collection of Evidence

Security incidents leave traces. ISO 27001 5.28 requires you to systematically identify, collect, and preserve evidence from information security events—both to support investigations and demonstrate compliance. Without documented procedures, your organization risks losing critical evidence and failing audits.

What this means

Control 5.28 mandates that your organization create and enforce formal procedures for evidence handling throughout the incident lifecycle. This includes identifying what constitutes relevant evidence, establishing secure collection methods, maintaining chain of custody, and preserving data integrity. The goal is to ensure incident investigations are thorough, defensible, and compliant with legal and regulatory requirements.

How to comply

  1. 1.Document procedures for identifying evidence types relevant to your security events (logs, system files, communications, hardware)
  2. 2.Define collection methods that preserve evidence integrity and prevent contamination or alteration
  3. 3.Establish chain-of-custody protocols to track who accessed evidence, when, and for what purpose
  4. 4.Create secure storage requirements for collected evidence (access controls, backup, encryption)
  5. 5.Set retention schedules aligned with legal and regulatory obligations for your industry
  6. 6.Train incident responders on proper evidence handling and collection techniques
  7. 7.Test evidence collection and preservation procedures regularly through drills or simulations
  8. 8.Document all evidence handling activities for audit trails and investigations

Evidence auditors look for

  • Documented evidence collection procedures and associated flowcharts
  • System access logs showing evidence preservation activities
  • Chain-of-custody forms or digital records from recent security incidents
  • Evidence storage environment documentation with security controls
  • Incident investigation reports that reference collected and preserved evidence
  • Training records confirming staff competency in evidence handling
  • Evidence retention policy tied to regulatory requirements
  • Backup and recovery procedures for preserved evidence

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates evidence logging and chain-of-custody tracking for every security event, maintaining an auditable record that directly satisfies ISO 27001 5.28 without manual spreadsheets or gaps.

See how GRCWatch handles this control automatically

Start free trial

Related controls

ISO 27001 5.26 — Information Security Event EvaluationISO 27001 5.27 — Response to Information Security IncidentsISO 27001 5.29 — Improvement of Information Security Incident Handling