ISO/IEC 27041:2015 – Information technology — Security techniques — Guidelines on assuring suitability and adequacy of incident investigative techniques
ISO27k digital forensics standards are designed to promote forensic methods and processes for capturing and analysing digital evidence.
Even though individual investigators, organizations and jurisdictions may retain specific methods, processes and controls, standardization is anticipated to eventually lead to similar if not identical approaches globally, allowing investigators to compare, combine and contrast results across different people, organizations, and jurisdictions.
Scope and objectives
Specifically, this standard “guides mechanisms for ensuring that methods and processes used in the investigation of Information Security Incidents are ‘fit for a purpose’. It encapsulates best practice on defining requirements, describing methods and providing evidence that implementations of methods can be shown to satisfy requirements. It includes consideration of how vendor and third-party testing can be used to assist this assurance process. This document aims to: guide the capture and analysis of functional and non-functional requirements relating to an Information Security (IS) incident investigation; give guidance on the use of validation as a means of assuring suitability of processes involved in the investigation; guide on assessing the levels of validation required and the evidence required from a validation exercise, and give guidance on how external testing and documentation can be incorporated in the validation process.” [taken from CD2]
This standard focuses primarily on the forensic processes and tools used to investigate digital evidence. Credibility, trustworthiness and integrity are essential for any forensic method, so this standard emphasizes assurance of the digital evidence produced.
The standard provides guidance on how to ensure that the forensic methods used to investigate digital evidence are suitable and adequate, describing how each stage of the investigation process can be validated as appropriate (demonstrably adequate, suitable, and carried out properly).
According to the standard, “it should be applied before any investigation, in the context of principles and processes (as defined in ISO/IEC 27043) and sound preparation and planning (defined in ISO/IEC 27035-2) to assure the suitability of methods to be applied in the investigative processes described in ISO/IEC 27037 and ISO/IEC 27041.” (quote taken from CD2)
The standard’s status
The standard was released in 2015.
Standards relevant to this topic
The ISO/IEC 27037 standard concerns the initial capture of digital evidence. It focuses on ensuring that the appropriate tools, methods and procedures are used in digital forensics.
The ISO/IEC 27042 standard covers the analysis and interpretation of digital evidence after it has been collected.
In general, ISO/IEC 27043 encompasses incident investigation activities, within which forensic analysis is usually carried out.
ISO/IEC 27050 (in four parts) is about electronic discovery, which largely overlaps with the scope of the other standards. A British Standard, BS 10008:2008, entitled “Evidential weight and legal admissibility of electronic information. Specification” is also worth checking out.
I do not understand why SC 27 is creating several different international standards for forensics when they are complementary parts of the same process. A standard composed of several parts explaining how the pieces of the jigsaw fit together makes more sense to me.