ISO/IEC 27037 is an international standard that gives guidelines for the identification, collection, acquisition and preservation of digital evidence. These are the first steps of a digital forensic process, and the standard exists so that the integrity and authenticity of potential evidence can be demonstrated if it is later relied on in legal proceedings.
Definition and purpose
The purpose of ISO/IEC 27037 is to establish principles and general requirements for ensuring the integrity, authenticity and reliability of potential digital evidence. It is written for incident handling and forensic practitioners and covers the handling of potential evidence from the point at which it is identified through its preservation; analysis and interpretation of the evidence are outside its scope (that is the subject of ISO/IEC 27042). The standard describes its guidance in terms of two roles: the Digital Evidence First Responder (DEFR), who is first on scene and handles the initial collection or acquisition, and the Digital Evidence Specialist (DES), who has the deeper expertise to handle more complex situations.
The standard is developed and maintained by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
ISO/IEC 27037 was published in 2012. It was reviewed and confirmed in 2018.
ISO/IEC 27037 is applicable to any organization that may need to handle digital evidence: law enforcement, private investigators and security firms, legal teams, IT departments and cybersecurity professionals across sectors.
Controls and requirements
ISO/IEC 27037 is a guideline rather than a list of certifiable controls. Its guidance is organized around the following areas:
- Principles for Evidence Handling: The process must be auditable (every action is recorded and can be reviewed), repeatable (the same result is obtained with the same tools and methods), reproducible (another practitioner can obtain the same result with different tools) and justifiable (every decision can be explained). Potential evidence should also be relevant, reliable and sufficient for the purpose it is collected for.
- Processes for Identification: Recognising and documenting possible sources of digital evidence at the scene, including volatile data and easily overlooked devices, and prioritising them so that the most perishable data is dealt with first.
- Collection Methods: Gathering the physical devices that hold potential evidence from their original location. A central decision is whether a running system is kept powered on (to capture volatile data such as memory and network state) or powered off; each choice has its own procedure and its own risk of altering data.
- Acquisition Protocols: Creating a copy of the data (for example a bit-for-bit image) rather than, or in addition to, removing the device. The copy is verified against the source with a verification function such as a cryptographic hash, and where a complete image is not possible (live systems, encrypted storage, cloud services) the partial or logical acquisition and its limits are documented.
- Preservation Techniques: Protecting the integrity of the original and of every copy from that point on, through write protection, secure storage and a documented chain of custody.
- Documentation: Maintaining contemporaneous records of every action taken, who took it, when, with which tools, the resulting hash values and every transfer of custody.
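The acquisition, preservation and documentation points above come together in one routine in practice: image the source, hash it, hash the image independently, write down the result with the custody details, and later re-hash the image to prove it has not changed. The following is an added illustration of that routine and is not code from ISO/IEC 27037 or from any forensic tool; it is assumed for the example that an ordinary file stands in for the source device (a real acquisition reads a block device behind a write blocker), and the case identifier, handler names and sample data are constructed.

```python
"""Verified acquisition with a chain-of-custody record (added example, not from the standard).

A regular file stands in for the source device. Real acquisitions read the device
through a hardware write blocker and usually record more than one hash algorithm.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 16  # read/write in 64 KiB chunks so large images are not loaded into memory


def hash_file(path, algo="sha256"):
    """Stream a file through a hash; used to verify an image independently of the copy loop."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _now():
    return datetime.now(timezone.utc).isoformat()


def acquire(source, image_path, case_id, handler, notes=""):
    """Copy source bit-for-bit to image_path, hashing the source as it is read.

    The written image is then re-read and hashed separately; a mismatch means the
    acquisition is not trustworthy and the record must not be produced.
    """
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
    source_hash = h.hexdigest()
    image_hash = hash_file(image_path)
    if source_hash != image_hash:
        raise RuntimeError("acquisition failed verification: source and image hashes differ")
    return {
        "case_id": case_id,                      # constructed identifier
        "source": os.path.abspath(source),
        "image": os.path.abspath(image_path),
        "size_bytes": os.path.getsize(image_path),
        "sha256": image_hash,
        "tool": "acquire.py (example)",
        "notes": notes,
        # chain of custody: every action on the evidence, by whom and when
        "custody": [{"action": "acquired", "by": handler, "at": _now()}],
    }


def record_transfer(record, from_handler, to_handler):
    """Append a custody hand-over to the record; the record is the audit trail."""
    record["custody"].append(
        {"action": "transferred", "from": from_handler, "to": to_handler, "at": _now()}
    )
    return record


def verify_preserved(record):
    """Re-hash the image and compare with the acquisition record. True only if unchanged."""
    return (
        os.path.getsize(record["image"]) == record["size_bytes"]
        and hash_file(record["image"]) == record["sha256"]
    )


def demo():
    """Constructed scenario: acquire a small 'device', hand it over, then tamper with the image."""
    workdir = tempfile.mkdtemp()
    try:
        source = os.path.join(workdir, "usb0.bin")
        with open(source, "wb") as f:
            f.write(b"CONSTRUCTED SAMPLE DATA " * 4096)  # constructed stand-in for device contents
        image = os.path.join(workdir, "usb0.dd")
        record = acquire(source, image, "CASE-0001", "first responder A", notes="seized USB stick")
        record_transfer(record, "first responder A", "evidence custodian B")
        ok_before = verify_preserved(record)
        with open(image, "r+b") as f:      # a single changed byte must be detected
            f.seek(100)
            f.write(b"X")
        ok_after = verify_preserved(record)
        return ok_before, ok_after, record
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    before, after, rec = demo()
    print(json.dumps(rec, indent=2))
    print("verified before tampering:", before, "| after tampering:", after)
```

The source is hashed in the same pass that writes the image, and the image is then hashed again from disk rather than trusting the in-memory digest; that second read is what shows the copy on the storage medium really matches the source. The record is what later supports the auditability and repeatability principles: anyone can re-run `verify_preserved` against it.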
Please refer to the official ISO/IEC 27037:2012 documentation for details on controls and requirements.
Audit type, frequency, and duration
Because ISO/IEC 27037 is a guideline rather than a certifiable management-system standard, an audit against it is a review of the organization's digital evidence handling procedures, records and tooling against the standard's guidance, typically conducted by internal or external auditors with digital forensics expertise. The standard does not prescribe an audit frequency; in practice it should follow the organization's risk management framework and be repeated after major incidents and whenever the procedures are changed.
The duration of an audit varies with the size of the organization, the complexity of its digital environments and the scope of the evidence handling procedures under review.