UnixTime

Research Note

A.5.12 Audit Evidence Pack

The auditor wants to confirm that the organization has a clear, usable classification scheme and that information is classified according to confidentiality, integrity, availabi...

On this page

What the auditor wants to verify

Audit objective

This is the core audit assertion. Evidence should prove design, implementation, and operation.

The auditor wants to confirm that the organization has a clear, usable classification scheme and that information is classified according to confidentiality, integrity, availability, business needs, and relevant interested-party requirements.

Evidence to request

Evidence Purpose
Classification policy or standard Shows the scheme is defined
Classification and handling matrix Shows labels drive protection requirements
Information asset inventory Shows classification is recorded for assets
Owner approval records Shows asset owners classify or approve classification
Training records Shows staff understand the scheme
Review or reclassification records Shows classification is maintained
External classification mapping Shows third-party labels are understood
Sampled documents/data sets Shows classification is applied
Risk assessment records Shows classification supports protection decisions

Strong evidence

Strong evidence test

Prefer dated, owned, reviewed records that show the control operated for real cases.

  • Classification levels have clear definitions.
  • Handling rules differ by classification.
  • Asset owners assign or approve classification.
  • Classification is recorded in the inventory.
  • Users understand the labels.
  • Classifications are reviewed and changed when sensitivity changes.
  • External classification schemes are mapped to internal handling rules.

Weak evidence

Weak evidence warning

Weak evidence usually shows a document exists but does not prove operation or effectiveness.

  • Labels exist without definitions.
  • Too many confusing levels.
  • All information marked confidential by default.
  • Classification not linked to handling requirements.
  • Classification missing from asset inventory.
  • No process to downgrade stale information.
  • Staff cannot explain what labels mean.

Sample interview questions

Ask asset owners

  • Which assets do you own and how are they classified?
  • What factors drive the classification?
  • When would you upgrade or downgrade the classification?
  • How do you confirm handling rules are followed?

Ask users

  • What classification labels do you use?
  • What does each label require you to do?
  • How do you classify new documents or data?
  • What do you do with client-provided labels?

Ask security or compliance

  • How is the classification scheme maintained?
  • How is it mapped to external or client classifications?
  • How is classification reviewed?

Common nonconformities

  • No documented classification scheme.
  • Classification scheme too complex or unclear.
  • Classification not applied to in-scope information.
  • No handling rules by classification.
  • Asset owners not involved.
  • No review or reclassification process.
  • External labels misunderstood.
  • Iso27001
  • ISO27002
  • Audit
  • Evidence
  • A5 12

Note Metadata

Aliases: A.5.12 Evidence

Source: 04 Audit Evidence Packs/A.5.12 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.