
Insider Threat Investigation

Insider threat investigations examine whether a trusted individual has misused their access to harm the organisation, its beneficiaries, or its mission. These investigations differ fundamentally from external threat response: the subject has legitimate access, the organisation has employment obligations, and the consequences extend beyond technical remediation into employment law, regulatory compliance, and duty of care. Mishandling an investigation can expose the organisation to constructive dismissal claims, data protection violations, and reputational damage regardless of whether the suspicion proves founded.

This playbook establishes procedures that protect the organisation’s interests while respecting employee rights. The core tension throughout is between thoroughness of investigation and preservation of employment relationships. A covert investigation that becomes public destroys trust even when it exonerates the subject. An overt investigation that proves unfounded damages the accused’s standing and may constitute harassment. The procedures here navigate between these risks through governance structures, documentation requirements, and decision criteria that make the investigation defensible whatever its outcome.

Legal coordination required

Do not begin any investigation activity without explicit authorisation from HR leadership and, where available, legal counsel. Actions taken without proper authorisation may be inadmissible as evidence, violate employment law, or expose the organisation to liability regardless of investigation findings.

Activation criteria

Insider threat investigations begin when specific indicators suggest intentional misuse of access rather than accidental policy violations or normal behavioural variation. The distinction matters: routine policy violations follow standard HR processes, while insider threat investigations invoke enhanced monitoring and evidence preservation that require formal authorisation.

Indicator category / Specific triggers / Threshold for activation

Data exfiltration patterns
  Specific triggers: Large file downloads, USB activity, cloud upload to personal accounts, email forwarding to external addresses
  Threshold for activation: Single event exceeding 500MB or cumulative pattern over 5GB in 30 days to unauthorised destinations

Access anomalies
  Specific triggers: Access to systems outside job function, after-hours access to sensitive data, access during notice period
  Threshold for activation: 3+ anomalous access events within 7 days, or any access to protection/safeguarding data without legitimate purpose

Policy violations with intent indicators
  Specific triggers: Disabling security controls, attempting to bypass DLP, accessing terminated colleague’s data
  Threshold for activation: Any deliberate circumvention of security controls

HR referral
  Specific triggers: Misconduct investigation, whistleblower report, manager concern
  Threshold for activation: Formal referral from HR with documented basis

External notification
  Specific triggers: Law enforcement inquiry, partner organisation report, regulatory body notification
  Threshold for activation: Any credible external notification regarding employee conduct

Financial indicators
  Specific triggers: Unexplained lifestyle changes, financial pressure reported to HR, expenses anomalies
  Threshold for activation: Correlation with access to financial systems or sensitive data

The threshold for activation must be high enough to prevent routine monitoring from becoming invasive but low enough to catch genuine threats before significant harm occurs. When indicators fall below activation thresholds but remain concerning, document them in a preliminary assessment file and schedule review in 30 days. If indicators persist or escalate, activate the full investigation.
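The data exfiltration and access anomaly thresholds above are the two that can be evaluated mechanically from logs. The following is an added example, not part of the playbook, showing how a security team might run that evaluation over a constructed sample of DLP transfer events and access-baseline events. The event schema, the field names and the sample records are assumptions for illustration; a real deployment would feed it from the organisation’s DLP, proxy and identity logs.

```python
"""Added example (not from the playbook): evaluate the activation thresholds
in the indicator table against a constructed sample of DLP and access events.
Event schema, field names and sample data are assumptions for illustration."""
from datetime import datetime, timedelta

MB = 1024 * 1024
SINGLE_TRANSFER_LIMIT = 500 * MB        # single event exceeding 500MB
CUMULATIVE_LIMIT = 5 * 1024 * MB        # cumulative pattern over 5GB ...
CUMULATIVE_WINDOW = timedelta(days=30)  # ... in 30 days
ACCESS_ANOMALY_COUNT = 3                # 3+ anomalous access events ...
ACCESS_WINDOW = timedelta(days=7)       # ... within 7 days

# Constructed sample. "unauthorised" is set by the DLP policy for transfers to
# destinations outside the approved list; "anomalous" is set by the access
# baseline for systems outside the job function or outside working hours.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T09:10:00", "type": "transfer", "bytes": 120 * MB, "unauthorised": True},
    {"time": "2024-03-04T18:40:00", "type": "transfer", "bytes": 1900 * MB, "unauthorised": True},
    {"time": "2024-03-12T23:05:00", "type": "access", "anomalous": True, "dataset": "finance"},
    {"time": "2024-03-14T22:50:00", "type": "access", "anomalous": True, "dataset": "finance"},
    {"time": "2024-03-15T14:00:00", "type": "transfer", "bytes": 2300 * MB, "unauthorised": True},
    {"time": "2024-03-15T23:30:00", "type": "access", "anomalous": True, "dataset": "hr"},
    {"time": "2024-03-20T10:00:00", "type": "transfer", "bytes": 800 * MB, "unauthorised": False},
    {"time": "2024-03-28T08:00:00", "type": "transfer", "bytes": 1000 * MB, "unauthorised": True},
]


def parse_events(raw):
    """Convert ISO timestamps and sort chronologically."""
    events = [{**e, "time": datetime.fromisoformat(e["time"])} for e in raw]
    return sorted(events, key=lambda e: e["time"])


def first_window_reaching(events, window, measure, reached):
    """Slide a window forward from each event in turn; return (start, end, total)
    for the first window whose accumulated measure satisfies `reached`."""
    for i, start in enumerate(events):
        total = 0
        for e in events[i:]:
            if e["time"] - start["time"] > window:
                break
            total += measure(e)
            if reached(total):
                return start["time"], e["time"], total
    return None


def evaluate_activation(raw_events):
    """Return (indicator, start, end, value) findings that meet an activation
    threshold. An empty list means the indicators stay below threshold."""
    events = parse_events(raw_events)
    findings = []

    exfil = [e for e in events if e["type"] == "transfer" and e["unauthorised"]]
    for e in exfil:
        if e["bytes"] > SINGLE_TRANSFER_LIMIT:
            findings.append(("exfil_single_event", e["time"], e["time"], e["bytes"]))
    hit = first_window_reaching(exfil, CUMULATIVE_WINDOW,
                                lambda e: e["bytes"], lambda t: t > CUMULATIVE_LIMIT)
    if hit:
        findings.append(("exfil_cumulative",) + hit)

    anomalous = [e for e in events if e["type"] == "access" and e.get("anomalous")]
    hit = first_window_reaching(anomalous, ACCESS_WINDOW,
                                lambda e: 1, lambda n: n >= ACCESS_ANOMALY_COUNT)
    if hit:
        findings.append(("access_anomaly_cluster",) + hit)
    # Any access to protection/safeguarding data without legitimate purpose
    # activates on its own, regardless of count.
    for e in anomalous:
        if e.get("dataset") == "safeguarding":
            findings.append(("safeguarding_access", e["time"], e["time"], 1))
    return findings


def recommendation(findings):
    """Map the findings to the action the playbook prescribes."""
    if findings:
        return "activate investigation: brief HR lead and obtain written authorisation"
    return "below threshold: record in preliminary assessment file, review in 30 days"


if __name__ == "__main__":
    found = evaluate_activation(SAMPLE_EVENTS)
    for indicator, start, end, value in found:
        print(f"{indicator:24s} {start:%Y-%m-%d} .. {end:%Y-%m-%d}  value={value}")
    print(recommendation(found))
```

On the sample, three single transfers exceed 500MB, the four unauthorised transfers total 5320MB inside a 30-day window, and three anomalous access events fall within seven days, so the recommendation is to activate. The 800MB transfer to an approved destination is ignored, which is the point of keying the threshold to unauthorised destinations rather than to volume alone.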

Governance structure

Insider threat investigations require coordination across multiple organisational functions, each with distinct responsibilities and authorities. No single function should control all aspects of an investigation, and the governance structure exists to provide checks on investigative overreach while ensuring thorough examination of credible threats.

INVESTIGATION GOVERNANCE

    +------------------------+
    |     Investigation      |   Authorises investigation
    |        Sponsor         |   Approves investigation scope
    |  (Executive/Director)  |   Makes termination decisions
    +-----------+------------+
                |
                v
    +-----------+------------+
    |        HR Lead         |   Employment law compliance
    |                        |   Disciplinary process
    |                        |   Interview coordination
    +-----------+------------+   Subject welfare
                |
       +--------+--------+
       |                 |
       v                 v
 +-----+-----+    +------+------+
 |   Legal   |    |     IT      |   Evidence collection
 |  Counsel  |    |  Security   |   Technical analysis
 |    (if    |    |    Lead     |   Access monitoring
 |  avail.)  |    |             |   System preservation
 +-----------+    +------+------+
                         |
                         v
                  +------+------+
                  |  External   |   Digital forensics
                  | Specialists |   Legal testimony
                  | (if needed) |   Chain of custody
                  +-------------+

Figure 1: Investigation governance structure showing authorisation flow and functional responsibilities

The investigation sponsor holds ultimate accountability for the investigation and must be senior enough to make termination decisions if warranted. In organisations without legal counsel, the sponsor also bears responsibility for ensuring employment law compliance, which may require engaging external legal advice for complex cases.

The HR lead serves as the primary guardian of employment rights throughout the investigation. HR must be involved from the outset: no monitoring, evidence collection, or subject contact occurs without HR coordination. This requirement is not administrative but substantive. Employment tribunals routinely find against organisations that conduct investigations without proper HR oversight, regardless of what the investigation reveals.

The IT security lead manages technical investigation activities: evidence collection, log analysis, access monitoring, and system preservation. IT security acts under direction from the investigation sponsor and in coordination with HR, never independently. The technical capability to monitor does not constitute authorisation to monitor.

Legal counsel provides guidance on admissibility of evidence, employment law compliance, and regulatory obligations. Organisations without in-house legal should establish a relationship with external employment law specialists before an investigation becomes necessary. Attempting to engage legal advice mid-investigation creates delays and may compromise evidence already collected.

External specialists become necessary when the investigation may result in litigation, when law enforcement involvement is likely, or when the organisation lacks forensic capabilities. The decision to engage external specialists should be made early: their evidence collection standards exceed internal capabilities, and evidence collected internally may not meet their chain of custody requirements.

Roles

Role / Responsibility / Assignment criteria / Backup requirement

Investigation sponsor
  Responsibility: Authorise investigation, approve scope changes, make employment decisions
  Assignment criteria: Executive or director level with authority over subject’s employment
  Backup requirement: Deputy executive or board member

HR lead
  Responsibility: Employment law compliance, disciplinary coordination, subject welfare, interview facilitation
  Assignment criteria: HR manager or director with employment law training
  Backup requirement: External HR consultant

IT security lead
  Responsibility: Evidence collection, technical analysis, access monitoring, system preservation
  Assignment criteria: IT security or IT manager with forensic awareness
  Backup requirement: External forensic provider

Legal advisor
  Responsibility: Legal guidance, admissibility assessment, regulatory compliance
  Assignment criteria: In-house counsel or external employment lawyer
  Backup requirement: Alternative external firm

Investigation coordinator
  Responsibility: Documentation, timeline management, communication coordination
  Assignment criteria: HR or compliance staff not in subject’s reporting line
  Backup requirement: Alternative HR staff

Witness coordinator
  Responsibility: Witness identification, interview scheduling, statement collection
  Assignment criteria: HR staff independent of investigation coordinator
  Backup requirement: External HR consultant

The subject’s direct manager should not hold any investigation role. Manager involvement creates conflicts of interest and may compromise the manager’s ability to maintain a working relationship if the investigation concludes without action. Inform the manager only that HR is handling a confidential matter and that they should direct any related queries to HR.

Phase 1: Preliminary assessment

Objective: Determine whether activation criteria are met and establish investigation scope
Timeframe: 24-48 hours
Authority level: HR lead can initiate; sponsor approval required to proceed to Phase 2

  1. Review the triggering information and assess against activation criteria. Document the specific indicators, their sources, and how they meet or approach activation thresholds. If indicators do not meet thresholds, document your assessment and close the preliminary assessment with a 30-day review date.

  2. Identify the subject and their organisational position. Determine reporting relationships, access levels, systems used, and any relevant HR history. Do not access the subject’s personnel file without HR lead authorisation, as such access may be logged and discoverable.

  3. Assess the potential scope of harm. Consider what data or systems the subject can access, what damage they could cause, and whether any harm may have already occurred. This assessment informs the urgency of subsequent phases.

  4. Determine the investigation category:

    Category A (Low complexity): Single policy violation, limited access scope, no data breach indicators, no litigation risk. Handle through standard HR disciplinary process with IT security support.

    Category B (Standard investigation): Multiple indicators, broader access scope, potential data exposure, possible termination outcome. Proceed with this playbook.

    Category C (High complexity): Criminal conduct suspected, regulatory notification likely, litigation expected, senior staff involved. Engage legal counsel and consider external forensic specialists before proceeding.

  5. Brief the investigation sponsor on findings and recommended category. Obtain written authorisation to proceed if Category B or C. The authorisation should specify the approved investigation scope, monitoring authorities, and any restrictions.

Checkpoint: Proceed to Phase 2 only with written sponsor authorisation specifying investigation scope and approved activities.

Phase 2: Covert investigation

Objective: Gather evidence without alerting the subject
Timeframe: 1-4 weeks depending on complexity
Authority level: Sponsor-approved scope; any scope expansion requires additional authorisation

The decision to investigate covertly rather than overtly depends on several factors that the investigation team must weigh before proceeding.

COVERT VS OVERT INVESTIGATION DECISION

                     +------------------+
                     |  Investigation   |
                     |   authorised     |
                     +--------+---------+
                              |
                              v
                     +--------+---------+
                     |  Ongoing harm    |
                     |   suspected?     |
                     +--------+---------+
                              |
                +--------------+--------------+
                |                             |
                v                             v
           +----+----+                 +----+----+
           |   Yes   |                 |   No    |
           +----+----+                 +----+----+
                |                             |
                v                             v
     +----------+----------+     +----------+----------+
     |  Evidence           |     |  Will subject       |
     |  destruction        |     |  likely destroy     |
     |  risk if alerted?   |     |  evidence?          |
     +----------+----------+     +----------+----------+
                |                             |
          +------+------+             +------+------+
          |           |               |           |
          v           v               v           v
       +--+--+     +--+--+         +--+--+     +--+--+
       | Yes |     | No  |         | Yes |     | No  |
       +--+--+     +--+--+         +--+--+     +--+--+
          |           |               |           |
          v           v               v           v
  +-------+-------+ +-+---------------+-+ +-------+-------+
  |    COVERT     | |    OVERT with     | |     OVERT     |
  | investigation | | immediate access  | | investigation |
  |  (this phase) | |    restriction    | |   (skip to    |
  |               | |                   | |   Phase 3)    |
  +---------------+ +-------------------+ +---------------+

Figure 2: Decision tree for covert versus overt investigation approach

Covert investigation is appropriate when evidence destruction is likely if the subject is alerted, when ongoing harm may continue during investigation, or when the nature of suspected conduct makes direct inquiry inappropriate. Covert investigation is not appropriate merely because it is more convenient or because it avoids uncomfortable conversations.

  1. Preserve existing evidence before any monitoring begins. Work with the IT security lead to ensure current logs, access records, and relevant data are preserved in a manner that maintains chain of custody. See Evidence Collection for detailed preservation procedures.

  2. Define monitoring scope within authorised boundaries. Monitoring may include:

    • Email metadata (sender, recipient, timestamp, size) without content review
    • File access logs for sensitive systems
    • Authentication logs and access patterns
    • Data loss prevention alerts
    • Network traffic metadata

    Content monitoring (reading emails, viewing files) requires explicit authorisation and should be limited to specific systems or timeframes where there is reasonable suspicion of policy violation.

  3. Implement monitoring using existing security infrastructure where possible. Installing new monitoring tools on the subject’s devices creates detection risk and may require disclosure under some employment frameworks. Configure existing DLP, SIEM, and access logging to generate alerts on subject activity without creating obvious new controls.

  4. Establish a secure evidence repository accessible only to investigation team members. Store all evidence with timestamps, source identification, and collector identification. Maintain a contemporaneous log of all evidence collected and all investigative actions taken.

  5. Analyse collected evidence systematically. Look for patterns rather than individual events: a single large file download may be legitimate work activity, but repeated downloads of HR records followed by uploads to personal cloud storage establishes a pattern of exfiltration.

  6. Document all findings in a preliminary investigation report. Include:

    • Summary of indicators that triggered investigation
    • Evidence collected and analysis
    • Assessment of whether policy violation occurred
    • Assessment of whether harm occurred or was attempted
    • Recommendation for next phase
  7. Brief the investigation sponsor on findings. Present three possible outcomes:

    Insufficient evidence: Close investigation, remove the monitoring configuration, and retain the documentation for the period set out in the retention schedule in Phase 4.

    Policy violation confirmed, no malicious intent: Transition to HR disciplinary process; proceed to Phase 3 for subject interview.

    Malicious conduct confirmed or strongly suspected: Proceed to Phase 3 with access restriction; consider immediate suspension depending on ongoing risk.

Decision point: Sponsor determines whether to close investigation, proceed with overt investigation, or proceed with access restriction.

Checkpoint: Preliminary investigation report completed and reviewed by sponsor. Written decision on next steps obtained.
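Step 5 asks the analyst to look for patterns rather than isolated events: a large download may be legitimate work, but the same dataset being downloaded and then uploaded to personal cloud storage on repeated occasions is not. The following is an added example, not part of the playbook, that pairs sensitive-dataset downloads from a file-access log with personal-cloud uploads from a proxy/DLP log and reports repeated pairs as a pattern, while leaving an unpaired large download alone. It also emits fact-only wording of the kind the documentation standards later require. The two log formats, the 24-hour pairing window, the sensitive dataset names and all sample records are assumptions for illustration.

```python
"""Added example (not from the playbook): correlate sensitive-data downloads
with subsequent uploads to personal cloud storage, so that a repeated
download-then-upload sequence surfaces as a pattern while an isolated large
download does not. Log formats, pairing window and sample data are assumed."""
from collections import Counter
from datetime import datetime, timedelta

MB = 1024 * 1024
PAIRING_WINDOW = timedelta(hours=24)  # assumption: an upload within a day of the download
SENSITIVE_DATASETS = {"hr_records", "safeguarding_cases"}  # assumed classification

# Constructed file-server access log for the subject's account.
FILE_ACCESS_LOG = [
    {"time": "2024-03-11T10:15:00", "dataset": "hr_records", "files": 80, "bytes": 1100 * MB},
    {"time": "2024-03-15T14:00:00", "dataset": "hr_records", "files": 847, "bytes": 2350 * MB},
    {"time": "2024-03-18T09:30:00", "dataset": "finance_reports", "files": 300, "bytes": 4000 * MB},
]

# Constructed proxy/DLP log of outbound uploads. "destination" is the DLP
# category; "personal_cloud" is an unapproved destination.
UPLOAD_LOG = [
    {"time": "2024-03-11T12:40:00", "destination": "personal_cloud", "host": "drive.example", "bytes": 1050 * MB},
    {"time": "2024-03-15T16:30:00", "destination": "personal_cloud", "host": "drive.example", "bytes": 2200 * MB},
    {"time": "2024-03-18T11:00:00", "destination": "approved_sharing", "host": "share.org.example", "bytes": 4000 * MB},
]


def _ts(record):
    return datetime.fromisoformat(record["time"])


def pair_download_upload(downloads, uploads, window=PAIRING_WINDOW):
    """For each sensitive-dataset download, attach the personal-cloud uploads that
    follow it within `window`. Downloads with no such upload are not reported:
    on their own they are consistent with legitimate work."""
    pairs = []
    for d in downloads:
        if d["dataset"] not in SENSITIVE_DATASETS:
            continue
        start = _ts(d)
        follow = [u for u in uploads
                  if u["destination"] == "personal_cloud"
                  and start <= _ts(u) <= start + window]
        if follow:
            pairs.append({"download": d, "uploads": follow})
    return pairs


def exfiltration_patterns(pairs, min_occurrences=2):
    """A dataset downloaded and then uploaded on two or more separate occasions
    is a pattern; a single occurrence is recorded in the log but not reported."""
    counts = Counter(p["download"]["dataset"] for p in pairs)
    return {ds: n for ds, n in counts.items() if n >= min_occurrences}


def describe(pair):
    """Fact-only wording for the investigation log: counts, sizes, times and
    destinations. Interpretation belongs in a section labelled as analysis."""
    d = pair["download"]
    t = _ts(d)
    parts = [f"Subject downloaded {d['files']} files ({d['bytes'] / (1024 * MB):.1f} GB) "
             f"from {d['dataset']} at {t:%H:%M} on {t.day} {t:%B}."]
    for u in pair["uploads"]:
        ut = _ts(u)
        parts.append(f"{u['bytes'] / (1024 * MB):.1f} GB uploaded to {u['host']} "
                     f"({u['destination']}) at {ut:%H:%M} on {ut.day} {ut:%B}.")
    return " ".join(parts)


if __name__ == "__main__":
    pairs = pair_download_upload(FILE_ACCESS_LOG, UPLOAD_LOG)
    for p in pairs:
        print(describe(p))
    print("patterns:", exfiltration_patterns(pairs))
```

On the sample, the two hr_records downloads each have a personal-cloud upload within the window and are reported as a pattern with two occurrences; the 4GB finance_reports download is neither a sensitive dataset nor followed by an unapproved upload, so it is left out. Keeping the pairing window and the dataset classification as explicit parameters matters here, because both are assumptions that will be questioned if the evidence is later challenged.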

Monitoring boundaries

Do not access personal devices, personal email accounts, or personal cloud storage even if accessed from organisational networks. Do not install monitoring software on devices without legal review. Do not access communications between the subject and their legal counsel, union representative, or medical providers. Violations in these areas may render all investigation evidence inadmissible and expose the organisation to significant liability.

Phase 3: Overt investigation

Objective: Conduct subject interview and gather direct evidence
Timeframe: 1-2 weeks
Authority level: HR lead manages interview process; sponsor approves any access modifications

The transition from covert to overt investigation requires careful coordination. The subject will become aware of the investigation, and their response in the first hours shapes subsequent proceedings.

  1. Determine whether access restriction is warranted before subject notification. Access restriction is appropriate when:

    • Evidence indicates ongoing harmful activity
    • Subject has access to systems that could be damaged or data that could be destroyed
    • The nature of suspected conduct makes continued access inappropriate

    Access restriction is not suspension. The subject remains employed and may continue working on tasks that do not require the restricted access. Restriction should be proportionate: removing access to the HR system is appropriate if HR data misuse is suspected; removing all system access when the concern is expense fraud is disproportionate.

  2. If access restriction is warranted, implement restrictions before subject notification. Work with IT security to disable or limit access to relevant systems. Time this to occur immediately before the notification meeting, not days in advance where the subject might notice access failures and become aware of investigation.

  3. Prepare for the subject notification meeting. The meeting should include:

    • HR lead (to manage process and protect subject rights)
    • Investigation coordinator (to document)
    • Manager of HR lead or equivalent (as witness)

    The IT security lead should not attend the initial meeting. Technical questions come later; the initial meeting establishes the investigation framework and hears the subject’s account.

  4. Conduct the subject notification meeting:

    Open by explaining that concerns have been raised about specific conduct (describe the concern in general terms without revealing evidence) and that an investigation is being conducted. Explain that the investigation is to establish facts and that no conclusions have been reached.

    Advise the subject of their rights:

    • Right to be accompanied by a colleague or union representative in subsequent meetings
    • Right to respond to specific allegations when made
    • Right to provide evidence in their defence
    • Confidentiality of investigation (and limits to that confidentiality)

    Ask the subject to provide their account of the relevant activities. Do not challenge their account at this stage; document their response accurately.

    Inform the subject of any access restrictions and the reason for them in general terms.

    Explain next steps and expected timeline.

  5. Following the meeting, assess the subject’s account against evidence collected. Identify discrepancies and prepare specific questions for follow-up interview.

  6. Conduct follow-up interviews as needed. In follow-up interviews, you may present specific evidence and ask the subject to explain it. Allow reasonable time for the subject to prepare a response to specific allegations.

  7. Interview witnesses identified during investigation. Witnesses should be advised of confidentiality expectations and that their statements may be disclosed to the subject in summary form if disciplinary action results.

  8. Compile the complete investigation report including:

    • Chronology of relevant events
    • Evidence collected (with chain of custody documentation)
    • Subject’s account and explanation
    • Witness statements
    • Analysis of evidence against subject’s account
    • Findings of fact
    • Recommendation (no action, disciplinary action, termination, referral to law enforcement)

Decision point: Investigation sponsor reviews complete investigation report and determines outcome.

Checkpoint: Complete investigation report delivered to sponsor with clear recommendations. Subject has had opportunity to respond to all specific allegations.

Phase 4: Resolution

Objective: Implement investigation outcome
Timeframe: 1-2 weeks
Authority level: Sponsor makes final decision; HR implements

  1. Investigation sponsor reviews complete report and makes determination. Possible outcomes:

    No action: Evidence does not support allegations, or subject’s explanation is accepted. Proceed to Step 2a.

    Informal action: Minor policy violation confirmed but does not warrant formal discipline. Issue management advice and close investigation. Proceed to Step 2b.

    Formal disciplinary action: Policy violation confirmed; formal warning or sanction appropriate. Transition to HR disciplinary process. Proceed to Step 2c.

    Termination: Serious misconduct confirmed; continued employment inappropriate. Proceed to Step 2d.

    Law enforcement referral: Criminal conduct suspected. Proceed to Step 2e.

  2. Implement the determined outcome:

    2a. No action resolution: Meet with subject to confirm investigation is closed with no action. Acknowledge the impact of the investigation and express appreciation for their cooperation. Restore any restricted access. Discuss any support needed. Document closure.

    2b. Informal action resolution: HR lead meets with subject to discuss findings and expectations. Document the conversation in a file note, not the personnel file. Monitor for recurrence for 12 months. Restore any restricted access.

    2c. Formal disciplinary action: Transition to HR disciplinary procedure. The investigation report becomes input to the disciplinary process, but the disciplinary process has its own procedural requirements including the right to appeal. IT security involvement typically ends here unless access modifications are part of the sanction.

    2d. Termination: Coordinate with HR on termination process. Follow User Offboarding procedures with enhanced attention to immediate access revocation. Preserve all evidence and documentation against potential employment tribunal claim. If termination is for gross misconduct, summary dismissal without notice may be appropriate; obtain legal advice before proceeding.

    2e. Law enforcement referral: Consult legal counsel before any law enforcement contact. Preserve all evidence in its current state. Do not continue internal investigation activities that might compromise a criminal investigation. Coordinate timing of any employment action with law enforcement guidance.

  3. Conduct post-investigation review within 30 days. Assess:

    • Whether investigation procedures were followed correctly
    • Whether the triggering indicators were appropriate
    • Whether monitoring capabilities are adequate
    • Whether policies need updating
    • Lessons learned for future investigations

    Document the review findings separately from the investigation file.

  4. Manage investigation records per retention policy. Investigation records should be retained for:

    • 6 years if no action taken (statute of limitations for most employment claims)
    • Duration of employment plus 6 years if informal action
    • Duration of employment plus 6 years if formal action
    • Permanently if termination (may be needed for reference requests, future litigation)

    Store investigation records separately from standard personnel files with restricted access.

Evidence chain of custody

Evidence collected during insider threat investigations must withstand scrutiny in employment tribunals and potentially criminal proceedings. Chain of custody documentation establishes that evidence has not been tampered with, modified, or taken out of context.

EVIDENCE CHAIN OF CUSTODY

    +----------------+
    |    Evidence    |   Identify what needs preserving
    | Identification |   Record location, format, size
    +-------+--------+   Assign evidence reference number
            |
            v
    +-------+--------+
    |   Collection   |   Extract using forensic methods
    |                |   Calculate hash (SHA-256)
    +-------+--------+   Record collector, time, method
            |
            v
    +-------+--------+
    |    Transfer    |   Document handover
    |                |   Both parties sign
    +-------+--------+   Record time, location, purpose
            |
            v
    +-------+--------+
    |    Storage     |   Secure, access-controlled location
    |                |   Log all access
    +-------+--------+   Maintain environmental conditions
            |
            v
    +-------+--------+
    |    Analysis    |   Work on copies, never originals
    |                |   Document all analysis steps
    +-------+--------+   Record analyst, tools, findings
            |
            v
    +-------+--------+
    |  Presentation  |   Produce evidence with custody record
    |                |   Verify hash matches original
    +----------------+   Provide complete chain documentation

Figure 3: Evidence chain of custody flow showing documentation requirements at each stage

For each piece of evidence, maintain a custody log recording every transfer, access, and analysis event. The log should include:

  • Evidence reference number
  • Description of evidence
  • Original location and how identified
  • Collection date, time, and method
  • Collector name and role
  • Hash value at collection (SHA-256)
  • Each subsequent handler, with date, time, and purpose
  • Current storage location
  • Any analysis performed and by whom

Digital evidence presents particular challenges. Email, for example, exists in multiple locations: the sender’s sent folder, the recipient’s inbox, the email server, backup systems, and potentially archive systems. Collecting from one location does not preserve all instances, and metadata differs between locations. Document which instance was collected and why.

When working with external forensic specialists or law enforcement, they may require re-collection using their tools and methods. Facilitate this access while maintaining your own preserved copy for employment proceedings, which may have different standards than criminal proceedings.
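The stages in Figure 3 and the custody log fields above can be enforced in software rather than left to a spreadsheet. The following is an added example, not part of the playbook, of a minimal evidence store and custody log: hash at collection, a record for every handover and analysis copy, analysis only on copies, and verification of the stored original against the collection hash before presentation. Each log entry also carries the SHA-256 of the entry before it, so an edited or deleted line breaks the chain; that linking is an added refinement the playbook does not specify. The paths, reference number, role names and the sample file are constructed.

```python
"""Added example (not from the playbook): an evidence store with a custody log
that hashes at collection, records every handover and analysis copy, and
verifies the stored original before presentation. Entry-to-entry hash linking
is an added refinement. Paths, reference numbers and sample data are constructed."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    """Append-only JSON-lines log; every entry names the hash of its predecessor."""

    def __init__(self, path):
        self.path = path

    def entries(self):
        if not os.path.exists(self.path):
            return []
        with open(self.path) as f:
            return [json.loads(line) for line in f if line.strip()]

    def append(self, **fields):
        prior = self.entries()
        entry = {"seq": len(prior) + 1,
                 "time": datetime.now(timezone.utc).isoformat(),
                 "prev": _digest(prior[-1]) if prior else "0" * 64,
                 **fields}
        with open(self.path, "a") as f:
            f.write(json.dumps(entry, sort_keys=True) + "\n")
        return entry

    def verify_chain(self):
        expected = "0" * 64
        for e in self.entries():
            if e["prev"] != expected:
                return False
            expected = _digest(e)
        return True


def collect(original, store_dir, ref, collector, log):
    """Copy into the evidence store, hash original and copy, record the collection."""
    stored = os.path.join(store_dir, f"{ref}.bin")
    shutil.copy2(original, stored)
    digest = sha256_file(original)
    if sha256_file(stored) != digest:
        raise RuntimeError("stored copy does not match original")
    log.append(event="collection", ref=ref, source=os.path.abspath(original),
               sha256=digest, size=os.path.getsize(stored),
               collector=collector, method="file copy via shutil.copy2")
    return stored


def handover(ref, released_by, received_by, purpose, log):
    log.append(event="transfer", ref=ref, released_by=released_by,
               received_by=received_by, purpose=purpose)


def analysis_copy(stored, work_dir, ref, analyst, log):
    """Analysts receive a hashed working copy; the stored original is never opened for writing."""
    copy = os.path.join(work_dir, f"{ref}-working.bin")
    shutil.copy2(stored, copy)
    log.append(event="analysis_copy", ref=ref, analyst=analyst, sha256=sha256_file(copy))
    return copy


def verify_for_presentation(stored, ref, log):
    """Recompute the stored original's hash, compare with the collection record,
    and confirm the log chain is intact."""
    recorded = next(e["sha256"] for e in log.entries()
                    if e["event"] == "collection" and e["ref"] == ref)
    current = sha256_file(stored)
    log.append(event="verification", ref=ref, sha256=current,
               matches_collection=(current == recorded))
    return current == recorded and log.verify_chain()


def demo():
    """Walk the chain, then show that tampering with the original or the log is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        store, work = os.path.join(tmp, "store"), os.path.join(tmp, "work")
        os.makedirs(store)
        os.makedirs(work)
        original = os.path.join(tmp, "export.csv")
        with open(original, "w") as f:
            f.write("constructed sample export, not real data\n")
        log = CustodyLog(os.path.join(tmp, "custody.jsonl"))
        stored = collect(original, store, "EV-0001", "IT security lead", log)
        handover("EV-0001", "IT security lead", "Investigation coordinator", "secure storage", log)
        analysis_copy(stored, work, "EV-0001", "External forensic analyst", log)
        intact = verify_for_presentation(stored, "EV-0001", log)
        with open(stored, "a") as f:                 # someone edits the stored original
            f.write("altered\n")
        after_tamper = verify_for_presentation(stored, "EV-0001", log)
        with open(log.path) as f:                    # someone rewrites entry 1
            lines = f.read().splitlines()
        first = json.loads(lines[0])
        first["collector"] = "someone else"
        lines[0] = json.dumps(first, sort_keys=True)
        with open(log.path, "w") as f:
            f.write("\n".join(lines) + "\n")
        return {"intact": intact, "after_tamper": after_tamper,
                "chain_after_edit": log.verify_chain(), "entries": len(lines)}


if __name__ == "__main__":
    print(demo())
```

The verification step is deliberately run against the stored original, not the working copy: the working copy may legitimately have been carved, indexed or converted during analysis, and only the original’s hash ties back to the collection record. The log’s own linking is cheap insurance for the same reason the playbook insists on contemporaneous records: a reviewer can tell an appended entry from a rewritten one.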

False positive handling

Investigations that do not substantiate allegations require careful closure that protects the subject from lasting damage. An employee who learns they were investigated and cleared may reasonably feel their trust has been violated; how the organisation handles closure determines whether the employment relationship can continue productively.

When closing an investigation with no action:

Schedule a meeting with the subject that includes HR representation. Explain clearly that the investigation examined specific concerns, that those concerns are not substantiated, and that no further action will be taken. Do not minimise the investigation or the subject’s experience of it.

Acknowledge the impact. Being investigated for misconduct is stressful and potentially damaging to self-perception and workplace relationships. Offer access to employee assistance programmes or similar support.

Restore all access and remove all enhanced monitoring within 24 hours of closure. Verify with the subject that their access is fully restored.

Discuss confidentiality. The investigation was confidential, and the organisation has not disclosed it to colleagues. The subject may choose to discuss it or not; that is their decision. If the subject believes their reputation has been damaged by the investigation process, take their concerns seriously and investigate any leaks.

Document closure comprehensively. The closure documentation protects both the organisation (demonstrating fair process) and the subject (providing evidence of exoneration if questions arise later).

Consider whether any organisational changes are needed. If the triggering indicators were legitimate concerns about security controls, policy compliance, or system configuration, address those concerns independently of the individual investigation.

Communications

Investigation team internal communications

Use encrypted channels for all investigation communications. Do not discuss investigation details on standard email, messaging, or phone systems that may be logged or accessible to the subject. This applies with particular force when the subject holds administrative rights over any of those systems, since an administrator can read mailboxes, message histories and logs that ordinary users cannot.

Hold investigation status meetings in person or via secure video with no recording. Limit attendance to designated investigation team members.

Document decisions in the secure evidence repository, not in standard meeting notes or email.

Subject notification (initial meeting)

Deliver verbally in private meeting. Provide written summary within 24 hours.

Subject: Confidential workplace investigation

We are writing to confirm the matters discussed in our meeting on [date].

Concerns have been raised regarding [general description of concern without revealing evidence or source]. We are conducting an investigation to establish the facts. This investigation is being conducted under [relevant policy reference].

During the investigation period:

  • You have the right to be accompanied by a colleague or trade union representative at any investigatory meeting
  • You will have the opportunity to respond to any specific allegations before conclusions are reached
  • The investigation will be conducted confidentially; we ask that you also maintain confidentiality
  • [If applicable] Your access to [specific systems] has been temporarily restricted as a precaution; this is not a disciplinary sanction and will be reviewed as the investigation progresses

The investigation is expected to conclude within [timeframe]. You will be kept informed of progress and will have the opportunity to provide any information you consider relevant.

If you have questions about the process, please contact [HR lead name].

[Signature] [HR lead name and title]

Outcome notification (no action)

Deliver verbally in meeting, followed by written confirmation within 24 hours.

Subject: Conclusion of workplace investigation

We are writing to confirm that the investigation discussed in our meeting on [original notification date] has now concluded.

Having examined the relevant information and considered your response, we have determined that no further action is warranted. The investigation is now closed, and this matter will not affect your employment record or standing.

Any temporary access restrictions have been lifted with immediate effect. If you experience any access issues, please contact [IT contact].

We recognise that being subject to an investigation is a difficult experience. Support is available through [employee assistance programme or equivalent]. Please do not hesitate to discuss any concerns with [HR contact].

Thank you for your cooperation during this process.

[Signature] [Investigation sponsor name and title]

Manager notification (during investigation)

Keep minimal. Managers should know only that HR is handling a confidential matter and that they should not take independent action or discuss the matter with the subject beyond normal work interactions.

A confidential HR matter is in progress regarding [subject name]. Please continue normal management activities and direct any queries about this matter to [HR lead]. Do not discuss this notification with [subject name] or other staff. This is not an indication of any outcome; investigations establish facts and frequently conclude with no action.

Documentation requirements

Investigation documentation serves three purposes: guiding the investigation itself, demonstrating fair process if challenged, and providing evidence if legal proceedings result. Document with all three purposes in mind.

Investigation file contents:

  • Investigation authorisation (signed by sponsor)
  • Terms of reference defining scope
  • Chronological investigation log
  • All evidence with chain of custody records
  • Subject notification and all subsequent communications with subject
  • Interview notes (contemporaneous, signed by interviewer)
  • Witness statements (signed by witnesses)
  • Analysis documents
  • Preliminary and final investigation reports
  • Outcome notification
  • Closure documentation
  • Post-investigation review

Documentation standards:

Record facts, not interpretations. Write “Subject downloaded 847 files totalling 2.3GB between 14:00 and 16:30 on 15 March” not “Subject engaged in suspicious downloading activity.” Interpretation belongs in analysis sections clearly labelled as analysis.

Date and sign every document at the time of creation. Retrospective documentation carries less weight than contemporaneous records.

Preserve original formats. If evidence exists as an email, preserve the email with full headers, not just a copy of the text.

Store documentation securely with access logging. The investigation file should be accessible only to investigation team members during the investigation and to authorised HR/legal staff subsequently.
