What the auditor wants to verify
Audit objective
This is the core audit assertion. Evidence should prove design, implementation, and operation.
The auditor wants to confirm that information security policies are defined, approved, published, communicated, acknowledged, controlled, and reviewed.
Evidence to request
| Evidence | Purpose |
|---|---|
| Top-level information security policy | Proves policy exists |
| Topic-specific policies | Shows supporting policy structure |
| Policy register | Shows ownership, version, approval, status |
| Approval records | Proves management approval |
| Version history/change log | Proves document control |
| Intranet/GRC policy portal screenshot | Proves publication and accessibility |
| Communication records | Proves policy was communicated |
| Acknowledgement records | Proves relevant personnel accepted |
| New hire onboarding checklist | Proves onboarding communication |
| Supplier security requirements | Proves relevant external party communication |
| Review schedule | Proves planned review |
| Review meeting records | Proves completed reviews |
| Incident/change-triggered review records | Proves event-driven review |
| Exception register | Proves non-compliance and exceptions are handled |
Strong evidence
Strong evidence test
Prefer dated, owned, reviewed records that show the control operated for real cases.
- Approved, current policy with owner, version, approval date, and review date.
- Policy visible to relevant staff in a controlled repository.
- Employees have acknowledged current policy.
- Topic-specific policies are linked and consistent.
- External parties receive appropriate redacted or contractual requirements.
- Review records show planned and triggered reviews.
- Policy updates were communicated.
Weak evidence
Weak evidence warning
Weak evidence usually shows a document exists but does not prove operation or effectiveness.
- Draft or unsigned policy.
- No owner or next review date.
- Policy stored in an uncontrolled folder.
- No evidence employees saw it.
- No acknowledgement records.
- Topic-specific policies contradict one another.
- Policy not updated after major incident or organizational change.
Sample interview questions
Ask employees
- Where can you find the information security policy?
- What are your main information security responsibilities?
- How are you informed when policies change?
- How do you report a suspected security incident?
Ask policy owner
- Who approves the policy?
- How often is it reviewed?
- What triggers an out-of-cycle review?
- How do you confirm relevant people acknowledged the policy?
- How do you control external distribution?
Ask management
- How does the policy reflect management commitment?
- How are policy exceptions approved?
- How are non-compliances handled?
Common nonconformities
- Policy is not approved by management.
- Policy is not communicated or acknowledged.
- Policy lacks owner and review schedule.
- Review did not occur as planned.
- Topic-specific policies are incomplete or inconsistent.
- External parties are not informed of relevant requirements.
- Policy is not under version/change control.
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A5 1
Note Metadata
Aliases: A.5.1 Evidence
Source: 04 Audit Evidence Packs/A.5.1 Audit Evidence Pack.md