Regulations and standards for the digital forensic field (II of III)

Juan Antonio Calles


Today we continue the series Regulations and standards for the digital forensic field, which began last Monday with its first instalment, available at the following link:

https://www.flu-project.com/2025/06/normativas-estandares-forense-1-de-3.html


ISO/IEC 27043: Guidelines for conducting forensic investigations

ISO/IEC 27043 defines a comprehensive methodological framework for conducting digital investigations. Unlike 27037, which focuses on evidence acquisition, this standard covers the entire investigative process, from planning and incident detection to presenting conclusions. It is especially useful for structuring a formal response plan in cases of cyber incidents requiring technical expertise.

The added value of this standard lies in its orientation to the investigation lifecycle, allowing a systemic approach based on well-defined phases, techniques, and objectives. Additionally, it promotes coherence among different disciplines (cybersecurity, legal, audit) by using common terminology that improves communication and traceability among stakeholders.


ISO/IEC 20000-1: IT Service Management

Although more associated with IT service management than security per se, the ISO/IEC 20000-1 standard is relevant when analyzing incidents linked to technology service providers. This standard sets requirements to ensure that services provided align with quality, availability, and incident response needs, including those of a forensic nature.

The investigator can use it as a framework to analyze the Service Level Agreements (SLAs) in effect at the time of the incident and determine whether the provider's performance was within expectations. Likewise, it allows examining how previous incidents were managed, which can offer clues about possible negligence or unresolved failure patterns.


ISO 22301: Business Continuity Management

ISO 22301 defines the principles for establishing a business continuity management system (BCMS), including preparation and recovery from disruptive events. In environments where a cybersecurity incident has affected the availability of critical services, this standard can help assess whether the organization had adequate contingency plans.

From a forensic point of view, 22301 can serve as a reference to analyze whether the recovery procedures applied after the incident respected the principles of evidence integrity or, on the contrary, if actions were taken that destroyed key data. It can also guide the evaluation of continuity evidence prior to the incident.


ISO/IEC 25000: Software Quality

The ISO/IEC 25000 family, known as SQuaRE, establishes criteria for software quality evaluation. In investigations related to security failures in applications, this standard allows the expert to determine whether the product involved met minimum metrics of security, maintainability, traceability, or robustness.

Software quality analysis can be decisive in investigations of vulnerability exploitation, especially in environments with internal developments or legacy systems. The standard facilitates the construction of solid technical arguments regarding the responsibility of the manufacturer or developer, based on objective standards.


ISO/IEC 38500: IT Governance

The ISO/IEC 38500 standard establishes principles for corporate governance of information technologies. Although it is not a technical security or forensic standard, its value lies in allowing analysis of the level of senior management involvement in technological risk management. This can be relevant in expert assessments seeking to establish responsibilities at the organizational level.

The forensic expert can refer to this standard when needing to assess whether strategic decisions in IT have been aligned with principles of responsibility, strategy, and performance. Its application is especially useful in large-scale expert audits or when analyzing structural failures in the IT management systems of the evaluated entity.


UNE 197001: Criteria for judicial expert reports

The UNE 197001 standard provides a national reference framework for the preparation of expert reports and opinions to be presented before judicial bodies. Its application is essential in digital forensic investigations that require a legally valid format. It establishes criteria on formal structure, technical language, clarity of exposition, source traceability, expert identification, methodology used, and well-founded conclusions.

The practical value of this standard lies in allowing the digital expert to build a solid, technically rigorous, and legally defensible document. In the context of email analysis, for example, it facilitates the clear and orderly presentation of evidence such as technical headers, metadata, network traces, or correlation with system logs. Alignment with UNE 197001 significantly improves the acceptance of the report by judges, lawyers, and other parties involved.


The next post in the series will address other standards related to this field such as UNE-EN 16775.
