UnixTime

Research Note

A.5.13 Audit Evidence Pack

The auditor wants to confirm that labelling procedures exist, align with the classification scheme, and are implemented across relevant physical and digital forms of information.

On this page

What the auditor wants to verify

Audit objective

This is the core audit assertion. Evidence should prove design, implementation, and operation.

The auditor wants to confirm that labelling procedures exist, align with the classification scheme, and are implemented across relevant physical and digital forms of information.

Evidence to request

Evidence Purpose
Labelling procedure Shows labelling rules are defined
Classification scheme Shows labels align to classification levels
Sample labelled documents Shows labels are applied
Sensitivity label configuration Shows digital labelling is implemented
Email or DLP label settings Shows transmission controls support labels
Repository/folder classification rules Shows contextual labelling exists
Training records Shows users understand labels
External data exchange procedure Shows third-party labels are interpreted
Review or expiry records Shows labels are updated when sensitivity changes

Strong evidence

Strong evidence test

Prefer dated, owned, reviewed records that show the control operated for real cases.

  • Labelling procedure maps clearly to classification levels.
  • Labels are visible or otherwise actionable at the point of use.
  • Physical and digital formats are covered.
  • Labels persist through printing, export, email, or transfer where practical.
  • External labels are mapped to internal handling rules.
  • Users can explain what labels mean and how to apply them.

Weak evidence

Weak evidence warning

Weak evidence usually shows a document exists but does not prove operation or effectiveness.

  • Classification exists but labelling procedure is missing.
  • Digital information is not labelled.
  • Labels disappear when printed or exported.
  • Labels are inconsistent or hard to find.
  • External labels are accepted without interpretation.
  • Users do not know what action a label requires.

Sample interview questions

Ask users

  • How do you label confidential information?
  • What happens when you print or forward labelled information?
  • What do you do if external information has a label you do not recognize?

Ask asset owners

  • Who decides the label for your information?
  • How do you ensure labels represent the most sensitive content?
  • When do labels expire or change?

Ask IT/security

  • What technical labelling tools are used?
  • Do labels persist through email, printing, export, or repository moves?
  • How are system or folder-level labels managed?

Common nonconformities

  • No labelling procedure.
  • Labels not aligned to classification scheme.
  • Physical documents labelled but digital information not covered.
  • Labels do not persist when information changes form.
  • Most sensitive content in a container is not reflected in the label.
  • External labels are not mapped.
  • Users do not understand labels.
  • Iso27001
  • ISO27002
  • Audit
  • Evidence
  • A5 13

Note Metadata

Aliases: A.5.13 Evidence

Source: 04 Audit Evidence Packs/A.5.13 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.