Forensic Principles


The Forensic Readiness Policy states the Ministry of Justice (MoJ) requirements on the need for IT forensics. Each MoJ IT system or IT domain shall have, or be explicitly covered by, a Forensic Readiness Plan. The policy also outlines four principles which must be followed. For reference, these are:

  • Preservation of Evidence - the forensic investigation process shall preserve the integrity of original evidence by providing sufficient security, legal advice and procedural measures to ensure that evidential requirements are met. Any processes applied to copies of evidence must be repeatable and achieve the same results.
  • Aptitude for task - any task in a forensic investigation shall be conducted by a person assessed to be suitably trained and competent to carry out that task.
  • Documented Methodology - all investigations shall follow the documented methodology outlined in the forensic readiness plan, with an audit trail of all processes applied to evidence. A chain of evidence shall be created and preserved demonstrating where evidence has been stored and whose care the evidence has been in from point of capture until presentation.
  • Conformance - investigations shall be conducted in a manner which respects MoJ policies and assumes full cooperation from all internal and external staff members.

People and resources

The MoJ Security team is responsible for the IT Security Incident Management Process and charged with responding to all IT security incidents. The team can be contacted by email:

The MoJ intends to use a mix of internal and external resources to ensure that its forensic investigation capability can react quickly and efficiently to potential incidents, thereby minimising disruption to business.

Note: The Forensic Readiness Policy states that each forensic investigation must have a named Forensic Investigation Owner.

Incident management and forensic investigation process

The IT Incident Management Policy sets out the MoJ requirement for incident management where forensic investigations form part of the incident management process. As such, the forensic incident management process is an extension of the overall incident management process.

Contact details

For any further questions or advice relating to security, contact:


If you have any questions or comments about this guidance, such as suggestions for improvements, please contact: