Collating accurate evidence in a timely manner is a crucial aspect of incident management that informs everything from disciplinary action to legal proceedings and regulatory investigations.
Control 5.28 allows organisations to fulfil their internal and external obligations, by managing evidence throughout the reporting and resolution of information security incidents in a robust and consistent way.
5.28 is a corrective control that maintains risk by creating procedures which identify, collect, store and preserve evidential material, relating to information security events.
Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
---|---|---|---|---|
#Corrective | #Confidentiality #Integrity #Availability | #Detect #Respond | #Information Security Event Management | #Defence |
Control 5.28 deals with the explicit legal and disciplinary consequences of collecting evidence relating to an information security incident.
Whilst ISO 27002 largely deals with internal technical matters pertaining to information security, there are circumstances where procedural adherence is a legal matter, such is the case in Control 5.28.
Organisations should consider delegating ownership of Control 5.28 to an appropriate member of senior management with overall responsibility for HR and/or legal matters.
Control 5.28 explicitly states that evidence collection procedures should be formulated with the express purpose of fulfilling the organisation’s disciplinary and/or legal obligations.
Furthermore, evidence collection should be preoccupied with fulfilling obligations across different regulatory environments and legal jurisdictions, to ensure that incidents are able to be analysed by multiple distinct external bodies to the same degree, across several variables, including:
Organisations need to be able to demonstrate that:
Control 5.28 warns organisations about making any assumption as to the relevancy of any evidence collected towards future legal proceedings.
Organisations are encouraged to address any doubts by seeking legal advice and/or involving law enforcement authorities at the earliest opportunity, in order to avoid accidental or wilful destruction of incident-related evidence.
It helps drive our behaviour in a positive way that works for us
& our culture.
Since migrating we’ve been able to reduce the time spent on administration.
27002:2022-5.28 replaces 27002:2013-16.1.7 (Collection of evidence).
27002:2022-5.28 adheres to the same operational principles as 27002:2013-16.1.7, with four notable additions:
The ISMS.online platform provides a range of powerful tools that simplify the way you can document, implement, maintain and improve your information security management system (ISMS) and achieve compliance with ISO 27002.
The comprehensive package of tools gives you one central place where you can create a bespoke set of policies and procedures that align with your organisation’s specific risks and needs. It also allows for collaboration between colleagues as well as external partners such as suppliers or third party auditors.
Get in touch today to book a demo.
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
5.7 | New | Threat intelligence |
5.23 | New | Information security for use of cloud services |
5.30 | New | ICT readiness for business continuity |
7.4 | New | Physical security monitoring |
8.9 | New | Configuration management |
8.10 | New | Information deletion |
8.11 | New | Data masking |
8.12 | New | Data leakage prevention |
8.16 | New | Monitoring activities |
8.23 | New | Web filtering |
8.28 | New | Secure coding |
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
6.1 | 07.1.1 | Screening |
6.2 | 07.1.2 | Terms and conditions of employment |
6.3 | 07.2.2 | Information security awareness, education and training |
6.4 | 07.2.3 | Disciplinary process |
6.5 | 07.3.1 | Responsibilities after termination or change of employment |
6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
6.7 | 06.2.2 | Remote working |
6.8 | 16.1.2, 16.1.3 | Information security event reporting |
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
7.1 | 11.1.1 | Physical security perimeters |
7.2 | 11.1.2, 11.1.6 | Physical entry |
7.3 | 11.1.3 | Securing offices, rooms and facilities |
7.4 | New | Physical security monitoring |
7.5 | 11.1.4 | Protecting against physical and environmental threats |
7.6 | 11.1.5 | Working in secure areas |
7.7 | 11.2.9 | Clear desk and clear screen |
7.8 | 11.2.1 | Equipment siting and protection |
7.9 | 11.2.6 | Security of assets off-premises |
7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
7.11 | 11.2.2 | Supporting utilities |
7.12 | 11.2.3 | Cabling security |
7.13 | 11.2.4 | Equipment maintenance |
7.14 | 11.2.7 | Secure disposal or re-use of equipment |