UnixTime

Research Note

A.5.1 Audit Evidence Pack

The auditor wants to confirm that information security policies are defined, approved, published, communicated, acknowledged, controlled, and reviewed.

On this page

What the auditor wants to verify

Audit objective

This is the core audit assertion. Evidence should prove design, implementation, and operation.

The auditor wants to confirm that information security policies are defined, approved, published, communicated, acknowledged, controlled, and reviewed.

Evidence to request

Evidence Purpose
Top-level information security policy Proves policy exists
Topic-specific policies Shows supporting policy structure
Policy register Shows ownership, version, approval, status
Approval records Proves management approval
Version history/change log Proves document control
Intranet/GRC policy portal screenshot Proves publication and accessibility
Communication records Proves policy was communicated
Acknowledgement records Proves relevant personnel accepted
New hire onboarding checklist Proves onboarding communication
Supplier security requirements Proves relevant external party communication
Review schedule Proves planned review
Review meeting records Proves completed reviews
Incident/change-triggered review records Proves event-driven review
Exception register Proves non-compliance and exceptions are handled

Strong evidence

Strong evidence test

Prefer dated, owned, reviewed records that show the control operated for real cases.

  • Approved, current policy with owner, version, approval date, and review date.
  • Policy visible to relevant staff in a controlled repository.
  • Employees have acknowledged current policy.
  • Topic-specific policies are linked and consistent.
  • External parties receive appropriate redacted or contractual requirements.
  • Review records show planned and triggered reviews.
  • Policy updates were communicated.

Weak evidence

Weak evidence warning

Weak evidence usually shows a document exists but does not prove operation or effectiveness.

  • Draft or unsigned policy.
  • No owner or next review date.
  • Policy stored in an uncontrolled folder.
  • No evidence employees saw it.
  • No acknowledgement records.
  • Topic-specific policies contradict one another.
  • Policy not updated after major incident or organizational change.

Sample interview questions

Ask employees

  • Where can you find the information security policy?
  • What are your main information security responsibilities?
  • How are you informed when policies change?
  • How do you report a suspected security incident?

Ask policy owner

  • Who approves the policy?
  • How often is it reviewed?
  • What triggers an out-of-cycle review?
  • How do you confirm relevant people acknowledged the policy?
  • How do you control external distribution?

Ask management

  • How does the policy reflect management commitment?
  • How are policy exceptions approved?
  • How are non-compliances handled?

Common nonconformities

  • Policy is not approved by management.
  • Policy is not communicated or acknowledged.
  • Policy lacks owner and review schedule.
  • Review did not occur as planned.
  • Topic-specific policies are incomplete or inconsistent.
  • External parties are not informed of relevant requirements.
  • Policy is not under version/change control.