Control attributes: Organisational | Corrective | Detect, Respond

A.5.28 Collection of Evidence

M365 Admin Path: Microsoft Sentinel > Settings > Data retention

Evidence Source: Microsoft Sentinel and Purview

What is this control?

ISO 27001 control A.5.28 Collection of Evidence establishes a formal, forensically sound process for collecting and preserving evidence related to security incidents when legal or disciplinary implications exist. The process maintains integrity and chain of custody using Microsoft Purview eDiscovery Premium with immutable legal holds on custodians and forensic analysis through Sentinel Advanced Hunting.

How to implement in Microsoft 365

Implement A.5.28 by configuring Microsoft Sentinel for immutable log retention of 365 or more days with archival to Azure Log Analytics Workspace. Enable Microsoft Purview eDiscovery Premium licensing for the organisation. Create an eDiscovery case template in Purview with standard custodian identification workflow.

Document procedures for initiating legal holds on user mailboxes, SharePoint sites, and Teams channels via eDiscovery. Configure Advanced Hunting templates in Sentinel and Defender for forensic queries. Create an export workflow in eDiscovery with audit trail for chain of custody documentation.

Create a physical Chain of Custody form with fields for asset ID, handler, timestamp, reason, and signature.
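The export workflow and Chain of Custody form described above come together in the following added example, which is not part of this guide or of any Microsoft product: a hash-chained custody log in Python that records the form's fields (asset ID, handler, timestamp, reason) against the SHA-256 of the exported evidence, stands in for the handwritten signature with an HMAC under a per-handler key (an assumption for the digital version), links each record to the previous one, and then verifies the whole chain so that tampering with either the evidence bytes or a past record is detected. The export bytes, handler names and keys are constructed sample values.

```python
"""Hash-chained chain-of-custody log for exported evidence (added example, not the guide's own tooling)."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample bytes standing in for an eDiscovery export (e.g. a PST or ZIP file).
SAMPLE_EXPORT = b"constructed eDiscovery export bytes for case CASE-PLACEHOLDER\n"

# Constructed per-handler signing keys; in practice these would live in a key vault (assumption).
HANDLER_KEYS = {"analyst.a": b"constructed-key-a", "analyst.b": b"constructed-key-b"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(fields: dict) -> bytes:
    # Canonical JSON so identical fields always hash and sign identically.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def _signing_payload(entry: dict) -> bytes:
    return _canonical({k: v for k, v in entry.items() if k not in ("signature", "record_hash")})


def _record_digest(entry: dict) -> str:
    return sha256_hex(_canonical({k: v for k, v in entry.items() if k != "record_hash"}))


def append_entry(chain: list, asset_id: str, handler: str, reason: str,
                 evidence: bytes, handler_key: bytes, timestamp: str = "") -> dict:
    """Append one custody record: the form's fields plus evidence hash, link to the previous record, HMAC and record hash."""
    prev_hash = chain[-1]["record_hash"] if chain else "0" * 64
    entry = {
        "asset_id": asset_id,
        "handler": handler,
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "reason": reason,
        "evidence_sha256": sha256_hex(evidence),
        "prev_hash": prev_hash,
    }
    # Digital stand-in for the handler's signature on the paper form.
    entry["signature"] = hmac.new(handler_key, _signing_payload(entry), "sha256").hexdigest()
    entry["record_hash"] = _record_digest(entry)
    chain.append(entry)
    return entry


def verify_chain(chain: list, handler_keys: dict, evidence_by_asset: dict) -> list:
    """Return a list of problems; an empty list means the chain and evidence are intact."""
    problems = []
    expected_prev = "0" * 64
    for i, e in enumerate(chain):
        recomputed = _record_digest(e)
        if e["prev_hash"] != expected_prev:
            problems.append(f"entry {i}: broken link to previous record")
        if e["record_hash"] != recomputed:
            problems.append(f"entry {i}: record hash mismatch (record altered)")
        key = handler_keys.get(e["handler"])
        expected_sig = hmac.new(key, _signing_payload(e), "sha256").hexdigest() if key else ""
        if not key or not hmac.compare_digest(e["signature"], expected_sig):
            problems.append(f"entry {i}: handler signature invalid")
        current = evidence_by_asset.get(e["asset_id"])
        if current is not None and sha256_hex(current) != e["evidence_sha256"]:
            problems.append(f"entry {i}: evidence bytes no longer match recorded hash")
        # Link the next record to the recomputed digest so an altered record also breaks the chain after it.
        expected_prev = recomputed
    return problems


def demo():
    """Build a two-handler custody chain, then show a clean check and two tampering scenarios."""
    chain = []
    append_entry(chain, "EXPORT-001", "analyst.a", "eDiscovery export collected",
                 SAMPLE_EXPORT, HANDLER_KEYS["analyst.a"], "2024-01-01T09:00:00+00:00")
    append_entry(chain, "EXPORT-001", "analyst.b", "handed over for forensic review",
                 SAMPLE_EXPORT, HANDLER_KEYS["analyst.b"], "2024-01-01T10:30:00+00:00")
    clean = verify_chain(chain, HANDLER_KEYS, {"EXPORT-001": SAMPLE_EXPORT})
    # Scenario 1: the evidence bytes change after collection.
    evidence_tampered = verify_chain(chain, HANDLER_KEYS, {"EXPORT-001": SAMPLE_EXPORT + b"x"})
    # Scenario 2: someone rewrites the reason on the first record.
    altered = json.loads(json.dumps(chain))
    altered[0]["reason"] = "nothing happened"
    record_tampered = verify_chain(altered, HANDLER_KEYS, {"EXPORT-001": SAMPLE_EXPORT})
    return clean, evidence_tampered, record_tampered


if __name__ == "__main__":
    for label, result in zip(("clean", "evidence tampered", "record tampered"), demo()):
        print(f"{label}: {result or 'OK'}")
```

Each record hashes the evidence at the moment it changes hands, so an auditor can take the exported file and the log and confirm, without trusting either handler, that the bytes reviewed are the bytes collected and that no custody step was inserted, removed or reworded afterwards.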

What an auditor looks for

Auditors will verify the Log Analytics Workspace configuration showing retention of 365 or more days with immutable logs enabled. They will check example eDiscovery Premium cases showing an audit trail of legal holds placed on custodians. Auditors will review eDiscovery case export records with a complete audit log demonstrating chain of custody.

They will verify forensic hunting queries from Sentinel and Defender Advanced Hunting showing analysis methodology. Auditors will check documentation of third-party evidence collection procedures with sample export logs.