What the auditor wants to verify
Audit objective
This is the core audit assertion. Evidence should prove design, implementation, and operation.
The auditor wants to confirm that the organization has a clear, usable classification scheme and that information is classified according to confidentiality, integrity, availability, business needs, and relevant interested-party requirements.
Evidence to request
| Evidence | Purpose |
|---|---|
| Classification policy or standard | Shows the scheme is defined |
| Classification and handling matrix | Shows labels drive protection requirements |
| Information asset inventory | Shows classification is recorded for assets |
| Owner approval records | Shows asset owners classify or approve classification |
| Training records | Shows staff understand the scheme |
| Review or reclassification records | Shows classification is maintained |
| External classification mapping | Shows third-party labels are understood |
| Sampled documents/data sets | Shows classification is applied |
| Risk assessment records | Shows classification supports protection decisions |
Strong evidence
Strong evidence test
Prefer dated, owned, reviewed records that show the control operated for real cases.
- Classification levels have clear definitions.
- Handling rules differ by classification.
- Asset owners assign or approve classification.
- Classification is recorded in the inventory.
- Users understand the labels.
- Classifications are reviewed and changed when sensitivity changes.
- External classification schemes are mapped to internal handling rules.
Weak evidence
Weak evidence warning
Weak evidence usually shows a document exists but does not prove operation or effectiveness.
- Labels exist without definitions.
- Too many confusing levels.
- All information marked confidential by default.
- Classification not linked to handling requirements.
- Classification missing from asset inventory.
- No process to downgrade stale information.
- Staff cannot explain what labels mean.
Sample interview questions
Ask asset owners
- Which assets do you own and how are they classified?
- What factors drive the classification?
- When would you upgrade or downgrade the classification?
- How do you confirm handling rules are followed?
Ask users
- What classification labels do you use?
- What does each label require you to do?
- How do you classify new documents or data?
- What do you do with client-provided labels?
Ask security or compliance
- How is the classification scheme maintained?
- How is it mapped to external or client classifications?
- How is classification reviewed?
Common nonconformities
- No documented classification scheme.
- Classification scheme too complex or unclear.
- Classification not applied to in-scope information.
- No handling rules by classification.
- Asset owners not involved.
- No review or reclassification process.
- External labels misunderstood.
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A5 12
Note Metadata
Aliases: A.5.12 Evidence
Source: 04 Audit Evidence Packs/A.5.12 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.