Comprehensive and detailed explanation (250–300 words), drawn from the EC-Council Certified Chief Information Security Officer (CCISO) documents:
The EC-Council CCISO Body of Knowledge identifies preservation of evidence as the most critical action when criminal activity is suspected during an incident investigation. CCISO incident response guidance emphasizes that when illegal activity is possible, even if it has not yet been confirmed, the organization must assume that the evidence may later be required for legal, regulatory, or law enforcement proceedings.
Preserving evidence protects the integrity, admissibility, and credibility of digital artifacts such as logs, memory captures, disk images, and network traffic. CCISO materials stress that premature eradication, system restoration, or even investigative actions taken on live systems can destroy or alter evidence, undermining any legal action and exposing the organization to liability.
While executive communication is important, CCISO guidance prioritizes chain of custody and forensic soundness over status reporting. Determining the attack source and eradicating malware are subsequent steps that should begin only after the evidence has been preserved.
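The following is an added illustration, not text or code from the CCISO materials, of what "forensic soundness" and "chain of custody" mean in practice for acquired artifacts: every artifact is hashed at acquisition time, the hashes and each hand-off are recorded in a manifest, and the manifest lets anyone later prove that the artifacts are unchanged (or detect that a premature cleanup altered them). File names, the collector identifier, and the log line are constructed sample data; the function names are this example's own.

```python
import copy
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(artifact_paths, collector):
    """Record size and hash of each artifact plus the initial custody event."""
    now = datetime.now(timezone.utc).isoformat()
    return {
        "collected_by": collector,
        "collected_at": now,
        "artifacts": [
            {"path": os.path.basename(p), "size": os.path.getsize(p), "sha256": sha256_file(p)}
            for p in artifact_paths
        ],
        "custody": [{"event": "acquired", "by": collector, "at": now}],
    }


def record_transfer(manifest, from_party, to_party, reason):
    """Append a hand-off to the custody log; the original manifest is left untouched."""
    updated = copy.deepcopy(manifest)
    updated["custody"].append({
        "event": "transferred",
        "from": from_party,
        "to": to_party,
        "reason": reason,
        "at": datetime.now(timezone.utc).isoformat(),
    })
    return updated


def manifest_digest(manifest):
    """Hash of the canonical JSON form, suitable for sealing the manifest itself."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def verify_artifacts(manifest, directory):
    """Recompute each artifact's hash and report whether it still matches the manifest."""
    results = {}
    for entry in manifest["artifacts"]:
        path = os.path.join(directory, entry["path"])
        if not os.path.isfile(path):
            results[entry["path"]] = False      # missing evidence is a custody failure
            continue
        results[entry["path"]] = sha256_file(path) == entry["sha256"]
    return results


def demo():
    """Acquire two constructed artifacts, hand them to counsel, then show tampering is caught."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample artifacts standing in for a real log and memory capture.
        samples = {
            "auth.log": b"Mar 11 02:14:07 host sshd[812]: Accepted password for root from 203.0.113.5\n",
            "memory.raw": bytes(range(256)) * 4,
        }
        paths = []
        for name, data in samples.items():
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(data)
            paths.append(p)

        manifest = build_manifest(paths, collector="ir-analyst-1")          # hypothetical collector id
        manifest = record_transfer(manifest, "ir-analyst-1", "legal-counsel",
                                   "suspected criminal activity")
        before = verify_artifacts(manifest, d)                              # all True

        # Simulate a premature "cleanup" that truncates the log in place.
        with open(os.path.join(d, "auth.log"), "wb") as f:
            f.write(b"")
        after = verify_artifacts(manifest, d)                               # auth.log now False
        return before, after, len(manifest["custody"])


if __name__ == "__main__":
    print(demo())
```

The manifest digest is what an examiner would sign or log out-of-band at acquisition time; without that step an attacker (or a well-meaning administrator) who can edit both the artifact and the manifest leaves no trace, which is why the hashes belong in a record the incident responders do not control alone.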
The CCISO framework also highlights that the CISO must coordinate with legal counsel when criminal activity is suspected, and that coordination depends on evidence having been preserved. Preservation of evidence is therefore the foundational action that enables every other response activity.
In summary, CCISO doctrine holds that preserving evidence is the most critical action in early incident response when criminal activity is suspected.