Organization must create processes that identify, collect and store relevant evidence information related to information security incidents. The evidence may need to have been collected in a way that can be accepted in relevant courts or other similar disciplinary bodies.
Regarding the evidence material, it should be possible to demonstrate e.g.:
Certification or other assurances of the competency of related personnel and tools may additionally be considered to establish more evidentiary value.
Our organization has defined the actions to be taken in the event of a breach of confidentiality. These may include e.g. the following steps: