ISO/IEC 27043:2015 – Information technology — Security techniques — Incident investigation principles and processes
The basic objective of ISO/IEC 27037, 27041, 27042, 27043 and 27050 is to promote good practices for capturing and investigating digital evidence. It is quite likely that individual investigators, organizations and jurisdictions will continue to use certain methods, processes, and controls, but standardized methods, approaches, and controls are anticipated to be adopted internationally, which should simplify cross-pollination, comparison, and contrast of investigations, regardless of who performed the investigations or where they occurred.
Scope and objectives
The standard covers the underlying principles of incident investigation, as well as the forensic analysis involved in investigating incidents.
According to the standard:
“provides guidelines that encapsulate idealized models for common incident investigation processes across various incident investigation scenarios involving digital evidence. This includes processes from pre-incident preparation up to and including returning evidence for storage or dissemination as well as any general advice and caveats on such processes. The guidelines describe processes and principles applicable to various kinds of investigations … In summary, this International Standard provides a general overview of all incident investigation principles and processes without prescribing particular details.”
[cited from DIS version]
The standard’s status
The standard was published in 2015.
Standards relevant to this topic
The ISO/IEC 27037 standard concerns the initial capture of digital evidence.
ISO/IEC 27041 provides guidance on the assurance aspects of digital forensics, such as ensuring that appropriate tools and methods are used.
The ISO/IEC 27042 standard covers the analysis and interpretation of digital evidence after it has been collected. The present standard, ISO/IEC 27043, covers the broader incident investigation activities within which forensic work is usually performed.
The ISO/IEC 27050 standard (in four parts) provides guidance on electronic discovery, a process similar to the ones the other standards set out. British Standard BS 10008:2008 addresses the evidential weight and legal admissibility of electronic information.
The fact that SC 27 is developing several distinct forensics standards covering different aspects of forensics is puzzling since they are complementary aspects of the same process. My preferred standard would be a multi-part standard with the normal overview (Part 1) to illustrate how the various pieces fit together.