What the auditor wants to verify
Audit objective
This is the core audit assertion. Evidence should prove design, implementation, and operation.
The auditor wants to confirm that labelling procedures exist, align with the classification scheme, and are implemented across relevant physical and digital forms of information.
Evidence to request
| Evidence | Purpose |
|---|---|
| Labelling procedure | Shows labelling rules are defined |
| Classification scheme | Shows labels align to classification levels |
| Sample labelled documents | Shows labels are applied |
| Sensitivity label configuration | Shows digital labelling is implemented |
| Email or DLP label settings | Shows transmission controls support labels |
| Repository/folder classification rules | Shows contextual labelling exists |
| Training records | Shows users understand labels |
| External data exchange procedure | Shows third-party labels are interpreted |
| Review or expiry records | Shows labels are updated when sensitivity changes |
Strong evidence
Strong evidence test
Prefer dated, owned, reviewed records that show the control operated for real cases.
- Labelling procedure maps clearly to classification levels.
- Labels are visible or otherwise actionable at the point of use.
- Physical and digital formats are covered.
- Labels persist through printing, export, email, or transfer where practical.
- External labels are mapped to internal handling rules.
- Users can explain what labels mean and how to apply them.
Weak evidence
Weak evidence warning
Weak evidence usually shows a document exists but does not prove operation or effectiveness.
- Classification exists but labelling procedure is missing.
- Digital information is not labelled.
- Labels disappear when printed or exported.
- Labels are inconsistent or hard to find.
- External labels are accepted without interpretation.
- Users do not know what action a label requires.
Sample interview questions
Ask users
- How do you label confidential information?
- What happens when you print or forward labelled information?
- What do you do if external information has a label you do not recognize?
Ask asset owners
- Who decides the label for your information?
- How do you ensure labels represent the most sensitive content?
- When do labels expire or change?
Ask IT/security
- What technical labelling tools are used?
- Do labels persist through email, printing, export, or repository moves?
- How are system or folder-level labels managed?
Common nonconformities
- No labelling procedure.
- Labels not aligned to classification scheme.
- Physical documents labelled but digital information not covered.
- Labels do not persist when information changes form.
- Most sensitive content in a container is not reflected in the label.
- External labels are not mapped.
- Users do not understand labels.
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A5 13
Note Metadata
Aliases: A.5.13 Evidence
Source: 04 Audit Evidence Packs/A.5.13 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.