ISO/IEC 27050
ISO/IEC 27050:2018-2021 – Information technology — Security techniques — Electronic discovery (parts 1 – 4 published)
Introduction
The ISO27k standards are intended to promote quality methods and processes for capturing, processing, and analyzing digital evidence forensically. Even though individual investigators, organizations, and jurisdictions might retain specific methods, processes, and controls tailored to their local laws, regulations, and practices, standardization may (in the future) lead to similar or even identical approaches worldwide, which makes it easier to compare and contrast investigations conducted by different people or organizations across diverse jurisdictions.
Scope and objectives
There are multiple parts to this standard that deal with the discovery phase, especially the discovery of “Electronically Stored Information” (ESI), which is, in essence, forensic evidence in the form of digital data.
The main steps of electronic discovery (eDiscovery) are:
1. Identification: Potentially relevant ESI is identified, along with its location, custodian, size/volume, etc. There is more to this than appears at first glance, including information assets belonging not only to the suspects but also to their employers and friends, and to other organizations such as phone companies, Internet service providers (ISPs) and social media platforms. Backups, archives and operational/online data may all contain relevant information. This phase is often time-critical because ephemeral data (such as operational evidence) may be destroyed or spoilt before it can be captured and preserved;
2. Preservation: After potentially relevant ESI has been identified, a legal hold is applied to it. This starts the formal forensic process that protects the data, beyond reasonable doubt, from threats such as loss or theft, accidental destruction, tampering and replacement or substitution, any of which could leave the ESI damaged, discredited, inadmissible or unusable. In essence, the legal hold places the custodian under an obligation not to delete or alter the ESI. Note: live systems may be affected by this, since their continued operation may contaminate the ESI;
3. Collection: Typically, ESI is collected from the original custodian by physically removing the relevant local storage media (such as hard drives, memory sticks, CDs and DVDs) together with associated physical evidence (fingerprints, envelopes, storage cases, etc.) for safekeeping. Internet, cloud or ephemeral data (including the contents of RAM) usually cannot be secured by seizing physical media, so it may be necessary to capture the data directly using forensically sound methods rather than capturing the media. Since the original evidence may later be presented in court, subsequent forensic examination must leave no reasonable possibility that it has been compromised, for instance by working with forensic tools and methods on verified copies rather than examining the original items of evidence directly.
Note also that physically removing systems and media can itself be considered an information security incident, especially since the case is still unproven: liability may accumulate until the incident is proved;
4. Processing: With suitable forensic tools and platforms, bit-copies of the evidence can be searched for information relevant to the investigation. This step involves selecting the few essential bits of information from a much larger volume of data typically collected;
5. Review: Bit-copies of forensic evidence are searched or analyzed for information that may be relevant;
6. Analysis: Detailed analyses are carried out to determine what information is useful, suitable, weighted, significant, etc. The selected data are used to extract beneficial knowledge;
7. Production: The court receives all the relevant information from the analysis, as well as the original storage media, etc. As a result, the evidence must be presented and explained in terms that make sense to the court. Perhaps something along the lines of “I swear under oath that we have complied fully with ISO/IEC 27050” will, in future, sidestep a host of challenges in eDiscovery!
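As an added illustration of steps 2 to 4 (example code written for this page, not text or code from the standard itself): a Python sketch that places a bit-copy under a hash-based chain-of-custody manifest, makes the held original read-only, and shows that examination work on a writable working copy is detected if that copy is altered while the original still verifies. The sample image bytes, the custodian name and the manifest layout are constructed for the example.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

SAMPLE_IMAGE = b"MBR\x00" + bytes(range(256)) * 4 + b"\x55\xaa"  # constructed stand-in, not real evidence

def sha256_of(path, chunk=1 << 20):
    """Stream-hash a file so large images never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def preserve(image_path, custodian, manifest_path):
    """Legal hold: record acquisition hash and custodian, then make the image read-only."""
    entry = {
        "file": os.path.basename(image_path),
        "sha256": sha256_of(image_path),
        "custodian": custodian,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
    }
    os.chmod(image_path, 0o444)
    with open(manifest_path, "w") as f:
        json.dump(entry, f, indent=2)
    return entry

def verify(image_path, manifest_path):
    """True only if the file still matches the hash recorded at acquisition."""
    with open(manifest_path) as f:
        return sha256_of(image_path) == json.load(f)["sha256"]

def demo():
    """Preserve the sample image, examine a copy, and detect alteration of that copy."""
    work = tempfile.mkdtemp()
    original = os.path.join(work, "disk.img")
    manifest = os.path.join(work, "disk.manifest.json")
    with open(original, "wb") as f:
        f.write(SAMPLE_IMAGE)
    preserve(original, "examiner-01 (hypothetical)", manifest)
    copy = os.path.join(work, "disk-working.img")
    shutil.copyfile(original, copy)
    copy_ok = verify(copy, manifest)  # untouched working copy matches the manifest
    with open(copy, "r+b") as f:  # simulate accidental alteration of the working copy
        f.seek(10); f.write(b"X")
    return copy_ok, verify(copy, manifest), verify(original, manifest)  # (True, False, True)
```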
“It is important to note that [ISO/IEC 27050] is not intended to contradict or supersede local jurisdictional laws and regulations. Electronic discovery often serves as a driver for investigations as well as evidence acquisition and handling activities. In addition, the sensitivity and criticality of the data sometimes necessitate protections like storage security to guard against data breaches.” [quoted from ISO/IEC 27041, second CD].
“This International Standard is not a reference or normative document for regulatory and legislative security requirements. Although it emphasizes the importance of these influences, it cannot state them specifically, since they are dependent on the country, the type of business, etc.” [from the DIS version of ISO/IEC 27050-1].
ISO/IEC 27050-1:2019 — Information technology — Security techniques — Electronic discovery — Part 1: Concepts and overview
– A brief overview of eDiscovery;
– Describes the concepts, operations and methods involved, and defines terms such as Electronically Stored Information (ESI);
– Describes the objectives, scope, and context of this multi-part standard;
– Status: Part one was published in 2016 and updated in 2019;
– Part 1 was available for free on the ITTF website for a short time, but no longer is.
ISO/IEC 27050-2:2018 — Information technology — Security techniques — Electronic discovery — Part 2: Guidance for governance and management of electronic discovery
– Provides management with guidance on how to identify and handle eDiscovery-related information risks, for example by implementing appropriate eDiscovery policies and complying with relevant legal expectations and obligations;
– Outlines the principles of good governance in handling forensic investigations, namely the overarching structure on which activities related to digital forensics should be carried out and managed in a controlled, repeatable and trustworthy manner;
– Outlines a few metrics to consider;
– Status: Part 2 of the standard was published in 2018.
ISO/IEC 27050-3:2020 — Information technology — Security techniques — Electronic discovery — Part 3: Code of practice for electronic discovery
– Outlines the requirements and offers guidelines for the seven main steps of eDiscovery noted above (identifying ESI, preserving it, collecting it, processing it, reviewing it, analysing it and producing it);
– The document lays out the key elements of a basic digital forensics code of practice that is likely to be the foundation for many future manuals;
– Status: Part 3 was originally published in 2017 and was revised in 2020.
ISO/IEC 27050-4:2021 — Information technology — Electronic discovery — Part 4: Technical readiness
– Gives guidance on preparing the technical infrastructure (including forensic tools and systems for the collection, storage, collation, searching, analysis and production of ESI, as well as the related processes) that will be necessary for eDiscovery.
– The formal definition of technical readiness is the “state of having the knowledge, skills, processes and technologies needed to address a particular issue or challenge”.
– Similarly, “Technical readiness means having the knowledge, skills, processes, and technologies needed to address a particular issue or challenge. For an organization, this doesn’t mean that it is all-knowing and able to do everything, but rather it is fit for purpose and ready for the task at hand, including any contingency that can occur.”
– In addition, “Technical readiness is the achievement of the appropriate level of capability by an organization for it to be able to identify, preserve, collect, process, review, analyse and produce ESI. It is also important the ESI is protected (for example, backup, business continuity management, or security) and organized so that this material can be used effectively.”
– Its 35 pages focus on selecting, preparing and applying tools to the various steps in the electronic discovery process, including the storage, production and eventual destruction of ESI.
– The standard provides general guidelines without specifying or recommending proprietary or open-source tools.
– Publication date: April 2021.
Standards related to the topic
ISO/IEC 27037 deals with the initial capture of digital evidence.
ISO/IEC 27041 guides the assurance aspects of digital forensics, such as ensuring the appropriate methods and tools are being used.
The ISO/IEC 27042 standard covers the analysis and interpretation of digital evidence after it has been collected.
Usually, forensics is part of the broader incident investigation activities covered by ISO/IEC 27043.
Like the standards above, the four parts of ISO/IEC 27050 pertain to electronic discovery. British Standard BS 10008:2008 “Evidential weight and legal admissibility of electronic information. Specification” is also worth a look.
Commentary
Due to troubling differences of interpretation and implication among jurisdictions, the term “evidence” has been eliminated from the standard. “Electronically Stored Information” is a clunky substitute, thankfully shortened to “ESI”.
Part 2 includes a set of information risks, which I appreciate. The list gives examples such as damage, theft, loss and other kinds of incident that may affect the value and admissibility of ESI in court, potentially bringing an otherwise valid case to a halt. Although incomplete and open to discussion, the Analog Risk Assessment metric (a variation of a Probability Impact Chart) attempts to illustrate the relative importance of the various risks in this context using two parameters: likelihood (degree of probability) and severity (impact or consequence for the organization or business).
As all of these aspects of eDiscovery are related, it makes sense to cover them in one coherent multi-part standard. It should become an important international standard, especially because it explains how processes, terminology and controls are aligned across various jurisdictions. If only the laws, regulations and practices relating to digital forensics were unified too, it would be great.
As a way to add credibility to the assertion noted in step 7 above, maybe there will be a demand for certification against ISO/IEC 27050 and perhaps the other digital forensics standards in the future.