INC-007 Evidence Collection and Preservation
Description
Procedures are in place to identify, collect, and preserve digital evidence related to security incidents. Evidence is collected in a manner that maintains chain of custody and supports potential legal proceedings. Evidence is stored securely and retained for a period consistent with regulatory and legal requirements.
Rationale
Evidence collected without chain of custody may be inadmissible in legal proceedings and insufficient for regulatory investigations. Establishing procedures before an incident ensures disciplined collection under pressure.
Framework Mappings (4)
| Reference | Control | Mapping |
| --- | --- | --- |
| SEF-09 | Incident Records Management | full |
| GDPR-Art.33.5 | Internal Breach Documentation | full |
| 5.28 | Collection of evidence | full |
| IR-4 | Incident Handling | partial |
Evidence (2)
Evidence collection and preservation procedure defining how digital evidence is identified, collected, and stored with chain of custody to support legal proceedings.
Example: Digital Evidence Collection Procedure or IRP forensics annex (version-controlled, reviewed within the last 12 months) specifying collection tools, chain of custody form, storage location, access controls, and retention period.
Test: Request the evidence collection procedure. Verify: (1) a chain of custody process is defined with a named custodian role; (2) approved collection tools and methods are specified; (3) evidence storage requirements (integrity, access restriction, retention) are documented; (4) the procedure covers both cloud and endpoint evidence collection; (5) the document has been reviewed within the last 12 months.
Completed chain of custody records for evidence collected during past incidents, demonstrating the procedure was followed in practice.
Example: Chain of custody form or evidence register entry for the most recent incident requiring evidence collection, showing item description, collection date, collector identity, storage location, and access log.
Test: Request chain of custody records for the last two incidents where evidence was collected. Verify: (1) a chain of custody form or register entry exists for each evidence item; (2) records include collection date, collector identity, and storage location; (3) evidence is stored in a restricted location with an access log; (4) evidence retention period is within regulatory and legal requirements.
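The two evidence tests above ask for a register entry per item (description, collection date, collector, storage location, access log) and for documented integrity and retention handling. The following is an added illustration, not part of this control document or of any assessed organisation's tooling, of what such a register looks like when kept as data rather than as a paper form: each item carries a SHA-256 digest taken at collection, every handling event (collection, transfer, access, verification) is appended to that item's chain of custody, verification is logged whether or not the digest matches, and the retention end date is derived from the collection date. The class and function names, the item identifier, the storage paths, the actor names and the two auth-log lines are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class CustodyEvent:
    timestamp: datetime
    actor: str
    action: str          # collected / transferred / accessed / verified
    location: str
    note: str = ""


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    source_type: str     # "endpoint" or "cloud"; the procedure must cover both
    sha256: str          # digest taken at collection; the integrity baseline
    collected_at: datetime
    collector: str
    storage_location: str
    retain_until: datetime
    custody: list = field(default_factory=list)   # append-only chain of custody


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class EvidenceRegister:
    def __init__(self) -> None:
        self.items: dict[str, EvidenceItem] = {}

    def collect(self, item_id, description, source_type, data, collector,
                storage_location, retention_days, when):
        digest = sha256_hex(data)
        item = EvidenceItem(item_id, description, source_type, digest, when, collector,
                            storage_location, when + timedelta(days=retention_days))
        item.custody.append(CustodyEvent(when, collector, "collected",
                                         storage_location, f"sha256={digest}"))
        self.items[item_id] = item
        return item

    def transfer(self, item_id, from_actor, to_actor, new_location, when):
        item = self.items[item_id]
        item.custody.append(CustodyEvent(when, from_actor, "transferred",
                                         new_location, f"handed to {to_actor}"))
        item.storage_location = new_location
        return item

    def access(self, item_id, actor, purpose, when):
        item = self.items[item_id]
        item.custody.append(CustodyEvent(when, actor, "accessed", item.storage_location, purpose))
        return item

    def verify(self, item_id, data, actor, when) -> bool:
        # Recompute the digest and log the outcome either way, so a mismatch is on record.
        item = self.items[item_id]
        ok = sha256_hex(data) == item.sha256
        item.custody.append(CustodyEvent(when, actor, "verified", item.storage_location,
                                         "digest match" if ok else "DIGEST MISMATCH"))
        return ok

    def within_retention(self, item_id, now) -> bool:
        return now <= self.items[item_id].retain_until

    def custody_chain(self, item_id):
        return [f"{e.timestamp.isoformat()} {e.action} by {e.actor} at {e.location}: {e.note}"
                for e in self.items[item_id].custody]


# Constructed sample evidence: two auth-log lines from a hypothetical endpoint ws-42.
AUTH_LOG = (
    b"Mar  1 09:12:03 ws-42 sshd[2210]: Failed password for admin from 203.0.113.9 port 51022\n"
    b"Mar  1 09:12:07 ws-42 sshd[2210]: Accepted password for admin from 203.0.113.9 port 51022\n"
)


def demo():
    """Walk one item through collection, transfer, access and two verifications."""
    reg = EvidenceRegister()
    t0 = datetime(2024, 3, 1, 9, 30, tzinfo=timezone.utc)
    reg.collect("EV-0042-001", "auth.log excerpt from ws-42 (constructed)", "endpoint",
                AUTH_LOG, "a.analyst", "evidence-vault/case-0042", 7 * 365, t0)
    reg.transfer("EV-0042-001", "a.analyst", "b.custodian", "evidence-vault/locker-3",
                 t0 + timedelta(hours=2))
    reg.access("EV-0042-001", "c.investigator", "timeline reconstruction", t0 + timedelta(days=1))
    intact = reg.verify("EV-0042-001", AUTH_LOG, "b.custodian", t0 + timedelta(days=2))
    # A single appended byte is enough to fail verification.
    tampered = reg.verify("EV-0042-001", AUTH_LOG + b"\n", "b.custodian", t0 + timedelta(days=3))
    return {
        "intact": intact,
        "tampering_detected": not tampered,
        "chain_length": len(reg.custody_chain("EV-0042-001")),
        "location": reg.items["EV-0042-001"].storage_location,
        "retained_in_2030": reg.within_retention("EV-0042-001", datetime(2030, 1, 1, tzinfo=timezone.utc)),
        "retained_in_2032": reg.within_retention("EV-0042-001", datetime(2032, 1, 1, tzinfo=timezone.utc)),
        "chain": reg.custody_chain("EV-0042-001"),
    }
```

When reviewing a real register against test (3) above, the points to look for are the same ones this toy makes explicit: the digest is recorded at the moment of collection rather than later, every access is an event in the chain rather than an untracked read, and a failed verification is recorded rather than silently discarded. In production the register itself would sit in write-once or signed storage so that the custody events cannot be edited after the fact.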
Questions (2)
Are procedures in place to identify, collect, and preserve digital evidence related to security incidents in a manner that maintains chain of custody and supports potential legal proceedings?
Evidence collection procedures should specify approved tools, chain of custody requirements, storage location, access controls, and retention period aligned to legal and regulatory requirements.
Which elements are included in your evidence collection and preservation procedure?
Chain of custody and secure storage are the minimum requirements. Cloud-based evidence collection procedures are essential for SaaS incident response.