Control Definition
The organization must define and operate procedures for identifying, collecting, acquiring, and preserving evidence related to information security events — handling it in a way that protects its integrity and keeps it usable for any disciplinary, regulatory, or legal proceedings that follow.
Control Objective
To ensure evidence from security events is gathered and safeguarded consistently, so it remains intact, attributable, and admissible when disciplinary or legal action depends on it.
What This Really Means
At the moment a security event occurs, nobody knows what it will become. The suspicious login might end as a closed ticket — or as a dismissal hearing, an insurance dispute, a regulator's inquiry, or a criminal prosecution. You find out months later, long after the laptop was reimaged and the logs rotated. A.5.28 exists for exactly that uncertainty: it asks you to handle evidence from the first hour to the standard of the strictest audience that might eventually examine it, because by the time you know the audience, the evidence is either preserved or gone.
The control breaks into four stages, and the vocabulary matters because it structures the procedure. Identification: working out what might hold evidence — endpoints, server and cloud logs, mailboxes and chat exports, SaaS audit trails, badge records and CCTV, the device itself. Collection: physically or logically gathering those items, including the judgment calls — is a running machine captured live or powered down, and is volatile data such as memory taken before it evaporates. Acquisition: producing forensically sound working copies — bit-for-bit images, cryptographic hashes computed at capture and verified afterward, write blockers for physical media, snapshots and audit-log exports for cloud — so all analysis happens on copies and originals stay untouched. Preservation: chain of custody — an unbroken, documented record of who held each item, when, and why — plus tamper-evident, access-controlled storage under a legal hold that overrides routine deletion schedules.
The control also expects you to know when to stop doing this yourself. In-house IT can handle triage and basic capture, but the moment an incident plausibly leads to dismissal, litigation, an insurance claim, law enforcement, or a regulatory proceeding, trained forensic specialists should take over — a well-meaning administrator who logs into the compromised laptop "to take a look" has just modified timestamps and written fresh artifacts over the ones that mattered. The expectation is proportionate: documented procedures and competent handling, with an external DFIR retainer covering the depth you lack; certified tools and practitioners add evidential weight when proceedings get serious.
Admissibility rules are jurisdiction-specific, but the questions courts and regulators ask are nearly universal: is the evidence complete, has it been altered since acquisition, do the copies provably match the originals, and were the systems that produced the records operating normally at the time? Hashes, custody logs, documented methods, and system-operation records are the generic answers. What auditors treat as the heart of A.5.28 is readiness before the fact — a procedure that existed before the incident, an evidence kit staged, authorized handlers named, and custody records from real use — not a forensic essay assembled afterward.
Why It Matters
Evidence has a brutal asymmetry: it is cheap to preserve in the first hour and impossible to recreate afterward. The organizations that need it most — facing a contested dismissal, a regulator asking how far the breach spread, an insurer probing a claim — typically discover at that moment that the laptop was rebuilt the same week, the logs aged out at thirty days, and the timeline now rests on memory and goodwill. Every option that evidence would have supported quietly closes.
Evidence quality also sets investigation quality. The root cause analysis A.5.27 depends on is speculation without preserved artifacts, and scope determination — establishing which records were actually accessed or exfiltrated — is what drives breach notification decisions. Weak evidence forces a miserable choice: over-notify and absorb the cost and alarm, or under-notify and carry the liability of an assurance you cannot prove.
Where evidence handling is improvised, organizations face:
- Disciplinary cases that collapse – mishandled or undocumented evidence lets a genuine violator walk, and can expose the organization to wrongful-dismissal claims in the process
- Lost legal and insurance positions – contaminated artifacts and broken custody weaken litigation, defenses, and recovery of losses under cyber policies
- Unprovable breach scope – without intact logs and images you cannot demonstrate what was not accessed, and worst-case notification becomes the only defensible option
- Root cause guesswork – wiped machines turn the post-incident review into speculation, leaving the real entry path and any remaining persistence undiscovered
- Regulator and court skepticism – evidence you cannot account for reads as a governance failure and undermines every other assertion you make in the proceeding
Regional Compliance Context
In India, the practical anchor is the electronic-evidence certificate regime practitioners still call the Section 65B certificate (introduced through the IT Act amendments and carried forward into the successor evidence statute): courts admit electronic records on the strength of a statutory certificate addressing how the record was produced and the proper operation of the system that produced it. Plan for it at the principle level — know in advance who in your organization can credibly speak to system operation and sign such a certificate, and keep the system-health and configuration records that make the statement honest. CERT-In's 180-day log retention direction effectively sets the minimum evidence pool for India-connected systems — treat it as a floor, since intrusions are routinely discovered later than teams expect. For personal data breaches, preserved evidence is also what lets you demonstrate scope and remedial action to the Data Protection Board under the DPDP Act 2023.
Implementation Guidance
Write the Evidence Procedure Before Any Incident Needs It
Document how your organization identifies, collects, acquires, and preserves evidence, per media type: endpoints, servers, mobile devices, cloud workloads, SaaS data, and physical records or CCTV. Name the roles authorized to handle evidence and the decisions they may take. Embed the procedure in the incident response plan (A.5.24) so it activates automatically — a standalone document nobody remembers mid-incident protects no one.
Stage an Evidence Kit for Physical and Cloud Estates
Prepare the physical kit — write blockers, sanitized storage media, imaging and hashing tools, evidence bags, custody forms — and its cloud equivalent: documented snapshot procedures, audit-log export scripts, and the legal hold features of your productivity and storage suites. Test the kit during tabletop exercises so the first real use is not also the first use.
Train First Responders in Do-No-Harm Handling
Teach front-line IT and SOC staff what not to do: do not log into or browse a suspect machine, do not power-cycle by reflex, do not run cleanup tools before capture. Train the positive reflex instead — isolate through EDR, record what was touched and when, escalate to an authorized handler. A one-page first-responder card (isolate, preserve, call, document) carries more weight at 2 a.m. than the full procedure.
Define When Forensic Specialists Take Over
Set escalation criteria in advance: plausible dismissal, litigation, law enforcement involvement, a regulatory proceeding, an insurance claim, or any major breach triggers specialist engagement at triage. If you lack in-house forensic capability, hold a retainer with a DFIR firm and record its engagement procedure and contacts in the response plan — procurement lead times are incompatible with evidence decay.
Acquire Forensically: Image, Hash, Verify, Copy
Capture volatile data first on live systems where it matters, then produce bit-for-bit images or cloud snapshots of affected assets. Compute cryptographic hashes at acquisition, verify them after transfer, and record tool names, versions, and methods in the acquisition log. All analysis happens on working copies; originals are sealed and stored. This discipline is what lets you prove, months later, that nothing changed.
Run Chain of Custody and Secure Storage
Open a custody record for every item at first capture: description, hash, collector, then every transfer with date, reason, and signatures. Store physical evidence in tamper-evident packaging in a restricted location, and digital evidence in an access-controlled repository with access logging. Appoint a single evidence custodian per incident so accountability never blurs across the response team.
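One way to put the acquisition and custody discipline of the two steps above into working code, as an added example that is not part of this page or of any named forensic tool: a SHA-256 computed at capture, a hash-chained custody record where each entry commits to the one before it, and a verify step run after transfer. The tool string, holder names and the "disk image" bytes are constructed for the walk-through.

```python
import hashlib, json, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):  # 1 MiB chunks, flat RAM
            h.update(block)
    return h.hexdigest()

def _entry_hash(entry, prev_hash):
    # each custody line commits to the previous one: edits or deletions break the chain
    return hashlib.sha256((json.dumps(entry, sort_keys=True) + prev_hash).encode()).hexdigest()

def open_custody(image_path, description, collector, tool):
    # acquisition: hash at capture, record tool + version, open the custody record
    entry = {"action": "acquired", "item": description, "hash": sha256_file(image_path),
             "tool": tool, "holder": collector, "time": datetime.now(timezone.utc).isoformat()}
    return [{"entry": entry, "chain": _entry_hash(entry, "")}]

def transfer(record, to, reason):
    # every hand-over is appended; earlier lines are never rewritten
    entry = {"action": "transfer", "from": record[-1]["entry"]["holder"], "holder": to,
             "reason": reason, "time": datetime.now(timezone.utc).isoformat()}
    record.append({"entry": entry, "chain": _entry_hash(entry, record[-1]["chain"])})

def custody_intact(record):
    prev = ""
    for row in record:
        if _entry_hash(row["entry"], prev) != row["chain"]:
            return False
        prev = row["chain"]
    return True

def image_unchanged(record, image_path):
    # verify after transfer: the working copy still matches the hash taken at capture
    return sha256_file(image_path) == record[0]["entry"]["hash"]

def demo():
    # constructed walk-through on a fake disk image; names and bytes are not real evidence
    with tempfile.TemporaryDirectory() as d:
        img = Path(d) / "laptop-01.dd"
        img.write_bytes(b"\x00" * 4096 + b"constructed image payload")
        rec = open_custody(img, "executive laptop image", "A. Collector", "dd (constructed)")
        transfer(rec, "DFIR retainer", "specialist analysis")
        ok_before = custody_intact(rec) and image_unchanged(rec, img)
        img.write_bytes(img.read_bytes() + b"x")  # someone "takes a look" and writes to the copy
        rec[1]["entry"]["reason"] = "routine"  # a doctored custody line
        return ok_before, image_unchanged(rec, img), custody_intact(rec)
```

Both checks pass right after the hand-over and both fail once the copy is touched or a custody line is edited, which is the property a tribunal will ask you to demonstrate months later.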
Apply Legal Hold and Review After Every Use
When an event may become a case, issue a legal hold that suspends routine deletion and log rotation for relevant data, with a defined owner and release process. After each incident or disciplinary matter, review how evidence handling performed — was the procedure followed, did the evidence survive challenge — and feed gaps into the A.5.27 lessons loop, updating the procedure, kit, and training accordingly.
Audit Evidence
During your ISO 27001 certification audit, auditors will expect to see the following evidence to demonstrate compliance with A.5.28:
Documentation
- Documented evidence handling procedure covering identification, collection, acquisition, and preservation across media types and cloud services
- Chain of custody records from real incidents or exercises showing every transfer of every item with timestamps and signatures
- Acquisition logs recording tools, methods, and cryptographic hashes computed at capture and verified afterward
- DFIR retainer or specialist engagement terms, with the escalation criteria that trigger them
- Legal hold notices and evidence retention records showing preservation overriding routine deletion schedules
Interviews
- Incident manager or CISO on who authorizes forensic acquisition and when specialist escalation is triggered
- Service desk or SOC first responders on what they would do with a suspect laptop — probing whether do-no-harm handling reached the front line
- Legal counsel or HR on how preserved evidence supports disciplinary and legal processes, and how admissibility requirements are met
Observations
- The evidence kit and secured storage location inspected, including access control over stored items
- A sampled evidence item traced through its custody log from first capture to current location
- The acquisition workflow demonstrated — imaging with hash verification, or a cloud snapshot and audit-log export
Practitioner Insights

My standard probe for this control is a scenario, not a document: an executive laptop is compromised and the matter may end in a dismissal or a courtroom — who touches the machine first, and what exactly do they do? If the honest answer is that the nearest administrator logs in and starts looking around, the organization has no A.5.28, whatever the procedure says, because that first curious login rewrote timestamps a tribunal will later ask about. The fix costs almost nothing: name the people authorized to handle evidence, put custody forms and a hashing tool in their hands, and make isolate-do-not-explore the front-line rule. Courts and certification auditors reward the same thing — a boring, documented, repeatable process.

Small organizations hear forensics and picture a lab they cannot afford, so they skip the control entirely. What A.5.28 actually needs at SMB scale is a one-page procedure, a custody form, hash discipline, and a named external firm or retainer for the cases that matter. The mistake I see most often is evidence aging out before anyone knows it is evidence — the intrusion is discovered in week five and the logs rotated at thirty days. Set log retention against realistic discovery timelines rather than storage budgets, and when an event is declared, snapshot and export immediately. Storage is cheap; a deleted log cannot be recreated at any price.
Common Challenges & Solutions
Challenge
The first-responder instinct is to log into the compromised machine and investigate, altering timestamps and overwriting the artifacts that mattered.
Solution
Train front-line IT in do-no-harm handling: isolate through EDR rather than logging in or powering off, record what was touched and when, and escalate to authorized handlers. A laminated first-responder card — isolate, preserve, call, document — outperforms a procedure nobody opens mid-incident. Reinforce the reflex in tabletop exercises until it is automatic.
Challenge
The logs that would have proven the breach timeline were rotated out weeks before anyone discovered the incident.
Solution
Centralize logs (A.8.15) and set retention against realistic discovery timelines — intrusions are routinely found months after they begin. Put the highest-value sources (authentication, administrative actions, data access) on the longest retention, use immutable or write-once storage where available, and trigger an immediate export plus legal hold the moment an event looks like becoming a case.
Challenge
Cloud and SaaS incidents offer no disk to image, and the evidence sits inside a provider's infrastructure.
Solution
Build cloud acquisition into the procedure: snapshot affected instances and volumes before terminating them, export audit logs and admin-activity trails, and use the legal hold features built into major productivity and storage platforms. Know the shared-responsibility line in advance, and capture fast in ephemeral environments — an auto-scaling group recycles your evidence on its schedule, not yours.
Challenge
Evidence changes hands informally, and by the time it matters nobody can account for who held the disk image during the missing week.
Solution
Open a custody record at first capture — item, hash, collector — and log every subsequent transfer with date, reason, and signatures. Store physical items in tamper-evident packaging in a restricted location and digital images in an access-controlled, logged repository. A single named evidence custodian per incident keeps accountability from diffusing across the response team.
Challenge
Forensic specialists are engaged only after internal cleanup has contaminated everything and the regulatory clock is nearly spent.
Solution
Agree the escalation criteria in advance: plausible dismissal, litigation, law enforcement, insurer involvement, or a reportable personal data breach each trigger specialist engagement at triage, not after the internal investigation stalls. A retainer buys guaranteed response times and removes procurement delay. The cost asymmetry is decisive — hours of specialist time at the start versus an unusable case at the end.