UnixTime

Research Note

A.5.10 Audit Evidence Pack

The auditor wants to confirm that acceptable use rules and information handling procedures are defined, communicated, acknowledged, implemented, and enforced for relevant users...

On this page

What the auditor wants to verify

Audit objective

This is the core audit assertion. Evidence should prove design, implementation, and operation.

The auditor wants to confirm that acceptable use rules and information handling procedures are defined, communicated, acknowledged, implemented, and enforced for relevant users and asset types.

Evidence to request

Evidence Purpose
Acceptable use policy or rules Shows permitted, restricted, and prohibited use
Information handling procedure Shows classification-based handling requirements
User acknowledgement records Shows users accepted the rules
Onboarding access records Shows acknowledgement before access
Logon warning banner Shows warning against unauthorized use
Monitoring or DLP records Shows misuse can be detected
Incident reports Shows misuse is identified and investigated
Corrective or disciplinary records Shows violations are acted on
External-party agreements Shows contractors and third parties are covered
Staff interview records Shows user awareness
Observation of sensitive handling Shows procedures work in practice

Strong evidence

Strong evidence test

Prefer dated, owned, reviewed records that show the control operated for real cases.

  • Rules are clear, current, readable, and mapped to asset types.
  • Classification labels have practical handling instructions.
  • Users acknowledge rules before access.
  • Contractors and third-party users are covered.
  • Misuse is monitored, investigated, and corrected.
  • Incident lessons improve rules or awareness.
  • External agreements enforce equivalent handling expectations.

Weak evidence

Weak evidence warning

Weak evidence usually shows a document exists but does not prove operation or effectiveness.

  • Generic acceptable use policy with no local tailoring.
  • No handling rules for sensitive information.
  • Acknowledgements are missing or after access.
  • Rules ignore paper, printers, removable media, cloud tools, or third parties.
  • No evidence of monitoring or response.
  • Users cannot explain inappropriate use.

Sample interview questions

Ask users

  • What are you allowed and not allowed to do with company systems?
  • How do you handle confidential information?
  • Can you use personal email or cloud storage for work data?
  • What do you do if you accidentally send information to the wrong person?
  • Are contractors subject to the same rules?

Ask managers

  • How do you ensure your team follows acceptable use rules?
  • What happens after misuse or non-compliance?
  • How do you reinforce handling rules for sensitive information?

Ask security or IT

  • How is misuse detected?
  • How are acceptable use violations investigated?
  • Are warning banners or monitoring controls in place?

Common nonconformities

  • No documented acceptable use rules.
  • No classification-based handling procedures.
  • Users have not acknowledged rules.
  • Contractors or third parties excluded.
  • Rules not implemented or enforced.
  • Misuse incidents do not trigger corrective action.
  • Sensitive information handling is inconsistent.
  • Iso27001
  • ISO27002
  • Audit
  • Evidence
  • A5 10

Note Metadata

Aliases: A.5.10 Evidence

Source: 04 Audit Evidence Packs/A.5.10 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.