ISO/IEC 27050 Information technology – Security techniques – Electronic discovery


What is ISO 27050?

ISO/IEC 27050 specifies standards and guidelines for electronic discovery activities, such as identifying, preserving, collecting, processing, reviewing, analysing, and producing electronically stored information (ESI).

Additionally, ISO/IEC 27050 outlines pertinent steps spanning the ESI’s lifecycle, from initial conception to ultimate disposal. ISO/IEC 27050 is applicable to all non-technical and technical personnel who are interested in any or all aspects of electronic discovery.

It is important to remember that the standards and guidelines are not meant to negate or invalidate applicable local jurisdictional laws and regulations, and the user is required to practise due diligence to ensure consistency with applicable jurisdictional requirements.

What is the purpose of ISO 27050?

The ISO 27050 standards were created with the aim of promoting best practices in forensic capture and investigation of digital discovery.

Although individual investigators, organisations, and jurisdictions may well use these techniques, processes, and controls in accordance with local laws, regulations, and accepted practices, it is hoped that standardisation will eventually lead to the implementation of similar, if not identical, solutions globally. This will make it easier to compare, combine, and contrast the results of those investigations.


What is Electronic Discovery?

Electronic discovery (sometimes called e-discovery or ediscovery) is the process of identifying, gathering and producing electronically stored information (ESI) in response to a request for production in a lawsuit or investigation.  Documents, emails, databases, presentations, voicemail, audio and video recordings, social media, and web pages are all examples of ESI.

Due to the sheer amount of electronic data generated and processed, the processes and technology associated with e-discovery are often complicated. Furthermore, electronic documents, unlike hardcopy documents, are more dynamic and often include metadata such as time and date stamps, author and receiver information, and file properties.

Preserving the original material and metadata for electronically stored documents is necessary to avoid subsequent accusations of material falsification or manipulation. Hacking for the purpose of collecting vital evidence on a court-ordered or government-sanctioned basis is often a form of e-discovery.

What is Electronically Stored Information (ESI)?

Electronically Stored Information (ESI) is a term you hear often during litigation involving the collection of emails. ESI is defined as any data, records or information that is created, modified, stored electronically or magnetically, and saved on electronic media such as hard drives/devices.

ESI covers the basics of email communication as well as many other types of documents (servers, social media platforms and cloud storage).

If you’re involved in a lawsuit then ESI plays an important role in identifying the key parties to a lawsuit and in documenting the discovery process.



What is the scope of ISO 27050? (Electronic Discovery Process)

The following are the primary stages or processes involved in electronic discovery (eDiscovery):


Identification

The electronically stored information (ESI) that may be important to a case is established, along with its locations, custodians, sizes/volumes, and other characteristics.

This may be more complicated than it sounds, as it can affect not only the participants’ personal records but also those of their families and relatives. The identification can also affect organisations such as telecommunications firms and providers of services such as email and Internet access (ISPs), as well as social media.

This process is often time-sensitive, as information (particularly ephemeral operational data) can be ruined or lost prior to being collected and stored.


Preservation

Legal holds are placed on the identified relevant ESI, initiating the formalised forensic process intended to guarantee, beyond doubt, that these items are safe through the remaining stages against the following threats: loss/theft, accidental damage, intentional manipulation, replacement/substitution.

These are events that are likely to damage, discredit, and devalue the ESI, perhaps resulting in its being ruled inadmissible or simply useless.

Legal holds are basically rules that keep the custodian from tampering with or erasing electronic documents.

Custodians who fail to comply may face sanctions.

Even if the court rules that the failure to preserve was the result of negligence, it still has the power to fine the defendant if the inability to preserve the data significantly compromises the defence.


Collection

The ESI is usually collected from the original custodian by physically retrieving the original portable storage media, such as memory devices, hard drives, CDs, DVDs, etc., and perhaps related physical evidence that may include fingerprints or DNA evidence tying a suspect to a crime.

In the case of the Internet, cloud, or other distributed and ephemeral data, such as RAM on a running system, it may be impractical or difficult to protect the data through physical media capture, and therefore the data must be collected directly in a manner that is forensically appropriate.

Certain businesses that deal with a high volume of lawsuits have software in place to automatically place legal holds on specific custodians in response to a trigger case (such as a legal notice) and initiate the collection process immediately. Some businesses may need the assistance of a digital forensics specialist to avoid data spoliation.


Processing

Native files are prepared for loading into a document review portal during the processing phase. This process often includes the extraction of text and metadata from the original files. Various data culling procedures, such as deduplication and de-NISTing, are used during this process. At this point, native files are often converted to formats like PDF or TIFF to facilitate redaction and Bates-labelling.

Modern processing software may also use sophisticated analytic tools to assist document review lawyers in identifying potentially important documents with greater accuracy.
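The culling step described above, sketched as an added example (not code from this page or from ISO/IEC 27050). It assumes `known_hashes` is a reference set of known software file hashes, such as the NIST National Software Reference Library that de-NISTing is named after; all names and sample items are hypothetical and constructed.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Item:
    custodian: str
    path: str
    content: bytes
    sha256: str = field(init=False)

    def __post_init__(self):
        # Hash the native bytes once at intake; every culling decision uses it.
        self.sha256 = hashlib.sha256(self.content).hexdigest()


def cull(items, known_hashes):
    """De-NIST, then deduplicate globally across custodians.

    Returns (review_set, audit_log). Nothing is silently dropped: every
    culled item gets an audit row with the reason, so the cull is defensible.
    """
    review, audit, first_seen = [], [], {}
    for it in items:
        if it.sha256 in known_hashes:
            reason = "de-NIST: known system/application file"
        elif it.sha256 in first_seen:
            kept = first_seen[it.sha256]
            reason = f"duplicate of {kept.custodian}:{kept.path}"
        else:
            first_seen[it.sha256] = it
            review.append(it)
            continue
        audit.append((it.custodian, it.path, it.sha256, reason))
    return review, audit


# Constructed sample data (not real evidence or a real reference list).
SYSTEM_FILE = b"constructed stand-in for an operating-system binary"
KNOWN = {hashlib.sha256(SYSTEM_FILE).hexdigest()}
COLLECTED = [
    Item("alice", "C:/Windows/System32/example.dll", SYSTEM_FILE),
    Item("alice", "Mail/contract-v2.docx", b"constructed contract text"),
    Item("bob", "Downloads/contract-v2 (1).docx", b"constructed contract text"),
    Item("bob", "Notes/meeting.txt", b"constructed meeting notes"),
]

if __name__ == "__main__":
    review, audit = cull(COLLECTED, KNOWN)
    for it in review:
        print("REVIEW", it.custodian, it.path)
    for row in audit:
        print("CULLED", *row)
```

Because the duplicate's custodian and path are kept in the audit log, the fact that a second custodian held the same document is not lost when the copy is removed from the review set.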


Review

The electronically stored information is searched or analysed for case-relevant information. Various activities associated with this process can be facilitated by various document review platforms, including the quick identification of potentially relevant documents and the culling of documents based on various criteria (such as keyword, date range, etc.).

Additionally, the majority of review tools make it simple for large numbers of document review attorneys to collaborate on cases, utilising collaborative tools and batch processing to expedite the review process and minimise duplication of effort.


Analysis

The material is further analysed and evaluated as to its importance, suitability, significance, consequences, etc.


Production

The court receives the relevant material from the analysis, as well as the original storage medium and other documentation. This invariably entails presenting and describing the significance of the facts in ways that the court understands. A load file is often included with this production and is used to load documents onto a document review portal. Documents may be presented as native files or PDF and TIFF with metadata.


  1. ISO/IEC 27037

    ISO 27037 focuses on the actual collection and storage of potential digital evidence and has nothing else to do with further processing of the evidence, such as its review, presentation, and disposal.

    Individuals who handle digital data should be able to recognise and mitigate threats associated with dealing with this kind of evidence in order to protect it from being degraded and rendered worthless. ISO 27037 establishes the standards that this person can follow in order to safeguard the integrity and authenticity of digital evidence.

  2. ISO/IEC 27041

    ISO 27041 establishes guidelines for ensuring the suitability of procedures and protocols used in the analysis of information security activities. It embodies best practices for identifying requirements, outlining procedures, and demonstrating that these practices meet the standard’s requirements. ISO 27041 provides instructions on the collection and review of data for an evaluation of an information security (IS) incident.

  3. ISO/IEC 27042

    The ISO 27042 standard, which is part of the ISO/IEC 27000 family of standards and was published in 2015, establishes a framework for electronic evidence and its subsequent interpretation. It determines how a specialist would approach the study and eventual understanding of a particular form of digital proof in a given situation. ISO 27042 clearly defines a set of best practices for the collection, design, and implementation of digital evidence.

  4. ISO/IEC 27043

    To make digital evidence from a digital forensic investigation admissible, a formalised and, preferably, a standardised procedure must be followed. This is the objective of ISO 27043. The digital forensic investigation process is governed by ISO 27043. It establishes a series of procedures for investigators to follow in order to preserve the integrity of digital data obtained by e-discovery.

  5. BS 10008:2008

    BS 10008 is a British Standard that defines best practices for the implementation of electronic information management systems, including information storage and transfer. It is intended to assist you in verifying and authenticating all of your records in order to prevent the ethical pitfalls associated with data collection. BS 10008 specifies best practices for electronically exchanging data between applications and migrating paper documents to digital files. Additionally, it establishes rules for handling the availability and accessibility of any documents that could be requested as testimony in court.

ISO 27050 Part 2: Guidance for governance and management of electronic discovery

The ISO 27050-2 standard provides guidelines associated with the electronic discovery processes framework described in ISO 27050-1. It was published in 2018.  ISO 27050-2 establishes a framework for electronic discovery for technical and non-technical senior management staff in an organisation. This covers those accountable for adhering to statutory and regulatory provisions, as well as industry practices.

It provides a best practice framework for forensic work, which describes the structure and controls that should govern all parts of forensic work within a controlled, repeatable and trusted environment.

ISO 27050-2 outlines how e-forensic staff can identify risks associated with electronic discovery, establish policies, and ensure compliance with applicable external and internal standards.

Additionally, it addresses how to establish those policies in a way that they can be used to inform process control, and it offers guidelines on how to execute and manage electronic discovery in line with the policies.

ISO 27050 Part 3: Code of practice for electronic discovery

The ISO 27050-3 standard provides guidelines associated with the electronic discovery processes framework described in ISO 27050-1. It was published in 2020 and outlines a comprehensive approach to electronic discovery, and offers useful insight into some of the technical advantages and threats that litigation counsel should be mindful of.

ISO 27050-3 provides a set of guidelines that an organisation can use to evaluate its operations, and ensure its competencies are correct, as regards e-discovery.  The standard is a unique resource since it was developed under the direction of legal and information technology security professionals with direct input from legal practitioners, judges, e-discovery professionals, and bar associations.

ISO 27050-3 possesses international recognition and can serve as a shared set of guidelines for those interested in or mediating discovery.  Plus, the fact that the ISO’s code is a global commodity may increase its adoption in instances where the discovery process spans national boundaries and crosses regions.

ISO 27050-3 articulates the goals and outlines the criteria required to allow successful processes and outcomes for each step of the e-discovery process, from preservation to production, by outlining a list of general standards to adopt without exactly defining how they are to be applied.

Notably, ISO 27050-3 highlights the considerations to acknowledge in order to prevent mistakes during each process, alerting practitioners to common pitfalls that can derail an otherwise serious e-discovery attempt.

ISO 27050 Part 4: Technical readiness

Technical readiness is described formally as the “state of possessing the necessary expertise, skills, procedures, and technology to resolve a particular problem or issue.”

It entails possessing the necessary expertise, abilities, procedures, and technology to solve a specific problem or obstacle. This does not mean that an organisation is all-knowing and capable of doing it all; rather, it means that it is fit for purpose and prepared for the mission at hand, including any contingency that might arise.

Technical readiness, as it affects eDiscovery, refers to an organisation achieving the required degree of competence in order to recognise, maintain, collect, process, evaluate, analyse, and deliver ESI. Additionally, it is critical that ESI is secure and structured efficiently so that it can be used effectively.

ISO 27050-4 focuses on an organisation’s operational readiness to implement e-discovery. It encompasses the forensic instruments and systems that facilitate the collection, storage, compilation, scan, review, and production of ESI, as well as the associated processes needed for eDiscovery.

Implementing eDiscovery Standard

The significance of eDiscovery cannot be overstated: it is a key catalyst for archiving frameworks and has important consequences for how organisations preserve, store, and maintain their electronic information. Failure to handle eDiscovery properly may have serious consequences.

At, we leverage our expertise and cutting-edge technology to provide a cloud-based platform that enables you to demonstrate compliance with the eDiscovery standard. We base our electronic exploration projects on the Electronic Discovery Reference Model (EDRM).

Our platform can assist you in determining the optimal combination between in-house and outsourced resources for your eDiscovery process and can guide you at each point.

If you use the Electronic Discovery Reference Model (EDRM) or a comparable model, our system can assist you in allocating internal and external resources by combining the desired process with an appropriate technological solution.
