Cyber Incident Legal Hold for GDPR, NIS2 and DORA
At 4:17 AM, Maria, the CISO of a fintech SaaS provider, received the call every security leader prepares for and still hopes never comes. Critical production servers were unresponsive. Files were encrypted. A ransom note was open on a junior administrator’s screen.
By 4:28, the incident response team wanted to isolate affected systems and redeploy clean infrastructure. By 4:41, engineering asked whether they could rotate credentials, purge temporary files and rebuild containers. By 5:03, the DPO warned that the compromised environment contained customer identifiers and transaction metadata. By 5:16, legal counsel joined the crisis bridge with one instruction: “Do not destroy potential evidence. We may need a legal hold.” By 5:30, the COO asked whether DORA reporting obligations were triggered. By 6:00, Maria remembered the NIS2 clock, an early warning may be due within 24 hours, a fuller notification within 72 hours, and a final report within a month.
Then came the question that decides whether a cyber incident becomes defensible or chaotic:
“Do we still have the logs?”
This is the post-incident governance problem many response plans underplay. It is not enough to detect, contain and recover. In 2026, organizations must also prove what happened, preserve relevant evidence, avoid corrupting forensic artefacts, respect GDPR data minimization, support NIS2 supervision and maintain DORA ICT risk records that can withstand audit, litigation and regulatory review.
Cyber incident legal hold and evidence retention sit at the collision point of security operations, privacy, legal, compliance, cloud engineering, supplier management and audit. If the process is improvised during a breach, the organization can lose the evidence needed for root cause analysis, regulator reporting, insurance claims, litigation defence, employee discipline and customer assurance. If it is overdone, the organization may retain excessive personal data and create a second compliance problem.
Clarysec’s approach is to make legal hold a controlled ISMS process, not a panic reaction. The model connects ISO/IEC 27001:2022 governance, ISO/IEC 27002:2022 evidence and logging controls, GDPR accountability, NIS2 incident reporting and DORA ICT risk evidence into one operating system. That system tells teams what to preserve, who can authorize preservation, how long evidence stays under hold, who may access it and when deletion can resume.
The first 24 hours decide whether the evidence survives
In many real incidents, evidence is not destroyed by attackers. It is destroyed by normal operations.
A cloud log retention period expires. A container is redeployed. An endpoint is reimaged before memory is captured. A SaaS administrator exports a CSV for investigation, then edits the file. A well-meaning engineer deletes malicious scripts before taking a forensic copy. A data warehouse retention job removes the records needed to determine which customers were affected.
The organization may still recover operationally, but it loses proof. That distinction matters.
Under GDPR, a controller must be able to demonstrate compliance with the data protection principles, including integrity and confidentiality, purpose limitation, data minimization and storage limitation. If a personal data breach is likely to result in a risk to individuals, Article 33 may require notification to the supervisory authority without undue delay and, where feasible, within 72 hours of awareness. If the breach is likely to result in a high risk to individuals, Article 34 may require communication to affected data subjects.
Under NIS2, essential and important entities must manage significant incidents through staged reporting and supervision. Under DORA, financial entities must record ICT-related incidents, classify major incidents, report them, perform root cause analysis and preserve evidence across ICT assets, business functions and third-party dependencies.
ISO/IEC 27001:2022 gives the management system structure for this. Clause 4.2 requires an organization to determine the needs and expectations of interested parties, including legal, regulatory and contractual requirements relevant to information security. Clause 4.3 requires the ISMS scope to consider interfaces and dependencies, which is critical when evidence sits inside a cloud provider, managed security provider, payment platform or outsourced helpdesk. Clause 6.1 links these obligations to information security risks and treatment. Clause 7.5 requires controlled documented information. Clause 8 requires operational planning and control.
Clarysec’s Zenith Blueprint: An Auditor’s 30-Step Roadmap explains why this must be designed before the incident, not during it. In the Controls in Action phase, Step 23, the guidance for ISO/IEC 27002:2022 control 5.28 states:
“When an information security incident occurs, one of the most critical, yet often overlooked, elements of response is evidence. Not logs, not screenshots, not loose narratives, but properly preserved, chain-of-custody-respecting, tamper-resistant evidence.”
The same Step 23 adds that “what you can prove matters just as much as what actually happened.” That sentence is the difference between incident response and defensible incident response. A regulator, customer auditor, court, insurer or supervisory authority will not accept a verbal reconstruction if the organization cannot show preserved logs, reliable timestamps, controlled records and a documented chain of custody.
Legal hold is not “keep everything forever”
A cyber incident legal hold is a formal suspension of normal deletion or disposal for defined records, logs, backups, images, communications and other evidence that may be relevant to an investigation, litigation, regulatory inquiry, audit or contractual dispute.
The most common failure is treating legal hold as a blanket instruction: “Do not delete anything.” That creates privacy, cost and operational risk. GDPR does not disappear during a cyber incident. Personal data must still be processed lawfully, fairly and transparently, for specified purposes, limited to what is necessary and retained only as long as necessary. Article 5(2) adds accountability, meaning the organization must be able to demonstrate those decisions.
This is where Clarysec’s policy library becomes practical. The SME Data Retention Policy and Secure Disposal Policy-sme states:
“Legal Hold and Deletion Suspension overrides standard retention requirements and prevents data deletion.”
For larger organizations, the Enterprise Data Retention and Disposal Policy, Clause 6.4.1, says:
“If a legal hold and deletion suspension is issued (e.g., pending litigation, investigation, or audit), data otherwise subject to destruction must be preserved beyond its normal retention period.”
The same Enterprise policy requires the hold to be:
“Documented and approved by Legal Counsel and the Data Protection Officer (DPO)”
That approval model is not bureaucracy. It is the balancing mechanism between evidentiary preservation and privacy restraint. Legal counsel confirms the litigation, investigation or regulatory basis. The DPO confirms that the scope, purpose, personal data categories, access controls and retention extension remain proportionate.
For SMEs without a full legal department or DPO function, the same decision logic can be performed by a vCISO, privacy owner, managing director and external counsel, as long as the authorization is documented, time-bounded and reviewed.
The compliance tension every CISO must resolve
After a serious incident, different stakeholders ask for different evidence. Legal wants preservation. Privacy wants minimization. Regulators want facts. Operations wants restoration. Customers want assurance. Auditors want objective evidence.
| Regulation or need | Key demand on evidence | Retention implication |
|---|---|---|
| NIS2 | Prove impact, severity and suspected cause for staged incident reporting | Preserve alerts, indicators of compromise, service impact data, operational disruption records and decision logs |
| DORA | Support incident classification, reporting, client impact analysis and root cause review | Retain technical artefacts, ICT asset evidence, management briefings, supplier communications and remediation records |
| GDPR | Demonstrate purpose limitation, data minimization, storage limitation and security of processing | Justify personal data retention, restrict access and delete or anonymize evidence when the hold is released |
| Litigation | Present defensible, untampered evidence with a clear chain of custody | Freeze relevant data under a formal hold and maintain acquisition, access and transfer records |
| Customer contracts | Prove notification, service impact, remediation and cooperation obligations | Preserve customer communications, SLA analysis, incident reports and contractual response records |
Trying to manage these demands through separate privacy, legal, SOC and audit workflows is a recipe for contradiction. A unified ISO/IEC 27001:2022 ISMS makes them part of one risk, control and evidence process.
The control stack for defensible evidence retention
Cyber incident legal hold is not one ISO/IEC 27002:2022 control. It is a control relationship.
Clarysec’s Zenith Controls: The Cross-Compliance Guide maps ISO/IEC 27002:2022 control 5.28, Collection of evidence, as a corrective control supporting confidentiality, integrity and availability. It sits within Detect and Respond cybersecurity concepts and the information security event management operational capability.
The same Zenith Controls guide connects 5.28 to response to information security incidents, logging and monitoring, records protection and event reporting. The logic is practical: incident responders need logs and artefacts before remediation changes the scene, regulatory reporters need reliable facts, and investigators need evidence that has not been altered.
ISO/IEC 27002:2022 control 5.33, Protection of records, is equally important. It supports legal and compliance requirements, asset management and information protection. It ties records protection to classification, backups, secure disposal, legal and contractual requirements, access control and incident response. In practice, a legal hold must not only capture evidence. It must protect the integrity, confidentiality and availability of the evidence record itself.
For logging, ISO/IEC 27002:2022 control 8.15, Logging, is the foundation. It connects to 8.16, Monitoring activities, and 8.17, Clock synchronization. If logs are incomplete, editable by administrators, not time synchronized or retained for too short a period, the evidence process may fail before the investigation starts.
| Evidence need | ISO/IEC 27002:2022 control relationship | Why it matters after a breach |
|---|---|---|
| Preserve artefacts before remediation | 5.28 Collection of evidence tied to 5.26 Response to information security incidents | Prevents responders from destroying proof while containing the incident |
| Protect investigation records | 5.33 Protection of records tied to 5.31 Legal, statutory, regulatory and contractual requirements and 5.15 Access control | Ensures evidence files, reports and approvals remain intact and restricted |
| Maintain reliable logs | 8.15 Logging tied to 8.16 Monitoring activities and 8.17 Clock synchronization | Supports event timelines, attribution, impact analysis and regulatory reporting |
| Balance privacy | 5.34 Privacy and protection of PII tied to logging and records protection | Prevents excessive retention or uncontrolled disclosure of personal data |
| Recover evidence availability | 8.13 Information backup tied to records protection | Helps restore records and logs if systems are corrupted, encrypted or deleted |
| Improve after the incident | 5.27 Learning from information security incidents tied to corrective action | Converts lessons learned into risk treatment, control improvement and audit evidence |
The Zenith Blueprint, Controls in Action phase, Step 19, reinforces this with practical language on logging:
“Logs that record activities, exceptions, faults, and other relevant events should be produced, stored, protected, and analyzed.”
It also warns that log protection includes restricting access and using mechanisms such as hashing or write-once storage to prevent tampering. Step 19 connects clock synchronization to forensic coherence, explaining that synchronized clocks allow logs from different systems to align for investigation.
GDPR accountability: preserve what you need, justify what you keep
GDPR creates the most visible tension in incident evidence retention. Security teams often want more data. Privacy teams want less. A defensible legal hold reconciles both.
Logs and artefacts may contain IP addresses, user IDs, email addresses, device identifiers, authentication records, support ticket text, screenshots, customer exports or special category data. Evidence preservation is therefore processing. The legal hold notice should document the lawful basis, purpose, scope, access restrictions, retention review date and disposal trigger.
Clarysec’s SME Data Protection and Privacy Policy-sme states:
“Only the minimum personal data necessary must be collected and retained”
The Enterprise Evidence Collection and Forensics Policy explicitly anchors forensic evidence handling to:
“GDPR Article 5, including purpose limitation and data minimization”
That is the operating principle. Do not preserve an entire production database if the relevant evidence is a narrow audit trail, access log, query record and affected user list. Do not give every responder access to raw evidence if pseudonymized extracts or role-based access will do. Do not keep incident artefacts indefinitely after the legal, regulatory and audit need has expired.
A good GDPR-aware legal hold record answers seven questions:
- What incident or investigation triggered the hold?
- What categories of personal data may be included?
- Why is each evidence category necessary?
- Who approved the hold and when?
- Who can access the evidence?
- When will the hold be reviewed?
- What deletion or secure disposal process resumes when the hold is released?
This is how evidence retention avoids becoming privacy over-retention.
NIS2: legal hold for staged incident reporting
For organizations in scope, NIS2 changes the evidence expectation from “useful internally” to “needed for supervision.”
NIS2 applies to many essential and important entities in the EU, including digital infrastructure providers, cloud computing service providers, data centre service providers, content delivery networks, trust service providers, electronic communications providers, managed service providers, managed security service providers and certain digital providers such as online marketplaces, online search engines and social networking platforms.
Article 21 requires appropriate and proportionate technical, operational and organizational measures, including risk analysis, incident handling, business continuity, supply chain security, secure development, effectiveness assessment, training, cryptography, human resources security, access control, asset management and authentication. Article 20 makes management bodies responsible for approving and overseeing these measures.
For legal hold, the key NIS2 issue is Article 23. Significant incidents require staged reporting: early warning within 24 hours of becoming aware, incident notification within 72 hours, intermediate reports upon request and a final report not later than one month after the 72-hour notification. The final report needs a description, severity, impact, likely threat type or root cause, mitigation measures and cross-border impact where applicable.
| NIS2 reporting stage | Evidence needed | Legal hold action |
|---|---|---|
| 24-hour early warning | Initial detection time, suspected malicious activity, affected service and possible cross-border impact | Freeze SOC alerts, incident ticket, identity logs and cloud audit trails |
| 72-hour notification | Severity, impact, indicators of compromise, operational disruption and financial loss indicators | Preserve forensic exports, affected asset inventory, IOCs, business impact notes and communication records |
| Intermediate reports | Current status, containment progress and authority questions | Maintain a versioned investigation record and response decision log |
| Final report | Root cause, incident description, severity, impact, mitigation and cross-border effect | Preserve root cause evidence, remediation evidence, lessons learned and approval trail |
If the incident affects personal data, NIS2 competent authorities may cooperate with GDPR supervisory authorities. That increases the need for one evidence narrative that supports both cybersecurity supervision and privacy accountability.
DORA: ICT risk evidence goes beyond security logs
For financial entities, DORA is the sector-specific operational resilience regime. It applies from 17 January 2025 and covers ICT risk management, major ICT incident reporting, resilience testing, information sharing and ICT third-party risk management. For financial entities that are also essential or important under NIS2, DORA generally functions as the sector-specific Union legal act for ICT risk and incident reporting.
DORA is evidence-heavy by design. Article 17 requires an ICT-related incident management process. Article 18 addresses classification of ICT-related incidents and cyber threats. Article 19 covers reporting of major ICT-related incidents. Financial entities must also maintain governance and control arrangements, identify critical or important functions, document ICT assets and dependencies, and perform root cause analysis.
That means DORA legal hold must cover operational resilience evidence, not only security artefacts. After a cloud identity compromise affecting payment operations, the hold may include identity provider logs, privileged access history, cloud audit logs, SIEM alerts, endpoint images, customer transaction impact analysis, business continuity activation records, backup and recovery evidence, supplier communications, management body briefings, root cause analysis and remediation validation.
DORA also makes ICT third-party evidence unavoidable. Articles 28 to 30 require ICT third-party risk management, registers of contractual arrangements, due diligence, concentration risk assessment and written contracts with rights and obligations. For critical or important functions, contracts should support provider notice and reporting obligations, incident assistance, cooperation with authorities, access, inspection and audit rights, and exit strategies.
If your cloud provider, MSP, MSSP, payment processor or SaaS dependency holds the relevant logs, your legal hold process must already be embedded in supplier contracts. Otherwise, you may discover during a major incident that your provider’s standard retention window is shorter than your regulatory reporting lifecycle.
How Clarysec operationalizes legal hold during a SaaS breach
Consider Maria’s fintech SaaS environment. The incident may involve unauthorized access to customer identifiers, transaction metadata, administrator systems and outsourced SOC records. The company serves EU financial institutions, relies on cloud infrastructure and may face GDPR, DORA contractual obligations and NIS2 duties.
The first action is not to preserve everything. The first action is to trigger a controlled decision.
The incident commander sends a legal hold request to legal counsel, DPO or privacy lead, CISO and business owner. The request includes incident ID, date and time, affected systems, suspected data categories, initial regulatory pathways, proposed evidence categories and immediate deletion risks.
Using the Enterprise Data Retention and Disposal Policy, the hold is documented and approved by Legal Counsel and the DPO. For SMEs, the Data Retention Policy and Secure Disposal Policy-sme provides the deletion suspension rule. The authorization includes a review date aligned to investigation milestones, regulatory reporting deadlines and expected litigation or contractual dispute risk. It does not say “forever.” It says “until released by authorized decision after review.”
Next, the team freezes relevant logs and artefacts. The SME Logging and Monitoring Policy-sme states:
“Logs must be placed under legal hold and deletion suspension and protected against alteration or deletion”
The team suspends deletion for SIEM cases, identity logs, cloud audit logs, application logs, database query logs, WAF events and SOC alert metadata. Exported logs are stored in restricted evidence storage with hashing, version control and read-only permissions where appropriate.
The collection rule is simple: preserve evidence without editing originals. The SME Evidence Collection and Forensics Policy-sme states:
“A forensic copy or export must always be created; the original evidence must never be edited directly.”
Engineers can remediate, but only after required snapshots, exports or forensic copies are made, unless immediate containment is necessary to prevent ongoing harm. If emergency remediation occurs first, the reason is documented.
The same SME policy says:
“A simple chain-of-custody log (e.g., Excel file or template document) must be maintained for each incident.”
For enterprise environments, the Evidence Collection and Forensics Policy, Clause 5.6, requires:
“A chain-of-custody log shall accompany all physical or digital evidence from the time of acquisition through archival or transfer and shall document:”
In practice, the chain-of-custody log records evidence ID, description, source system, collector, acquisition method, hash value where applicable, time source, storage location, access events, transfers, analysis copies and final disposition.
Finally, the investigation record itself must be protected. The Enterprise Audit and Compliance Monitoring Policy states:
“All audit logs, findings, and remediation reports shall be retained, encrypted, and protected against tampering.”
That requirement applies to the incident timeline, decision log, legal hold notice, regulator communications, customer communications, root cause analysis and remediation evidence.
The documented information auditors will inspect
ISO/IEC 27001:2022 Clause 7.5 requires documented information needed by the ISMS and required by the standard to be controlled. The Zenith Blueprint, ISMS Foundation and Leadership phase, Step 6, translates this into practical requirements: documents should have identification, format, review, approval, version control, controlled access, integrity protection, change control, retention and disposition.
Step 6 also notes that records such as monitoring logs, audit reports and incident investigation files may be confidential and should be shared on a need-to-know basis, with editing rights limited to authorized users.
A defensible evidence pack should include:
- Legal hold notice and approval.
- Incident classification and severity decision.
- Evidence inventory.
- Chain-of-custody log.
- Log preservation confirmation.
- Forensic image or export records.
- Hash values or integrity checks where applicable.
- Access list for evidence storage.
- Regulatory reporting evidence.
- Privacy assessment and personal data impact analysis.
- Supplier evidence requests and responses.
- Root cause analysis.
- Remediation and validation evidence.
- Hold review and release decision.
The stronger the documented information control, the easier the audit.
Supplier and cloud evidence: the failure point many teams miss
The hardest evidence is often not inside your organization. It is held by a cloud provider, SaaS platform, MSSP, MSP, payment processor, identity provider or outsourced development team.
NIS2 Article 21 includes supply chain security and security aspects of relationships with direct suppliers or service providers. DORA goes further for financial entities, requiring ICT third-party registers, due diligence, concentration risk analysis and contracts with incident assistance, provider reporting, cooperation with authorities, audit rights and exit provisions for critical or important functions.
NIST Cybersecurity Framework 2.0 also treats supply chain risk as a lifecycle discipline. Its Govern Function includes supplier risk management outcomes for strategy, roles, contracts, due diligence, monitoring, incident participation and exit provisions. CSF Profiles can express target cybersecurity requirements to suppliers, which is useful when translating legal hold evidence needs into contract terms.
Supplier contracts should address:
- Security log types available to the customer.
- Default retention periods and extended retention options.
- Emergency preservation request process.
- Time to preserve evidence after customer request.
- Forensic export formats.
- Chain-of-custody support.
- Regulator cooperation.
- Subprocessor or subcontractor evidence obligations.
- Data location and transfer restrictions.
- Secure deletion after hold release.
The Zenith Blueprint, Controls in Action phase, Step 18, gives similar discipline for physical media transfer, requiring encryption, tamper-evident packaging, tracking, transport logs, media inventory and audit of the register. The same logic applies to cloud evidence transfers: preserve integrity, track custody, restrict access and confirm receipt.
How auditors and regulators will test your legal hold process
A legal hold process looks different depending on the reviewer’s mandate. Clarysec uses Zenith Controls as a cross-compliance compass so the same evidence pack can satisfy multiple lenses without duplicating work.
| Auditor lens | What the auditor will ask | Evidence Clarysec prepares |
|---|---|---|
| ISO/IEC 27001:2022 auditor | Is legal hold part of the ISMS, risk treatment, documented information and incident response process? | ISMS scope, interested-party requirements, Statement of Applicability, incident procedure, evidence policy, retention policy and controlled records |
| ISO/IEC 27002:2022 control reviewer | Are 5.28 evidence collection, 5.33 records protection and 8.15 logging implemented and connected? | Evidence inventory, chain-of-custody log, tamper protection, log retention settings, clock synchronization proof and access controls |
| GDPR auditor or DPO reviewer | Was personal data retained only where necessary and under a documented purpose and lawful basis? | Privacy assessment, data minimization rationale, access restrictions, retention review and deletion or secure disposal proof |
| NIS2 supervisory reviewer | Can the entity support 24-hour, 72-hour and final reporting with reliable facts? | Incident timeline, severity assessment, IOCs, impact evidence, cross-border analysis, management approvals and communications |
| DORA ICT risk reviewer | Are incidents recorded, classified, escalated, reported, root-caused and fed back into ICT risk management? | Incident register, classification criteria, management body reporting, root cause analysis, remediation validation and supplier evidence |
| NIST CSF 2.0 assessor | Are governance, risk, supplier, detect, respond and recover outcomes integrated into one profile? | Current and target profiles, gap plan, supplier requirements, monitoring evidence and incident lessons learned |
| COBIT 2019 or ISACA auditor | Are governance objectives, accountability, information quality, control monitoring and assurance evidence reliable? | RACI, control ownership, management review, audit trail, issue tracking, remediation closure and performance metrics |
The ISO auditor will care about conformity and objective evidence. The GDPR reviewer will care about necessity, purpose limitation and demonstrable accountability. The NIS2 reviewer will care about significant incident reporting facts and management responsibility. The DORA reviewer will care about ICT risk governance, major incident handling, third-party dependencies and lessons learned. The COBIT 2019 or ISACA-style auditor will care about governance, control design, control operation and assurance over information quality.
One evidence pack can serve all of them, if it is designed that way.
A practical cyber incident legal hold checklist for 2026
Use this checklist before the next serious incident, not during it.
| Control question | Expected answer |
|---|---|
| Who can issue a cyber incident legal hold? | Legal counsel and DPO or privacy owner approve, with CISO and incident commander initiating |
| What triggers a hold? | Suspected serious security incident, personal data breach, regulatory reporting possibility, litigation risk, law enforcement request, customer audit or contractual dispute |
| What evidence is in scope? | Logs, alerts, forensic images, snapshots, tickets, communications, impact analysis, supplier records, management decisions and remediation evidence |
| How is evidence protected? | Restricted access, encryption, tamper protection, hashing where appropriate, immutable or read-only storage and monitored access |
| How is chain of custody maintained? | Evidence register records acquisition, collector, time, method, storage, transfer, access and disposition |
| How is GDPR minimization handled? | Scope is limited to necessary evidence, personal data access is restricted, review dates are set and deletion resumes after release |
| How are suppliers included? | Contracts require evidence preservation, incident assistance, audit cooperation and retention extension on request |
| How is release handled? | Authorized review determines whether to continue, narrow or release the hold and resume secure disposal |
This checklist becomes more powerful when embedded into the ISMS risk treatment plan, supplier security requirements, incident response runbooks, logging architecture and privacy governance.
From post-breach panic to audit-ready resilience
The 4 AM call will always be stressful. It does not have to become chaos.
A mature cyber incident legal hold process gives every stakeholder a controlled path. Legal gets defensible preservation. Privacy gets minimization and review. The CISO gets evidence integrity. The DPO gets accountability. The board gets reliable facts. NIS2, DORA and GDPR reviewers get objective evidence instead of improvised explanations.
Clarysec’s 30-step methodology does not treat legal hold as a standalone legal memo. It treats it as an ISMS operating capability.
In Zenith Blueprint, Step 6 builds the documented information library, including retention and disposition rules. Step 19 strengthens logging and clock synchronization so investigations can reconstruct timelines. Step 23 operationalizes evidence collection and chain of custody. Step 18 adds media handling discipline where evidence moves physically or between parties.
In Zenith Controls, Clarysec connects the underlying ISO/IEC 27002:2022 controls so clients can see how evidence collection depends on logging, monitoring, incident response, records protection, access control, backups, privacy and legal requirements.
In the Clarysec policy library, the practical workflow anchors are already defined: Data Retention and Disposal Policy, Data Retention Policy and Secure Disposal Policy-sme, Evidence Collection and Forensics Policy, Evidence Collection and Forensics Policy-sme, Logging and Monitoring Policy-sme, Data Protection and Privacy Policy-sme and Audit and Compliance Monitoring Policy.
If your incident response plan says “preserve evidence” but does not define legal hold authority, evidence scope, retention suspension, chain of custody, supplier preservation, GDPR minimization and release criteria, it is not yet audit-ready.
Build the process before the breach. Clarysec can help you create a defensible cyber incident legal hold and evidence retention capability using Zenith Blueprint: An Auditor’s 30-Step Roadmap, Zenith Controls: The Cross-Compliance Guide and Clarysec policy templates including the Data Retention and Disposal Policy, Evidence Collection and Forensics Policy, Audit and Compliance Monitoring Policy, Logging and Monitoring Policy-sme - SME, Data Protection and Privacy Policy-sme - SME and Evidence Collection and Forensics Policy-sme - SME.
Download the toolkits, request a Clarysec policy review or book an evidence retention readiness assessment before your next audit, supervisory request or major customer security review.
Frequently Asked Questions
About the Author
Igor Petreski
Compliance Systems Architect, Clarysec LLC
Igor Petreski is a cybersecurity leader with over 30 years of experience in information technology and a dedicated decade specializing in global Governance, Risk, and Compliance (GRC).Core Credentials & Qualifications:• MSc in Cyber Security from Royal Holloway, University of London• PECB-Certified ISO/IEC 27001 Lead Auditor & Trainer• Certified Information Systems Auditor (CISA) from ISACA• Certified Information Security Manager (CISM) from ISACA • Certified Ethical Hacker from EC-Council
