Forensic capability and evidence collection
Primary statement
Forensic capability — internal team OR CERT-In empanelled external vendor on retainer (SEBI RS.3 + RBI RS.3). Chain-of-custody preserved. ISO A.5.28 evidence collection procedure. SEBI CSCRF DE.3 log collection supports forensic analysis. CERT-In Direction 5 mandatory annual audit by empanelled auditor.
Audit-fatigue payoff
A single forensic capability — retained CERT-In empanelled firm + documented chain-of-custody + log retention supporting forensics — satisfies forensic requirements across all 6 contributing frameworks.
Strictness matrix
Scope
Scope: identification, collection, acquisition, preservation of evidence related to information security events. Four operations — not just collection.
Ceiling source: iso27001:A.5.28
Rationale: ISO 27001 A.5.28 four-operation scope is the canonical specification.
Threshold
Threshold: internal team OR CERT-In empanelled external vendor on retainer. Empanelment is a binary qualifier: the vendor is on the current CERT-In empanelled list or it is not.
Ceiling source: sebi_cscrf:CSCRF.RS.3
Rationale: SEBI RS.3 CERT-In empanelment is the audit-defensible threshold.
Method
Method: forensic capability documented + chain-of-custody preserved + industry-standard tools + log retention sufficient (cl-logging) + procedures tested annually.
Ceiling source: sebi_cscrf:CSCRF.RS.3
Rationale: SEBI RS.3 method is the most prescriptive forensic specification.
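The "chain-of-custody preserved" element of the method is the part an auditor will actually walk through, so here is a worked illustration of what a defensible record looks like in practice. This is an added example, not code from the page or from any of the cited frameworks; the evidence identifier, actor names, tool string and the ledger layout are all assumptions, and the disk image is a constructed byte string standing in for a real acquisition. It shows the two checks that matter: the evidence digest recorded at acquisition still matches the file, and the ledger itself has not been edited after the fact (each entry commits to the previous one through a hash chain).

```python
"""Tamper-evident chain-of-custody ledger for forensic evidence (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so a multi-GB image never sits in memory


def sha256_file(path: str) -> str:
    """Stream the evidence file through SHA-256; this digest is the evidence identity."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def _entry_hash(entry: dict) -> str:
    # Canonical JSON over every field except the hash itself, so the value is reproducible.
    body = json.dumps({k: v for k, v in entry.items() if k != "entry_hash"},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()


class CustodyLog:
    """Append-only ledger. Every entry carries the hash of the entry before it, so
    editing, reordering or deleting a historical entry breaks the chain on re-verification."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def _append(self, entry: dict) -> dict:
        entry["prev"] = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry["timestamp"] = datetime.now(timezone.utc).isoformat()
        entry["entry_hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry

    def acquire(self, evidence_id: str, path: str, actor: str, tool: str) -> dict:
        """Record acquisition: who, with which tool, and the digest of what was taken."""
        return self._append({"action": "acquire", "evidence_id": evidence_id, "actor": actor,
                             "tool": tool, "size": os.path.getsize(path),
                             "sha256": sha256_file(path)})

    def transfer(self, evidence_id: str, from_actor: str, to_actor: str) -> dict:
        """Record a hand-off, e.g. internal team to the retained external vendor."""
        return self._append({"action": "transfer", "evidence_id": evidence_id,
                             "from": from_actor, "to": to_actor})

    def verify_evidence(self, evidence_id: str, path: str) -> bool:
        """Re-hash the item and compare with the digest recorded at acquisition."""
        acquired = next(e for e in self.entries
                        if e["action"] == "acquire" and e["evidence_id"] == evidence_id)
        current = sha256_file(path)
        ok = current == acquired["sha256"]
        self._append({"action": "verify", "evidence_id": evidence_id, "sha256": current,
                      "result": "match" if ok else "MISMATCH"})
        return ok

    def verify_chain(self) -> bool:
        """Recompute every entry hash and every back-link; False on any inconsistency."""
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev or _entry_hash(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def demo() -> dict:
    """Walk one item through acquire -> transfer -> verify, then show both failure
    modes an auditor cares about: altered evidence and an edited ledger."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "laptop-0042.E01")
        with open(img, "wb") as f:  # constructed stand-in for a disk image (not a real E01)
            f.write(b"EVF\x09\x0d\x0a\xff\x00" + os.urandom(4096))

        log = CustodyLog()
        log.acquire("EV-2024-0042", img, actor="analyst.a", tool="ewfacquire")  # names assumed
        log.transfer("EV-2024-0042", "analyst.a", "retained.vendor")
        results["evidence_intact"] = log.verify_evidence("EV-2024-0042", img)
        results["chain_ok"] = log.verify_chain()

        with open(img, "r+b") as f:  # someone changes a single header byte in the image
            f.seek(0)
            f.write(b"e")
        results["tamper_detected"] = not log.verify_evidence("EV-2024-0042", img)

        log.entries[1]["to"] = "someone.else"  # rewriting history in the ledger itself
        results["chain_tamper_detected"] = not log.verify_chain()
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The digest plus tool plus actor plus timestamp is what turns "preservation" from an assertion into something the auditor can sample in Step 4 of the test pattern. In a real engagement the ledger would be written to append-only or WORM storage and signed by the custodian, since a hash chain held in the same place as the evidence only detects edits, it does not prevent them.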
Frequency
Capability availability: continuous. Retainer test exercise: annual. Procedure review: annual + post-incident.
Ceiling source: sebi_cscrf:CSCRF.RS.3
Rationale: Annual retainer test is the audit-defensible periodic cadence.
Evidence
Evidence: forensic retainer agreement + CERT-In empanelment certificate + chain-of-custody procedure + sample forensic engagement + log retention supporting forensics + annual exercise records.
Ceiling source: sebi_cscrf:CSCRF.RS.3
Rationale: SEBI RS.3 evidence with empanelment certificate is uniquely strict.
Auditor test pattern
Step 1: Inspect forensic retainer agreement. Step 2: Verify CERT-In empanelment. Step 3: Inspect chain-of-custody procedure. Step 4: Sample one historical forensic engagement. Step 5: Verify log retention supports forensics.
Common findings
Common findings: (1) Retainer with non-empanelled firm; (2) Chain-of-custody procedure absent; (3) Annual retainer test never executed; (4) Log retention insufficient for forensic timelines.