From Policy to Proof: Mastering ISO 27001 Evidence Collection

In 2022, ISO 27001 introduced new updates to help organizations enhance their management of information security risks. 

One of the most significant additions is Annex A, Section 5.28, which addresses the collection of evidence. It is a control focused on identifying, preserving, and managing evidence related to security incidents and compliance processes.

Read on to understand what Annex A 5.28 requires, why it matters, and how your business can implement reliable, audit-ready evidence management practices. 

We’ll also explore common challenges, related standards, and how you can automate ISO 27001 evidence collection.

TL;DR
  • ISO 27001 Annex A 5.28 requires a straightforward process for collecting and preserving evidence related to security events.
  • Evidence can include system logs, reports, access records, and other documentation that demonstrates your security controls are adequate.
  • Effective evidence management facilitates audits and investigations, while also ensuring compliance with legal and regulatory requirements.

What is ISO 27001 Annex A 5.28 (Collection of Evidence)?

ISO 27001 evidence collection refers to the formal process that organizations must follow, as outlined in Annex A, Section 5.28, to identify, gather, and preserve digital or physical evidence during information security incidents.

The control is part of the broader ISO 27001 standard, an international standard for establishing and maintaining an effective Information Security Management System (ISMS).

Annex A 5.28, titled “Collection of Evidence,” outlines the rules for organizations to handle security incidents. These rules govern the collection and management of both digital and physical evidence that may be required for investigations, internal reviews, or legal proceedings.

The primary goal is to protect the integrity of the investigation and support legal, regulatory, and disciplinary actions following an incident.

Types of Evidence required for ISO 27001

Annex A 5.28 recognizes a wide variety of evidence formats. Here’s a quick overview of what types of compliance evidence your organization should be prepared to collect and preserve.

  • System logs and access records: Logs showing user activity, access attempts, and system events help trace what happened and when.
  • Security incident reports: Formal reports detailing what occurred during a security event, how it was managed, and lessons learned.
  • Audit trails: Records that show the sequence of activities across systems and personnel, practical for investigations and accountability.
  • Control testing or vulnerability scan results: These prove your security controls are in place and functioning effectively.
  • Policy and procedure documentation: Written policies and SOPs demonstrating formal security practices and compliance intent.
  • Communication records: Emails, chat logs, or meeting notes relevant to incident handling and response.
  • Training and certification records: Evidence that employees have undergone security training or hold necessary certifications.
  • Legal authorization documentation: Proof that evidence was collected with proper authority and follows legal protocols.

Why does evidence collection matter?

Evidence collection is crucial because it enables organizations to conduct thorough investigations of security incidents, demonstrate compliance, and support legal proceedings with reliable, well-preserved documentation.

Every organization connected to the cloud faces a growing risk of cyberattacks, data breaches, and internal security incidents daily. 

When such events occur, the ability to gather reliable, well-preserved security evidence is essential for investigating the root cause and taking corrective legal or disciplinary actions.

ISO 27001 Annex A, Section 5.28, emphasizes this by requiring organizations to follow consistent, controlled processes for collecting evidence on IT incidents. This strengthens your organization’s incident response by providing a clear, traceable record of what happened, when, and how.

It also ensures that any evidence gathered will withstand legal scrutiny and regulatory reviews, as it was collected and managed through a standardized procedure.

Without proper evidence collection, you may lose critical security details, compromise investigations, and be unable to demonstrate compliance or pursue legal proceedings. Evidence collection can be a complex and time-consuming process. Sprinto simplifies the process by automating it and keeping your ISO 27001 evidence audit-ready.

Requirements of ISO 27001 Annex A 5.28

Annex A 5.28 outlines specific requirements for how organizations must collect and preserve evidence related to information security events.

This applies to any incident that may impact your organization’s information security, whether intentional, accidental, internal, or external in nature. 

The evidence itself can take many forms, including:

  • System logs and access records
  • Policy documents 
  • Security incident reports 
  • Audit trails 
  • Results of control testing or vulnerability scans 
  • Communication records relevant to incident response 
  • Electronic evidence generated by IT systems or platforms
  • Evidence collected by personnel with appropriate qualifications or certifications
  • Documentation of legal authority to collect digital evidence 

Any evidence collected must be accurate, consistent, and preserved in a way that maintains its integrity. Poorly managed or incomplete evidence can compromise investigations or make it difficult to prove compliance. In addition, evidence collection processes must:

  • Align with the organization’s existing information security policies and procedures
  • Clearly define the types of evidence required for each security control or incident type 
  • Specify roles and responsibilities for staff involved in the collection and preservation of evidence 
  • Ensure evidence can withstand legal scrutiny with a chain of custody and facilitate tamper-proof storage where appropriate
  • Be regularly reviewed and updated to reflect changes in technology, threats, and organizational processes


How to implement evidence collection for ISO 27001?

Implementing evidence collection under ISO 27001 Annex A, Section 5.28, requires a structured process that aligns with your organization’s information security objectives. 

The aim is to ensure that relevant, trustworthy evidence is gathered, preserved, and readily available to support all investigations. 

Important steps to implement effective evidence collection include:

1. Define what counts as evidence

First, determine what information qualifies as valid evidence. This typically includes system logs, incident reports, security monitoring outputs, access records, and other documentation that demonstrates the effectiveness of your security controls. Identifying these sources is important for consistency in the evidence-gathering process. 

2. Establish formal collection procedures

A clear, documented procedure guides how evidence is identified, collected, stored, and preserved. It defines who is responsible for evidence collection, outlines approved tools or methods, and specifies secure storage requirements. 

You’ll ideally need a mix of both automated tools for efficiency and manual tools for handling sensitive evidence where human oversight is essential. 

3. Safeguard evidence integrity 

Your organization must implement technical and administrative controls to prevent unauthorized access, tampering, or loss of evidence. This includes using encryption, limiting who can access evidence, and keeping detailed audit trails at every stage of the process.

4. Review evidence regularly

Collected evidence should not sit idle. Your security team must regularly review and analyze collected evidence to detect vulnerabilities, verify the performance of controls, and identify areas for improvement. 

5. Maintain secure retention and documentation 

A secure, documented retention policy is necessary to meet regulatory and internal requirements. It should spell out how long evidence is stored, how you’ll keep it accessible for audits or legal reviews, and how you’ll track the chain of custody to prove it hasn’t been tampered with.
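As an added example (not Sprinto’s code and not part of the standard), the script below shows one way to implement steps 3 and 5 above in Python: it hashes an evidence file at collection time, records every custody event (collected, transferred, reviewed) in an HMAC-protected hash chain, and later verifies both that the file still matches its original hash and that no custody entry was edited or removed. The custodian key, analyst names, and log lines are constructed placeholders.

```python
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample evidence (not from a real system): a short auth log an
# analyst might preserve after an incident. The second line is the one an
# investigator would care about, and the one a tamperer would want gone.
SUSPICIOUS_LINE = b"2024-05-01T10:05:43Z sshd[812]: Failed password for invalid user admin from 203.0.113.7\n"
SAMPLE_LOG = (
    b"2024-05-01T10:02:11Z sshd[812]: Accepted publickey for alice from 10.0.0.5\n"
    + SUSPICIOUS_LINE
    + b"2024-05-01T10:06:02Z sshd[812]: Disconnected from user alice 10.0.0.5\n"
)

# Hypothetical custodian key. In practice this lives in a secrets manager or HSM
# and is never stored alongside the evidence it protects.
CUSTODIAN_KEY = b"example-custodian-key-not-for-production"


def sha256_file(path):
    """Hash a file in 1 MiB chunks so large evidence images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _entry_mac(entry, key):
    """HMAC-SHA256 over the canonical JSON of one custody entry (excluding its own mac)."""
    body = {k: v for k, v in entry.items() if k != "mac"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def record_event(manifest, path, action, actor, key, when=None):
    """Append a custody event. Each entry carries the previous entry's MAC, so
    editing or deleting an earlier entry breaks the chain at verification time."""
    entries = manifest.setdefault("entries", [])
    entry = {
        "seq": len(entries),
        "action": action,
        "actor": actor,
        "timestamp": when or datetime.now(timezone.utc).isoformat(),
        "file": os.path.basename(path),
        "sha256": sha256_file(path),
        "prev_mac": entries[-1]["mac"] if entries else "",  # "" marks the genesis entry
    }
    entry["mac"] = _entry_mac(entry, key)
    entries.append(entry)
    return entry


def verify_custody(manifest, path, key):
    """Return (ok, reason). Fails on a modified file, a modified or missing
    entry, or a hash that drifted between custody events."""
    entries = manifest.get("entries", [])
    if not entries:
        return False, "empty manifest"
    original_hash = entries[0]["sha256"]
    expected_prev = ""
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev_mac"] != expected_prev:
            return False, f"broken chain at seq {i}"
        if not hmac.compare_digest(e["mac"], _entry_mac(e, key)):
            return False, f"entry {i} was modified"
        if e["sha256"] != original_hash:
            return False, f"file hash changed at seq {i}"
        expected_prev = e["mac"]
    if sha256_file(path) != original_hash:
        return False, "evidence file no longer matches collected hash"
    return True, "ok"


def demo():
    """Build a two-event chain, then show that both a changed file and a
    changed manifest entry are detected. Returns the three verification results."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "auth.log")
        with open(path, "wb") as f:
            f.write(SAMPLE_LOG)
        m = {}
        record_event(m, path, "collected", "analyst-1", CUSTODIAN_KEY, "2024-05-01T11:00:00Z")
        record_event(m, path, "transferred", "legal-counsel", CUSTODIAN_KEY, "2024-05-02T09:00:00Z")
        intact = verify_custody(m, path, CUSTODIAN_KEY)
        # Simulate evidence tampering: the suspicious line is removed from the file.
        with open(path, "wb") as f:
            f.write(SAMPLE_LOG.replace(SUSPICIOUS_LINE, b""))
        tampered = verify_custody(m, path, CUSTODIAN_KEY)
        # Simulate manifest tampering: rewrite who handled the transfer.
        m["entries"][1]["actor"] = "someone-else"
        forged = verify_custody(m, path, CUSTODIAN_KEY)
        return intact, tampered, forged


if __name__ == "__main__":
    for label, result in zip(("intact", "tampered file", "forged entry"), demo()):
        print(f"{label}: {result}")
```

The chain proves that nothing inside it was altered, but it cannot by itself prove that the newest entries were not simply dropped; for that, store the latest MAC somewhere the custodian cannot rewrite (a write-once log or the audit ticket). Encryption of the evidence store and access restriction on the manifest are separate controls from step 3 and are not shown here.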


Who should handle evidence?

According to Annex A 5.28, evidence collection is a sensitive process that requires trained and authorized personnel to protect the integrity of the evidence. In most organizations, evidence should only be handled by individuals who:

  • Hold relevant qualifications or certifications in information security, digital forensics, or incident response
  • Are trained in maintaining the chain of custody and ensuring proper documentation
  • Understand legal, regulatory, and organizational requirements for evidence handling
  • Operate under formally defined roles within the organization’s incident response or information security management system

Evidence collection generally falls under the responsibility of roles like:

  • Information security officers or ISMS leads
  • Digital forensics and incident response (DFIR) teams
  • Internal audit or compliance teams
  • Designated legal or risk management personnel, especially for cases involving legal action

Common evidence collection mistakes and how to avoid them

Many organizations fall short when implementing evidence collection processes. These missteps can be serious; they can jeopardize your compliance processes and undermine security investigations. Here are three common mistakes to watch out for:

1. Lack of a documented process

Without a clear, documented process, your evidence collection efforts can quickly become inconsistent and unreliable. 

If you can’t show how evidence is gathered and preserved, it’s impossible to prove ISO 27001 compliance. A formal, step-by-step process ensures your teams follow consistent, repeatable practices every time. 

2. Using only internal resources

Evidence collection is a highly sensitive process, and relying solely on internal resources can compromise evidence integrity. In complex or high-risk incidents, it’s a good idea to engage qualified professionals with expertise in digital forensics, incident response, and legal evidence handling.

External experts or specialized evidence collection services bring impartiality, technical precision, and a deep understanding of regulatory expectations. Their involvement can ensure evidence is gathered, preserved, and documented correctly, minimizing the risk of errors that could render evidence inadmissible or unreliable. 

While internal resources work well for day-to-day evidence collection, it’s recommended to seek professional support when dealing with legal, disciplinary, or high-stakes incidents. 

3. Not reviewing or improving the process

Setting up an evidence collection process isn’t enough. It must be regularly reviewed and tested. 

Many organizations forget to test or review their process, which leads to gaps over time. Run internal audits, review incidents, and update your process as your systems or risks evolve. It’s the only way to keep your evidence collection reliable over time.

Associated standards and frameworks

Alongside ISO 27001 Annex A 5.28, there are other standards that cover requirements on evidence handling. Some main ones include:

  • ISO/IEC 27002. It offers practical implementation guidance for all ISO 27001 controls, including evidence collection.
  • ISO/IEC 27035. It defines structured processes for incident response, with emphasis on gathering reliable evidence.
  • ISO/IEC 27037. It provides best practices for the identification, collection, and preservation of digital evidence.
  • NIST SP 800-61. It outlines steps for incident detection and response, highlighting the role of evidence in investigations.
  • NIST SP 800-86. It guides the integration of forensic techniques into incident response and evidence handling.
  • ISO 22301. It ensures continuity of critical processes, including secure evidence collection, during disruptions.
  • Privacy regulations (such as GDPR). They require that evidence collection processes respect data protection and legal boundaries.


Challenges in ISO 27001 evidence management

Implementing ISO 27001 evidence management isn’t always straightforward. Many organizations struggle with resistant teams, outdated systems, and unreliable vendors that can derail compliance efforts.

1. Insufficient internal support 

Internal teams are not always fond of evidence collection procedures. Many can view it as an administrative burden rather than a security necessity. 

To deal with this, engage all relevant stakeholders early on, and emphasize the legal and financial risks of failing to comply. 

This can help reiterate the importance of evidence management for the well-being of the entire organization and keep your team on the same page. 

2. Integration challenges with legacy systems

ISO 27001 evidence collection is difficult to implement on outdated or disconnected systems. Legacy platforms lack the visibility or compatibility needed to collect evidence consistently across an environment. 

There are a few strategies you can use to fix this. They include running a gap analysis, identifying where your systems fall short, and slowly building evidence collection into your processes without disrupting daily work. 

3. Managing third-party risks

Third-party vendors are necessary for most businesses, but they can also be a weak link in evidence management. If your vendors have poor security practices or lack proper documentation, your entire compliance program is at risk. 

That’s why it’s important to set clear expectations up front. Make sure your vendors understand your evidence handling requirements. You also want to request their compliance documentation early and have a backup plan in case they fail to meet your standards.

Expedite ISO 27001 evidence collection with Sprinto

Evidence collection is an integral part of any compliance program. Managing evidence collection manually can be overwhelming. From tracking system logs across multiple platforms to ensuring proper chain of custody documentation, there’s a lot to do.

Sprinto delivers automated, AI-intelligent, and audit-ready evidence collection designed to meet ISO 27001 Annex A, Section 5.28, requirements. It eliminates manual effort by automating the entire evidence lifecycle, allowing your organization to stay compliant without the administrative burden.

  • Automated evidence gathering: Sprinto collects real-time system logs, access records, security configurations, and training certificates directly from your tech stack. With Sprinto AI, each piece of evidence is validated for relevance, completeness, and timestamp accuracy, identifying outdated or missing evidence before auditors do.
  • Policy and control mapping: The platform aligns the organization’s cloud infrastructure with ISO 27001 controls, enabling continuous visibility and ensuring control coverage across all assets. Sprinto AI auto-maps controls to criteria, risks, and policies, accelerating setup and ensuring there are no unmapped controls or blind spots.
  • Secure, tamper-proof storage: All collected evidence is preserved in a centralized, access-controlled repository with a built-in chain of custody tracking to maintain integrity and support defensibility. Sprinto AI helps classify, tag, and maintain evidence consistency — ensuring every artifact remains defensible throughout the audit cycle.
  • Auditor-ready dashboards: Sprinto provides real-time monitoring, automated alerts, and a dedicated audit interface, streamlining the external review process and supporting audit readiness at all times.
  • Multi-framework compliance: In addition to ISO 27001, Sprinto supports other frameworks such as SOC 2, allowing organizations to collect evidence once and reuse it across multiple compliance standards.

Discover how Sprinto streamlines ISO 27001 compliance. Book a demo today.

Frequently Asked Questions 

Can you automate evidence collection for ISO 27001?

Yes, evidence collection for ISO 27001 can and should be automated. Manual evidence gathering is time-consuming, error-prone, and difficult to scale. Sprinto automates the entire lifecycle—from real-time log capture and access record management to control test results—directly from your cloud infrastructure, applications, and devices. This not only ensures continuous audit readiness but also preserves evidence integrity through tamper-proof storage and chain-of-custody tracking.

How can I simplify ISO 27001 evidence collection?

Simplifying ISO 27001 evidence collection starts with three key shifts:

  • Standardize what qualifies as evidence across your controls.
  • Automate evidence capture using tools like Sprinto that integrate directly with your tech stack.
  • Centralize everything in an auditor-friendly dashboard that keeps your team audit-ready at all times.

With Sprinto, you eliminate repetitive manual tasks and replace them with system-driven, audit-grade documentation—making evidence collection faster, cleaner, and future-proof.

Does ISO 27001 Require Us to Store Evidence Indefinitely?

No, ISO 27001 does not recommend indefinite retention of evidence. When deciding how long to store evidence for, your organization should consider regulatory requirements and legal obligations. Retention periods can vary depending on the nature of the evidence and applicable laws in your region. 

What’s the Difference Between Evidence Collected for Audits Versus Incident Investigations?

Audit evidence includes policies, records, and system logs, which all prove your organization’s ongoing compliance with security requirements.
In contrast, incident investigation evidence is typically more detailed and time-sensitive. It includes forensic data and tamper-proof records needed for legal or disciplinary action. 

Should a Business Fully Automate Its Evidence Collection?

Yes, automation can be incredibly helpful in evidence collection procedures and is typically recommended. However, human oversight is still important for high-risk security incidents, forensic evidence, or legal cases. 

Are Small Businesses Also Expected to Meet the Same ISO 27001 Standards?

Yes, ISO 27001 applies to businesses of all sizes. The core requirements stay the same, but smaller organizations can scale and adapt their evidence collection processes based on their risk profile and resources.

What Happens if You Fail an ISO Audit?

Failing an ISO 27001 audit means your organization won’t achieve certification or may lose an existing one. Auditors will issue non-conformities, which must be addressed through corrective actions. You’ll need to fix the gaps and undergo follow-up assessments before applying for a re-audit. 

Payal Wadhwa

Payal is your friendly neighborhood compliance whiz who is also ISC2 certified! She turns perplexing compliance lingo into actionable advice about keeping your digital business safe and savvy. When she isn’t saving virtual worlds, she’s penning down poetic musings or lighting up local open mics. Cyber savvy by day, poet by night!
