Here is a scenario I have seen play out several times. A security incident occurs in an organization. The internal team (or an external consultant) starts digging through systems: someone collects event logs, another takes screenshots, a third tries to reconstruct the sequence of events on their own copy of the data.
Three weeks later, when the insurer asks to see the investigation report, nobody can clearly explain who did what, in what order, and with what method. The evidence exists, but its value is contestable because the process was not documented.
This scenario is not an exception. It is the norm in organizations that do not have a structured investigation framework.
ISO/IEC 27043 exists precisely for that.
What is ISO/IEC 27043?
ISO/IEC 27043:2015, titled Incident investigation principles and processes, is an international standard that establishes the principles and processes of a digital investigation (also called digital forensics).
It defines the process classes to follow in any investigation involving digital evidence: unauthorized access, data breach, internal fraud, system compromise, or any other attack on information security.
It is not an operational guide for technical investigators. It is a high-level reference framework that harmonizes investigation practices, regardless of incident type or organization size.
The standard is intentionally abstract so it applies equally to an investigation on a compromised server, a mobile device, a cloud environment, or an industrial system.
“The standard provides guidelines encapsulating idealized models for investigation processes common across different investigation scenarios, from pre-incident readiness processes through to investigation closure.” — ISO/IEC 27043:2015
The fundamental principle behind all of this is repeatability: two competent investigators, in similar conditions, applying the same methods, must obtain the same result. If that is not the case, the method used is questionable — and so is the evidence.
For a decision-maker or manager, here is the practical translation: if your investigation process cannot be reproduced and explained step by step to a judge, your insurer, or a regulatory authority, you are vulnerable.
The 5 process classes
ISO 27043 structures digital investigation into five major process classes. I present them in the logical order of a complete investigation.
1. Readiness processes
These processes take place before any incident. The organization defines probable investigation scenarios for its context, identifies its potential sources of digital evidence (event logs, cameras, system access logs), configures its IT architecture to facilitate evidence collection, and trains its teams.
The standard qualifies these processes as optional. I disagree with that wording. In practice, an unprepared organization will improvise during an incident, and improvisation costs dearly: in time, money, and credibility during legal or regulatory proceedings.
A concrete preparation example: you know your server event logs are retained for only 30 days by default. When an incident is discovered 45 days after the fact, those logs no longer exist. If you have done the preparation work, you have already reviewed your retention policy and extended that period. The standard provides the framework to do this exercise in a structured way, linked to a risk analysis.
2. Initiation processes
This is where the investigation actually begins: incident detection, initial response, investigation planning, and resource preparation.
First response is the most critical phase. Missteps at this stage can destroy irreplaceable evidence. Shutting down a server without first capturing the state of live memory (RAM) erases all volatile data: active connections, running processes, encryption keys. Opening or modifying files on a compromised system changes their metadata (access date, modification date) and can render them unusable as evidence. These are not rare errors. They are natural reflexes when there is no established procedure.
The standard stresses an important point: planning at this stage must use validated processes (see ISO/IEC 27041). This is not the time to improvise methods.
3. Acquisition processes
Identification, collection, acquisition, transport, and storage of potential digital evidence. Each step must preserve data integrity. In practice, that means verifiable forensic copies (bit-for-bit images accompanied by cryptographic hash values, so that any later modification can be proven not to have occurred), documentation of every handling, and physically secure storage.
The distinction between “collecting” and “acquiring” is important. Collecting means taking possession of physical equipment. Acquiring means creating a forensic copy of the data. Acquisition can be done on site or in a lab, depending on equipment type and situation.
Until data has been analyzed and confirmed as relevant, it is considered “potential digital evidence.” It is not yet evidence in the legal sense.
4. Investigation processes
Analysis of potential evidence, interpretation of results, report production, and presentation of conclusions. This is the phase where “potential evidence” becomes “evidence” once its relevance to the investigation is established.
The standard highlights a point I find often underestimated in organizations: the report must be understandable to a non-technical audience. Judges, managers, insurers, board members — these people will read your investigation report and make decisions based on its conclusions. If the report is incomprehensible to them, it does not fulfil its role.
Too often, I have seen investigation reports so technical they became unusable for decision-makers. The standard explicitly specifies that the report must be “clear, concise, and unambiguous in its statements.” That is a requirement, not editorial advice.
5. Concurrent processes
These six processes run in parallel throughout the investigation, from detection to closure. They guarantee the legal admissibility of evidence.
- Obtaining authorizations: every action in the investigation must be authorized by the parties concerned (system owners, competent authorities, management). Accessing systems without adequate authorization, even during a legitimate investigation, can create legal problems.
- Documentation: everything must be recorded — activities and observations. No documentation, no proof that the process was followed correctly.
- Information flow management: who communicates what, to whom, and through which channel. This includes protecting investigation data itself, notably through encryption and authentication mechanisms between investigators.
- Chain of custody preservation: demonstrating that evidence was not altered between collection and presentation. This is the most critical process for legal admissibility.
- Digital evidence preservation: maintaining the integrity of the original at all times, from detection through closure.
- Interaction with physical investigation: coordination when a physical investigation (police, private investigators) runs in parallel.
Chain of custody is your ultimate safety net. It answers the question any defence lawyer will ask: “How do you know this evidence was not modified?” Without documented chain of custody, you cannot answer.
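The acquisition requirements described above (a verifiable forensic copy with its hash value, documentation of every handling) and the chain-of-custody question just posed can be shown in a few dozen lines of code. The script below is an added example, not code from the article or from ISO/IEC 27043. It assumes a constructed in-memory byte string standing in for a bit-for-bit disk image, a hypothetical CustodyLedger class whose entries are hash-linked to one another, and SHA-256 for both the image digest and the links; the handler names, actions and timestamps are made up.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Constructed stand-in for a bit-for-bit forensic image (not a real disk image).
SAMPLE_IMAGE = b"\x00" * 512 + b"EXAMPLE-PARTITION-DATA" + b"\xff" * 512


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest; for a real image you would stream the file in chunks."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    """One documented handling of the evidence: who, when, what, and the image
    hash observed at that moment. Entries are hash-linked so that deleting or
    editing one is detectable when the ledger is verified."""
    timestamp: str
    handler: str
    action: str
    image_hash: str
    prev_entry_hash: str
    entry_hash: str = ""

    def compute_hash(self) -> str:
        body = asdict(self)
        body.pop("entry_hash")  # the entry's own hash is not part of its input
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return sha256_hex(canonical.encode())


class CustodyLedger:
    """Hypothetical chain-of-custody ledger (an assumption of this example)."""
    GENESIS = "0" * 64  # link value used by the first entry

    def __init__(self, original_image_hash: str):
        self.original_image_hash = original_image_hash
        self.entries: list[CustodyEntry] = []

    def record(self, handler: str, action: str, image: bytes,
               timestamp: str = "") -> CustodyEntry:
        """Document one handling; the image hash is recomputed at every step."""
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        entry = CustodyEntry(ts, handler, action, sha256_hex(image), prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self) -> list[str]:
        """Return the problems found; an empty list means the ledger is
        internally consistent and every handling saw an unmodified image."""
        problems = []
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e.prev_entry_hash != prev:
                problems.append(f"entry {i}: link to previous entry is broken")
            if e.entry_hash != e.compute_hash():
                problems.append(f"entry {i}: entry contents were altered")
            if e.image_hash != self.original_image_hash:
                problems.append(f"entry {i}: image hash differs from original acquisition")
            prev = e.entry_hash
        return problems


def build_sample_ledger() -> CustodyLedger:
    """Constructed sequence of handlings with fixed timestamps for reproducibility."""
    ledger = CustodyLedger(sha256_hex(SAMPLE_IMAGE))
    ledger.record("first responder", "acquired image on site",
                  SAMPLE_IMAGE, "2024-01-10T09:15:00+00:00")
    ledger.record("evidence custodian", "received and stored in locked cabinet",
                  SAMPLE_IMAGE, "2024-01-10T14:40:00+00:00")
    ledger.record("forensic analyst", "mounted read-only for analysis",
                  SAMPLE_IMAGE, "2024-01-12T08:05:00+00:00")
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("intact ledger problems:", ledger.verify())
    # Simulate a handling performed on a modified copy of the image.
    ledger.record("forensic analyst", "re-exported image",
                  SAMPLE_IMAGE + b"\x00", "2024-01-13T10:00:00+00:00")
    print("after a modified image:", ledger.verify())
```

Three failure modes are distinguished on purpose: an entry whose fields were edited after the fact, an entry whose hash was recomputed to hide such an edit (which then breaks the link from the following entry), and a handling during which the working copy no longer matched the original acquisition. Each corresponds to a different answer to the defence lawyer's question, and only an empty problem list lets you say the evidence and its record are intact.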
The ecosystem around ISO 27043
ISO 27043 is deliberately a high-level framework standard. It defines the overall architecture, not execution details. For that, it relies on a family of complementary standards.
ISO/IEC 27035 (information security incident management) is the natural entry point to ISO 27043. It structures incident response in three parts: principles, guidance for planning and preparation, guidance for response. When your ISO 27035 process signals that an incident requires investigation, you move into ISO 27043 territory.
ISO/IEC 27037 (identification, collection, acquisition, and preservation of digital evidence) is the operational standard for your field team. It specifies how to proceed with different types of equipment and media (computers, mobile devices, networks, cloud environments). This is the standard your forensic technicians use daily during the acquisition phase.
ISO/IEC 27041 (assurance for investigation methods) ensures that methods and tools used during the investigation are appropriate and can be demonstrated as such. It is directly linked to the admissibility of evidence before a court or arbitrator.
ISO/IEC 27042 (analysis and interpretation of digital evidence) covers the analysis phase in detail. Where ISO 27043 says “analyze evidence and interpret results,” ISO 27042 explains the methods to do so rigorously and repeatably.
ISO/IEC 30121 (governance of digital forensic risk framework) is the standard I recommend CISOs present to their board of directors. It addresses governance bodies specifically and guides them in the organization’s strategic preparation for digital investigations. It answers the question “What does it take, in resources and decisions, to prepare properly?”
ISO/IEC 27040 (storage security) applies to secure preservation of evidence during and after the investigation, and to compliant destruction of data at case closure.
In summary: ISO 27043 tells you what to do and in what order. The satellite standards tell you how to do it for each specific phase. They do not replace each other; they complement each other.
Who should champion ISO 27043 in your organization?
The standard touches several functions: information security (CISO), legal (DPO or legal counsel), IT operations, and ultimately management. In practice, the CISO often leads adoption of the framework, with legal support for admissibility and authorization aspects.
What I recommend: name a digital investigation lead before you need one. Define who makes decisions in the first hours of an incident (system isolation, evidence collection, external communication). These decisions are not made well under pressure if they have never been planned.
When to refer to it
During a security incident with legal or contractual implications. As soon as there is a possibility of litigation, insurance claim, or regulatory complaint, the investigation must follow a structured, repeatable framework. ISO 27043 is that framework. It is not a suggestion.
When you engage an external provider for a forensic investigation. How do you assess whether their methods are adequate? By verifying they comply with ISO 27043 and ISO 27041 principles. Ask them explicitly. A serious provider will know these standards and can explain how their processes align.
Within your ISO 27001 certification. Clauses 5.24 through 5.28 of ISO 27001:2022 cover information security incident management. ISO 27043 naturally complements ISO 27035 for the investigation component and demonstrates a higher maturity level during a certification audit.
When a confidentiality breach is subject to Bill 25 or GDPR. A structured investigation is often required to understand the extent of a breach and demonstrate your diligence to regulatory authorities (Quebec’s Commission d’accès à l’information, France’s CNIL). The documentation you produce will be scrutinized. A framework like ISO 27043 demonstrates you followed a recognized process.
To assess your current level of preparedness. ISO 27043’s Readiness processes are an excellent self-assessment framework. Here are concrete questions: Have you identified your potential sources of digital evidence? Do your systems generate the event logs you would need? What is your retention policy for those logs? Do your teams know what to do in the first 30 minutes of an incident? If you do not have clear answers, you are not ready.
What you should remember
ISO/IEC 27043 is not a standard for forensic investigators only. It is a standard for everyone who must supervise, oversee, or evaluate a digital investigation: CISO, DPO, risk managers, SMB leaders.
The standard dates from 2015 and has not been revised since. The digital landscape has evolved (cloud, connected objects, artificial intelligence). But its fundamental principles — repeatability, chain of custody, systematic documentation, authorization for every action — remain as valid as on day one. They are principles, not technical recipes.
The enemy of security is complexity. A structured framework like ISO 27043 does not add complexity; it eliminates it by providing a logical order of operations that everyone understands.
If you have never reviewed your digital investigation preparedness programme, that is where I encourage you to start. Not after the incident.
Sources
- ISO/IEC 27043:2015, Information technology — Security techniques — Incident investigation principles and processes: https://www.iso.org/standard/44407.html
- ISO/IEC 27037:2012, Guidelines for identification, collection, acquisition and preservation of digital evidence: https://www.iso.org/standard/44381.html
- ISO/IEC 27035 (all parts), Information security incident management: https://www.iso.org/standard/78973.html
- ISO/IEC 30121:2014, Governance of digital forensic risk framework: https://www.iso.org/standard/53241.html