Developments in ISO digital investigations international standards

Last October in Rome, ISO/IEC SC 27 held its 45th meeting. SC 27 is the ISO subcommittee responsible for information security standards. We saw a significant evolution in the work regarding digital evidence and digital investigation, first and foremost the formal publication of ISO/IEC 27037:2012 (identification, collection, acquisition and conservation of digital evidence).

Work continues on four other new guidelines, now entering CD (Committee Draft) status, which together will form a complete family of standards covering all phases of a digital investigation:

ISO 27042 – “Guidelines for the analysis and interpretation of digital evidence” – This standard aims to detail guidelines for the processes that logically follow those covered in ISO 27037: analysis and interpretation of (potential) evidence, together with reporting of the results.

ISO 27035 – “Information security incident management” – In part two of this new standard, readiness processes are covered, i.e. processes designed and implemented before any incident and subsequent investigation, as part of general readiness planning. This is essential for the organization to be able to perform forensic activities rapidly and effectively before restoring functionality; otherwise the focus would be on restoring systems to assure business continuity, losing forever any evidence that could have been collected. This is also one of the controls included in ISO 27001/27002 for risk mitigation.

ISO 27041 – “Guidance on assuring suitability and adequacy of investigation methods” – Methods and tools used in digital investigation need to be “validated” for their use, and here the criteria to assure this are detailed. The validation concept was already present in 27037, but without many details.

ISO 27043 – “Investigation principles and processes” – This will be an overarching guideline, defining general principles and processes for all kinds of digital investigations.

Looking at the digital investigation workflow, the first two new standards sit on either side of the processes already covered by ISO 27037 (ISO 27035 before, ISO 27042 after), while the last two contain basic principles to be applied in all the activities. When all these new guidelines are completed, they will form a coherent corpus, which will be the first worldwide reference for the field, covering criminal, civil and corporate digital investigations.

Future posts will delve in detail into these documents, as they came out of the Rome plenary meeting.
