Home/BoK/Templates/Evidence Preservation Checklist
Back to Hub
Last Reviewed: 2026-06-25
Reviewer Role: Insider Risk / Legal / Privacy review
Advanced Asset
Investigation ModuleInteractive Sheet

Evidence Preservation Checklist

An evidence preservation checklist helps teams identify, preserve, and protect potentially relevant evidence before it is altered, deleted, overwritten, or accessed inappropriately.

Primary Audience & Scope

Investigators, IT, Security, Legal, HR

When to Use

  • Triage, investigation, preservation, containment, or legal review is required.
  • A consistent record is needed across teams.
  • A matter may require later review, audit, or legal defensibility.

Interactive Work Area

Fill or track items interactively and copy out to your Clipboard

Template Table Structure

FieldWorking prompt
Case/resource field 1Use this field to document: Identify preservation trigger.
Case/resource field 2Use this field to document: Confirm preservation authority and scope.
Case/resource field 3Use this field to document: List custodians and systems.
Case/resource field 4Use this field to document: Preserve email, chat, collaboration, file, endpoint, cloud, IAM, PAM, DLP, SIEM, repository, badge, CCTV, HR, and physical evidence as applicable.
Case/resource field 5Use this field to document: Record time period covered.
Case/resource field 6Use this field to document: Restrict access to preserved material.
Case/resource field 7Use this field to document: Calculate and record hashes for digital evidence when appropriate.
Case/resource field 8Use this field to document: Start chain-of-custody log.

Checklist Audit List

0% Done(0/10)
Check
Checklist item

Identify preservation trigger.

Evidence: Owner / date / evidence

Confirm preservation authority and scope.

Evidence: Owner / date / evidence

List custodians and systems.

Evidence: Owner / date / evidence

Preserve email, chat, collaboration, file, endpoint, cloud, IAM, PAM, DLP, SIEM, repository, badge, CCTV, HR, and physical evidence as applicable.

Evidence: Owner / date / evidence

Record time period covered.

Evidence: Owner / date / evidence

Restrict access to preserved material.

Evidence: Owner / date / evidence

Calculate and record hashes for digital evidence when appropriate.

Evidence: Owner / date / evidence

Start chain-of-custody log.

Evidence: Owner / date / evidence

Coordinate with legal hold if needed.

Evidence: Owner / date / evidence

Document collection method and location.

Evidence: Owner / date / evidence

What Completion Looks Like

  • 1Decision documented.
  • 2Owner assigned.
  • 3Evidence and actions recorded.
  • 4Scope and authority preserved.
  • 5Follow-up action created where needed.

Insider Risk Capability Framework™ (IRCF™) Alignment

Programmatic RelevanceSupports consistent, defensible handling of insider risk matters.
Non-legal-advice Compliance NoteThis resource is a planning aid and does not provide legal advice. Organizations should adapt it to their policies, jurisdictions, labor obligations, privacy requirements, contracts, and risk appetite. Sensitive monitoring, investigation, employment, evidence, legal hold, and employee-data activities should be reviewed by appropriate Legal, Privacy, HR, Compliance, and labor stakeholders before use.

Operationalize This Template in RiskTKO®

Use RiskTKO® or request ITMG® support to adapt this template, align it to the Insider Risk Capability Framework™, and connect the output to measurable exposure reduction. Chain of Custody Log Template