ISO/IEC 27050:2016+ — Information technology — Security techniques — Electronic discovery
The fundamental purpose of the ISO27k digital forensics standards is to promote good practice methods and processes for forensic capture and investigation of digital evidence. While individual investigators, organizations and jurisdictions may well retain certain methods, processes and controls in compliance with local laws, regulations and established practices, it is hoped that standardization will (eventually) lead to the adoption of similar if not identical approaches internationally, making it easier to compare, combine and contrast the results of such investigations even when performed by different people or organizations and potentially across different jurisdictions.
Scope and purpose
This multi-part standard concerns the discovery phase, specifically the discovery of Electronically Stored Information (ESI), a legal term-of-art meaning (in essence) forensic evidence in the form of computer data. Electronic discovery (eDiscovery) involves the following main steps:
- Identification: ESI that is potentially relevant to a case is identified, along with its locations, custodians, sizes/volumes etc. Note: this can be more complex than it may appear, for instance involving information assets belonging not just to the individual suspects but also their employers, friends and other organizations such as phone companies and the suppliers of services such as email and Internet access (ISPs), even social media. Operational/online data, backups and archives may all contain relevant data. Often, this phase is time-critical since potential evidence (especially ephemeral operational data) may be spoiled before it has been preserved and collected;
- Preservation: the identified, potentially relevant ESI is placed under a legal hold, starting the formalized forensic process designed to ensure, beyond doubt, that they are protected through the remaining steps against threats such as loss/theft, accidental damage, deliberate interference/manipulation and replacement/substitution, any of which might spoil, discredit and devalue the data, perhaps resulting in the ESI being ruled inadmissible or more simply being unusable. The legal hold is essentially a formal obligation on the custodian not to interfere with or delete the ESI. Note: this may have implications on live systems since their continued operation may spoil the ESI;
- Collection: the ESI is collected from the original custodian, typically by physically removing the original digital storage media (hard drives, memory sticks and cards, CDs, DVDs, whatever) and perhaps associated physical evidence (such as devices, media storage cases, envelopes etc. that might have fingerprints or DNA evidence linking a suspect to the crime) into safe custody. In the case of Internet, cloud or other dispersed and ephemeral data including RAM on a running system, it may be impracticable or impossible to secure the data by capturing physical media, hence the data rather than the media may need to be captured directly in a forensically sound manner. Note: the original evidence may later be produced in court hence all subsequent forensic analysis must be performed in such a way that there is no credible possibility that it might have been spoiled e.g. by analyzing bit-copies made with suitable forensic tools and methods rather than the original evidence itself. Note also that physically removing systems and media into the custody of a third party could itself be classed as an information security incident with clear implications on the confidentiality, integrity and availability of the information, particularly since, at this stage, the case is not proven: in other words, liabilities may be accumulating;
- Processing: forensic bit-copies are stored in a form that allows them to be searched/analyzed for information that is relevant to the case, using suitable forensic tools and platforms. Sifting out the few vital bits of data from a much larger volume typically collected is the crux of this step;
- Review: forensic bit-copies are searched for information that is relevant to the case;
- Analysis: the information is analyzed and assessed as to its relevance, suitability, weight, meaning, implications etc. Useful information is gleaned from the selected data;
- Production: the relevant information from the analysis, plus the original storage media etc., is presented to the court as evidence. This inevitably involves demonstrating and explaining the meaning of the evidence in terms that make sense to the court. Hopefully, something along the lines of “I state, under oath, that we complied fully with ISO/IEC 27050” will, in future, side-step a raft of challenges concerning the eDiscovery processes!
“It is important to note that [ISO/IEC 27050] is not intended to contradict or supersede local jurisdictional laws and regulations. Electronic discovery often serves as a driver for investigations as well as evidence acquisition and handling activities. In addition, the sensitivity and criticality of the data sometime necessitate protections like storage security to guard against data breaches.” [quoted from the second CD of ISO/IEC 27041]
“This International Standard is not a reference or normative document for regulatory and legislative security requirements. Although it emphasizes the importance of these influences, it cannot state them specifically, since they are dependent on the country, the type of business, etc.” [quoted from the DIS version of ISO/IEC 27050-1]
ISO/IEC 27050-1:2016 Information technology — Security techniques — Electronic discovery — Overview and concepts
- An overview of eDiscovery;
- Defines the terms, concepts, processes etc. e.g. ESI (Electronically Stored Information);
- Introduces and defines the scope and context of this multi-part standard;
- Status: part 1 was published in 2016.
ISO/IEC 27050-2 (DRAFT) Information technology — Security techniques — Electronic discovery — Guidance for governance and management of electronic discovery
- Guides management on identifying and treating the information risks related to eDiscovery e.g. by setting and implementing eDiscovery-related policies and complying with relevant (mostly legal) obligations and expectations;
- Provides guidance on good governance for forensics work i.e. the overarching framework or structure within which digital forensic activities take place and are managed through a controlled, repeatable and trustworthy suite of activities;
- Suggests a few possible metrics.
- Status: now in FDIS, part 2 looks likely to surface during 2018.
ISO/IEC 27050-3:2017 Information technology — Security techniques — Electronic discovery — Code of practice for electronic discovery
- Identifies requirements and offers guidance on the seven main steps of eDiscovery noted above (ESI identification, preservation, collection, processing, review, analysis and production);
- Essentially, a basic, generic how-to-do-it guide laying out the key elements that will no doubt form the basis of many digital forensics manuals in due course;
- Status: part 3 was published at the end of 2017.
ISO/IEC 27050-4 (DRAFT) Information technology — Security techniques — Electronic discovery — ICT readiness for electronic discovery
- Guidance on eDiscovery technology i.e. the forensic tools and systems supporting the collection, storage, collation, searching, analysis and production of ESI, plus the related processes;
- I doubt “ICT” will be permitted in the final title, at least not without expanding it;
- Status: the project developing part 4 was re-booted in 2017.
ISO/IEC 27037 concerns the initial capturing of digital evidence.
ISO/IEC 27041 offers guidance on the assurance aspects of digital forensics e.g. ensuring that the appropriate methods and tools are used properly.
ISO/IEC 27042 covers what happens after digital evidence has been collected i.e. its analysis and interpretation.
ISO/IEC 27043 covers the broader incident investigation activities, within which forensics usually occur.
The 4 parts of this standard concern electronic discovery ... which is similar to the other standards.
British Standard BS 10008:2008 “Evidential weight and legal admissibility of electronic information. Specification.” may also be of interest.
The word “evidence” has been eliminated from the standard, presumably because of troubling differences of interpretation and implication in various jurisdictions. “Electronically Stored Information” is a clumsy replacement but at least “ESI” is succinct!
I’m pleased to note that part 2 includes a set of information risks. The list is incomplete, for example it fails to mention that damage, theft, loss or some other incident affecting ESI can compromise its value and admissibility in court, potentially decimating an otherwise valid case. Although also incomplete and subject to discussion, the generic Analog Risk Assessment metric below (a version of a Probability Impact Graph or PIG) attempts to show how various risks in this context compare to each other using two key risk parameters i.e. likelihood (relative probability) and severity (relative organizational/business impact, importance or consequence):
Given that these are all aspects of eDiscovery, it makes sense to cover them as one multi-part coherent standard. This should be a very worthwhile international standard, particularly if it aligns the terminology, processes and controls across various jurisdictions. It would be wonderful if the digital forensics-related laws, regulations and practices were also aligned but that’s just a pipe dream!
I wonder if there might, in due course, be a demand for certified compliance with ISO/IEC 27050 and perhaps the other digital forensics standards, as a way to add credibility to the assertion noted in step 7 above ... ?