ISO IEC 27037-2012 PDF

St ISO IEC 27037-2012

Name in English:
St ISO IEC 27037-2012

Name in Russian:
St ISO IEC 27037-2012

Description in English:

Original standard ISO IEC 27037-2012, full version in PDF. Additional information and a preview are available on request.

Description in Russian:
Original standard ISO IEC 27037-2012, full version in PDF. Additional information and a preview are available on request.

Document status:
Active

Format:
Electronic (PDF)

Delivery time (for English version):
1 business day

Delivery time (for Russian version):
365 business days

SKU:
stiso26004

Choose Document Language:
€25

Full title and description

ISO/IEC 27037:2012 — Information technology — Security techniques — Guidelines for identification, collection, acquisition and preservation of digital evidence. Provides practical guidance for the handling of potential digital evidence (identification, collection, acquisition and preservation) across a range of devices and networked environments to support investigations and the exchange of evidential material between jurisdictions.

Abstract

ISO/IEC 27037:2012 gives guidance on common activities and good practice when dealing with digital evidence so that evidential value is preserved and documented. The standard covers identification of potential digital evidence, appropriate collection and acquisition techniques, preservation of state and integrity, and documentation required to support forensic and legal processes. It is intended as guidance (not a prescriptive or certification standard) to help organisations, technical staff, investigators and legal stakeholders manage digital evidence consistently and defensibly.

General information

  • Status: Published (first edition).
  • Publication date: 15 October 2012 (Edition 1, 2012).
  • Publisher: ISO/IEC (ISO and IEC, developed by ISO/IEC JTC 1/SC 27).
  • ICS / categories: 35.030 (Information security and related technologies).
  • Edition / version: 1 (2012).
  • Number of pages: 38 pages.

Scope

This International Standard provides guidelines for the identification, collection, acquisition and preservation of digital evidence that may be of evidential value. It applies to a wide range of devices and environments including standard computer storage media (hard drives, optical media), mobile phones and PDAs, memory cards, navigation systems, digital still and video cameras (including CCTV), networked computers and TCP/IP-based networks, and similar devices. The scope is limited to preparatory, handling and preservation activities and does not prescribe detailed analytical techniques.

Key topics and requirements

  • Principles for identifying potential digital evidence at a scene or within an organisation.
  • Recommended procedures for collection and acquisition to avoid alteration or loss of evidence.
  • Preservation techniques to maintain integrity (including imaging, write-blocking and secure storage).
  • Chain of custody and documentation: recording who, what, when, where and how evidence was handled.
  • Considerations for various device types (mobile, removable media, cameras, networked systems).
  • Roles and responsibilities for persons handling digital evidence and interaction with legal/disciplinary processes.
  • Guidance on cross-jurisdictional exchange and admissibility considerations (procedural, not legal advice).
  • Emphasis on guidance and good practice rather than prescriptive technical specifications.

Typical use and users

Used by digital forensics practitioners, incident response teams, IT security staff, internal investigators, law enforcement, legal counsel and compliance officers. Also referenced by organisations establishing internal procedures for evidence handling, by accreditation bodies when assessing forensic practice, and by trainers developing forensic procedure documentation.

Related standards

ISO/IEC 27037 sits within the ISO/IEC 27000 family and is commonly used alongside other investigative guidance documents from the same series, notably ISO/IEC 27041 (guidance on assuring suitability and adequacy of investigative methods), ISO/IEC 27042 (guidelines for analysis and interpretation of digital evidence) and ISO/IEC 27043 (incident investigation principles and processes). It is also often considered in conjunction with organisational information security management standards such as ISO/IEC 27001 and ISO/IEC 27002 and with regional/national forensic guidance and best-practice documents.

Keywords

digital evidence, electronic evidence, digital forensics, identification, collection, acquisition, preservation, chain of custody, incident response, evidence handling, ISO/IEC 27037.

FAQ

Q: What is this standard?

A: ISO/IEC 27037:2012 provides guidance on identifying, collecting, acquiring and preserving digital evidence so that its integrity and evidential value are maintained for investigations and legal processes.

Q: What does it cover?

A: It covers principles and recommended practices for handling potential digital evidence across a variety of devices and networked environments, documentation and chain-of-custody considerations, and roles/responsibilities for evidence handlers. It provides guidance rather than prescriptive technical methods.

Q: Who typically uses it?

A: Digital forensic examiners, IT incident responders, security operations teams, internal investigators, law enforcement, legal and compliance professionals, and organisations creating or validating forensic handling procedures.

Q: Is it current or superseded?

A: The document is the first edition published on 15 October 2012 and is the published international standard. It has been subject to ISO periodic review (for example confirmed in 2018) and reviewed again in later systematic reviews; users should check national adoption notes or ISO updates for any revision activities. As of the original publication there is no later ISO/IEC edition that replaces the 2012 text.

Q: Is it part of a series?

A: Yes — it is part of the ISO/IEC 27000 family addressing information security techniques and is closely related to investigative guidance standards ISO/IEC 27041, ISO/IEC 27042 and ISO/IEC 27043.

Q: What are the key keywords?

A: Digital evidence, electronic evidence, forensics, identification, collection, acquisition, preservation, chain of custody, incident response.