ISO 27001:2022 Annex A 5.28 Checklist Guide •

ISO 27001:2022 Annex A 5.28 Checklist Guide

See how ISMS.online can help your business

See it in action
By Max Edwards | Updated 15 August 2024

Using a checklist for A.5.28 Collection of Evidence ensures systematic and consistent evidence handling, enhancing the integrity and legal admissibility of collected data. Achieving compliance strengthens the organisation's incident response capabilities, safeguards against legal risks, and supports regulatory adherence.

Jump to topic

ISO 27001 A.5.28 Collection of Evidence Checklist

A.5.28 Collection of Evidence is a crucial control in ISO 27001:2022, focusing on the rigorous procedures and practices necessary for collecting and preserving evidence related to information security incidents. Implementing this control effectively ensures that evidence is handled properly to support subsequent investigations and legal proceedings.

Below is a detailed explanation of this control, enhanced with relevant ISMS.online features for demonstrating compliance, including common challenges a Chief Information Security Compliance Officer (CISCO) may face at each step, a comprehensive compliance checklist, and solutions for each challenge. ISO 27001:2022 clauses and requirements are associated with each section to provide a comprehensive overview.

Scope of Annex A.5.28

The importance of proper evidence collection cannot be overstated in the realm of information security. Evidence serves as the backbone of any investigation, providing the necessary details to understand, mitigate, and prevent future incidents. The ISO 27001:2022 standard underscores this importance through control A.5.28, which mandates a structured approach to evidence collection.

This control ensures that organisations can effectively respond to security incidents, maintain legal and regulatory compliance, and uphold the integrity of their information security management system (ISMS).


Get an 81% headstart

We've done the hard work for you, giving you an 81% Headstart from the moment you log on.
All you have to do is fill in the blanks.

Book a demo

Why Should You Comply With Annex A.5.28? Key Aspects and Common Challenges

1. Evidence Gathering Procedures

Documentation: Clearly defined procedures for collecting evidence, ensuring it is done systematically and consistently.

    Challenge: Inconsistent documentation practices can lead to incomplete or unreliable evidence.

  • Solution with ISMS.online: Utilise policy templates and version control features to ensure standardised and up-to-date documentation practices.
  • Associated ISO Clauses: 7.5.1

Compliance Checklist:

Develop and document evidence collection procedures.

Review and update documentation regularly.

Use ISMS.online templates for consistency.

Chain of Custody: Maintaining a documented trail that records the custody, control, transfer, analysis, and disposition of evidence.

    Challenge: Maintaining a reliable chain of custody can be complex, especially in large organisations.

  • Solution with ISMS.online: Use the Incident Tracker and Workflow features to log all incidents and manage the chain of custody efficiently.
  • Associated ISO Clauses: 8.2, 8.3

Compliance Checklist:

Log all evidence in the Incident Tracker.

Document all transfers and custody changes.

Review chain of custody records for completeness.

2. Legal and Regulatory Compliance

Adherence to Laws: Ensure evidence collection complies with relevant laws and regulations, including data protection and privacy laws.

    Challenge: Keeping up with changing legal and regulatory requirements.

  • Solution with ISMS.online: Utilise the Regs Database and Alert System to stay updated on relevant laws and regulations.
  • Associated ISO Clauses: 6.1.3, 9.1.2

Compliance Checklist:

Regularly review relevant laws and regulations.

Update procedures to reflect changes in laws.

Use the Alert System to notify staff of updates.

Admissibility: Collect evidence in a manner that makes it admissible in legal proceedings.

    Challenge: Ensuring that evidence collection methods meet legal standards.

  • Solution with ISMS.online: Provide training through Training Modules and track compliance to ensure adherence to legal standards.
  • Associated ISO Clauses: 7.2, 7.3

Compliance Checklist:

Train staff on legal standards for evidence collection.

Conduct regular assessments to verify compliance.

Use ISMS.online to track and document training completion.

3. Technical Measures

Secure Storage: Use of secure methods to store collected evidence to prevent tampering, loss, or unauthorised access.

    Challenge: Ensuring secure storage across different types of evidence and systems.

  • Solution with ISMS.online: Implement secure storage protocols and monitor access through Access Management features.
  • Associated ISO Clauses: 9.2.1, 9.3

Compliance Checklist:

Implement secure storage solutions.

Monitor access to evidence storage.

Conduct regular audits of storage security.

Forensic Tools: Utilisation of approved forensic tools and techniques to collect and analyse evidence.

    Challenge: Ensuring the use of reliable and up-to-date forensic tools.

  • Solution with ISMS.online: Document and approve forensic tools using Policy Management and ensure regular updates and reviews.
  • Associated ISO Clauses: 8.1, 8.2

Compliance Checklist:

Approve and document forensic tools.

Regularly review and update forensic tools.

Train staff on the use of approved tools.

4. Training and Awareness

Staff Training: Training personnel involved in evidence collection on the proper methods and legal implications.

    Challenge: Ensuring all relevant staff receive and complete necessary training.

  • Solution with ISMS.online: Use Training Modules and Training Tracking to ensure comprehensive training and monitor completion.
  • Associated ISO Clauses: 7.2, 7.3

Compliance Checklist:

Develop and deliver training programmes.

Track training completion and compliance.

Conduct refresher courses regularly.

Awareness Programmes: Ensuring that staff are aware of the importance of proper evidence collection and the procedures to follow.

    Challenge: Maintaining ongoing awareness and engagement.

  • Solution with ISMS.online: Implement Awareness Programmes and regular assessments to keep staff informed and engaged.
  • Associated ISO Clauses: 7.3, 7.4

Compliance Checklist:

Implement awareness programmes.

Conduct regular assessments of staff awareness.

Use feedback to improve awareness initiatives.

5. Incident Response Integration

Coordination: Integrating evidence collection procedures into the overall incident response plan.

    Challenge: Ensuring seamless integration of evidence collection with incident response efforts.

  • Solution with ISMS.online: Use the Incident Management features to coordinate and track evidence collection as part of the incident response.
  • Associated ISO Clauses: 8.2, 8.3

Compliance Checklist:

Integrate evidence collection into incident response plans.

Train incident response teams on evidence procedures.

Regularly test and review incident response and evidence collection integration.

Immediate Action: Promptly collecting evidence to ensure it is not lost, degraded, or altered.

    Challenge: Delays in evidence collection can compromise its integrity.

  • Solution with ISMS.online: Implement Workflow and Notifications to ensure immediate action and timely evidence collection.
  • Associated ISO Clauses: 8.1, 8.2

Compliance Checklist:

Set up workflows for immediate evidence collection.

Use notifications to alert relevant personnel.

Review response times and adjust workflows as needed.


Compliance doesn't have to be complicated.

We've done the hard work for you, giving you an 81% Headstart from the moment you log on.
All you have to do is fill in the blanks.

Book a demo

ISMS.online Features for Demonstrating Compliance with A.5.28

  • Incident Management:

    • Incident Tracker: Logs all incidents and the evidence collected, maintaining a clear chain of custody.
    • Workflow and Notifications: Guides the incident response process, ensuring evidence collection is timely and follows documented procedures.
    • Reporting: Generates reports that can be used to demonstrate compliance with evidence collection standards.
  • Policy Management:

    • Policy Templates: Provides templates for creating and updating policies related to evidence collection and chain of custody.
    • Version Control: Ensures all policies are up-to-date and changes are documented, maintaining compliance with ISO 27001:2022 requirements.
    • Document Access: Controls access to policies and procedures, ensuring only authorised personnel can make changes.
  • Audit Management:

    • Audit Templates: Standardised templates for auditing evidence collection processes.
    • Audit Plan: Comprehensive planning tools to schedule and conduct audits, ensuring continuous improvement and adherence to best practices.
    • Corrective Actions: Tracks and manages corrective actions resulting from audits, ensuring ongoing compliance.
  • Training and Awareness:

    • Training Modules: Provides comprehensive training programmes for staff on evidence collection procedures and legal requirements.
    • Training Tracking: Monitors completion of training programmes, ensuring all relevant personnel are trained and aware of their responsibilities.
    • Assessment: Conducts assessments to verify understanding and competency in evidence collection.
  • Compliance:

    • Regs Database: Maintains a database of relevant laws and regulations, ensuring evidence collection complies with legal requirements.
    • Alert System: Notifies relevant personnel of changes in regulations or policies affecting evidence collection.
    • Reporting: Generates compliance reports to demonstrate adherence to legal and regulatory requirements.

Detailed Annex A.5.28 Compliance Checklist

1. Evidence Gathering Procedures

Develop and document evidence collection procedures.

Review and update documentation regularly.

Use ISMS.online templates for consistency.

Log all evidence in the Incident Tracker.

Document all transfers and custody changes.

Review chain of custody records for completeness.

2. Legal and Regulatory Compliance

Regularly review relevant laws and regulations.

Update procedures to reflect changes in laws.

Use the Alert System to notify staff of updates.

Train staff on legal standards for evidence collection.

Conduct regular assessments to verify compliance.

Use ISMS.online to track and document training completion.

3. Technical Measures

Implement secure storage solutions.

Monitor access to evidence storage.

Conduct regular audits of storage security.

Approve and document forensic tools.

Regularly review and update forensic tools.

Train staff on the use of approved tools.

4. Training and Awareness

Develop and deliver training programmes.

Track training completion and compliance.

Conduct refresher courses regularly.

Implement awareness programmes.

Conduct regular assessments of staff awareness.

Use feedback to improve awareness initiatives.

5. Incident Response Integration

Integrate evidence collection into incident response plans.

Train incident response teams on evidence procedures.

Regularly test and review incident response and evidence collection integration.

Set up workflows for immediate evidence collection.

Use notifications to alert relevant personnel.

Review response times and adjust workflows as needed.


Manage all your compliance in one place

ISMS.online supports over 100 standards
and regulations, giving you a single
platform for all your compliance needs.

Book a demo

Every Annex A Control Checklist Table

ISO 27001 Annex A.5 Control Checklist Table

ISO 27001 Control NumberISO 27001 Control Checklist
Annex A.5.1Policies for Information Security Checklist
Annex A.5.2Information Security Roles and Responsibilities Checklist
Annex A.5.3Segregation of Duties Checklist
Annex A.5.4Management Responsibilities Checklist
Annex A.5.5Contact With Authorities Checklist
Annex A.5.6Contact With Special Interest Groups Checklist
Annex A.5.7Threat Intelligence Checklist
Annex A.5.8Information Security in Project Management Checklist
Annex A.5.9Inventory of Information and Other Associated Assets Checklist
Annex A.5.10Acceptable Use of Information and Other Associated Assets Checklist
Annex A.5.11Return of Assets Checklist
Annex A.5.12Classification of Information Checklist
Annex A.5.13Labelling of Information Checklist
Annex A.5.14Information Transfer Checklist
Annex A.5.15Access Control Checklist
Annex A.5.16Identity Management Checklist
Annex A.5.17Authentication Information Checklist
Annex A.5.18Access Rights Checklist
Annex A.5.19Information Security in Supplier Relationships Checklist
Annex A.5.20Addressing Information Security Within Supplier Agreements Checklist
Annex A.5.21Managing Information Security in the ICT Supply Chain Checklist
Annex A.5.22Monitoring, Review and Change Management of Supplier Services Checklist
Annex A.5.23Information Security for Use of Cloud Services Checklist
Annex A.5.24Information Security Incident Management Planning and Preparation Checklist
Annex A.5.25Assessment and Decision on Information Security Events Checklist
Annex A.5.26Response to Information Security Incidents Checklist
Annex A.5.27Learning From Information Security Incidents Checklist
Annex A.5.28Collection of Evidence Checklist
Annex A.5.29Information Security During Disruption Checklist
Annex A.5.30ICT Readiness for Business Continuity Checklist
Annex A.5.31Legal, Statutory, Regulatory and Contractual Requirements Checklist
Annex A.5.32Intellectual Property Rights Checklist
Annex A.5.33Protection of Records Checklist
Annex A.5.34Privacy and Protection of PII Checklist
Annex A.5.35Independent Review of Information Security Checklist
Annex A.5.36Compliance With Policies, Rules, and Standards for Information Security Checklist
Annex A.5.37Documented Operating Procedures Checklist


ISO 27001 Annex A.6 Control Checklist Table

ISO 27001 Control NumberISO 27001 Control Checklist
Annex A.6.1Screening Checklist
Annex A.6.2Terms and Conditions of Employment Checklist
Annex A.6.3Information Security Awareness, Education and Training Checklist
Annex A.6.4Disciplinary Process Checklist
Annex A.6.5Responsibilities After Termination or Change of Employment Checklist
Annex A.6.6Confidentiality or Non-Disclosure Agreements Checklist
Annex A.6.7Remote Working Checklist
Annex A.6.8Information Security Event Reporting Checklist


ISO 27001 Annex A.7 Control Checklist Table

ISO 27001 Control NumberISO 27001 Control Checklist
Annex A.7.1Physical Security Perimeters Checklist
Annex A.7.2Physical Entry Checklist
Annex A.7.3Securing Offices, Rooms, and Facilities Checklist
Annex A.7.4Physical Security Monitoring Checklist
Annex A.7.5Protecting Against Physical and Environmental Threats Checklist
Annex A.7.6Working in Secure Areas Checklist
Annex A.7.7Clear Desk and Clear Screen Checklist
Annex A.7.8Equipment Siting and Protection Checklist
Annex A.7.9Security of Assets Off-Premises Checklist
Annex A.7.10Storage Media Checklist
Annex A.7.11Supporting Utilities Checklist
Annex A.7.12Cabling Security Checklist
Annex A.7.13Equipment Maintenance Checklist
Annex A.7.14Secure Disposal or Re-Use of Equipment Checklist


ISO 27001 Annex A.8 Control Checklist Table

ISO 27001 Control NumberISO 27001 Control Checklist
Annex A.8.1User Endpoint Devices Checklist
Annex A.8.2Privileged Access Rights Checklist
Annex A.8.3Information Access Restriction Checklist
Annex A.8.4Access to Source Code Checklist
Annex A.8.5Secure Authentication Checklist
Annex A.8.6Capacity Management Checklist
Annex A.8.7Protection Against Malware Checklist
Annex A.8.8Management of Technical Vulnerabilities Checklist
Annex A.8.9Configuration Management Checklist
Annex A.8.10Information Deletion Checklist
Annex A.8.11Data Masking Checklist
Annex A.8.12Data Leakage Prevention Checklist
Annex A.8.13Information Backup Checklist
Annex A.8.14Redundancy of Information Processing Facilities Checklist
Annex A.8.15Logging Checklist
Annex A.8.16Monitoring Activities Checklist
Annex A.8.17Clock Synchronisation Checklist
Annex A.8.18Use of Privileged Utility Programs Checklist
Annex A.8.19Installation of Software on Operational Systems Checklist
Annex A.8.20Networks Security Checklist
Annex A.8.21Security of Network Services Checklist
Annex A.8.22Segregation of Networks Checklist
Annex A.8.23Web Filtering Checklist
Annex A.8.24Use of Cryptography Checklist
Annex A.8.25Secure Development Life Cycle Checklist
Annex A.8.26Application Security Requirements Checklist
Annex A.8.27Secure System Architecture and Engineering Principles Checklist
Annex A.8.28Secure Coding Checklist
Annex A.8.29Security Testing in Development and Acceptance Checklist
Annex A.8.30Outsourced Development Checklist
Annex A.8.31Separation of Development, Test and Production Environments Checklist
Annex A.8.32Change Management Checklist
Annex A.8.33Test Information Checklist
Annex A.8.34Protection of Information Systems During Audit Testing Checklist


How ISMS.online Help With A.5.28

Are you ready to elevate your information security management to the next level? Ensuring compliance with ISO 27001:2022, particularly with critical controls like A.5.28 Collection of Evidence, has never been more seamless and efficient. With ISMS.online, you have a robust platform that integrates all the tools you need to manage evidence collection, streamline processes, and maintain compliance effortlessly.

Why Choose ISMS.online?

  • Comprehensive Incident Management
  • Advanced Policy and Audit Management
  • Extensive Training and Awareness Programmes
  • Real-time Compliance Tracking
  • Secure and Reliable Evidence Collection

Take the first step towards transforming your information security framework. Contact ISMS.online today to schedule your personalised demo. Experience firsthand how our platform can simplify compliance, enhance security, and drive continuous improvement within your organisation.

complete compliance solution

Want to explore?
Start your free trial.

Sign up for your free trial today and get hands on with all the compliance features that ISMS.online has to offer

Find out more

Explore ISMS.online's platform with a self-guided tour - Start Now