UnixTime

Research Note

A.5.14 Audit Evidence Pack

The auditor wants to confirm that the organization has documented and implemented rules, procedures, or agreements for transferring information internally and externally across...

On this page

What the auditor wants to verify

Audit objective

This is the core audit assertion. Evidence should prove design, implementation, and operation.

The auditor wants to confirm that the organization has documented and implemented rules, procedures, or agreements for transferring information internally and externally across all relevant transfer channels.

Evidence to request

Evidence Purpose
Information transfer policy Shows transfer rules are documented
Transfer rules matrix Shows approved channels by classification
Secure transfer procedure Shows users know how to transfer sensitive information
Approved messaging/platform list Shows permitted services are defined
Third-party transfer agreements Shows external transfers are contractually controlled
User training records Shows users understand transfer risks
DLP, mail gateway, or file-sharing configuration Shows technical controls support policy
Secure transfer logs Shows sensitive transfers are controlled and traceable
External messaging access records Shows platform access is restricted where required
Incident records Shows transfer failures are identified and corrected

Strong evidence

Strong evidence test

Prefer dated, owned, reviewed records that show the control operated for real cases.

  • Rules cover email, messaging, file sharing, physical transfer, verbal transfer, removable media, and third-party exchange.
  • Transfer methods are mapped to classification or sensitivity.
  • Sensitive transfer uses encryption, recipient verification, access control, secure portals, or logging.
  • Third-party agreements define transfer controls and review requirements.
  • Users can explain which channels are permitted for sensitive information.
  • Technical controls detect or block prohibited transfer methods.
  • Transfer incidents lead to corrective action.

Weak evidence

Weak evidence warning

Weak evidence usually shows a document exists but does not prove operation or effectiveness.

  • Policy only says “use secure methods.”
  • No approved channel list.
  • Sensitive information is sent by normal email without compensating controls.
  • Third-party transfer arrangements are undocumented.
  • External messaging platforms are used informally.
  • Physical transfer and phone conversations are ignored.
  • Staff cannot explain transfer rules.

Sample interview questions

Ask users

  • Which tools are approved for sending confidential information?
  • What do you do before sending sensitive information externally?
  • Can you use personal messaging or consumer cloud storage?
  • How do you handle sensitive printouts or courier transfer?
  • What would you do if you sent information to the wrong person?

Ask security or IT

  • How are approved transfer channels enforced?
  • What external messaging platforms are allowed?
  • How is external sharing monitored?
  • What malware, source, or integrity checks apply to incoming data?
  • Which third parties receive sensitive information?
  • Do agreements define transfer controls?
  • How are changes in transfer practice reviewed?

Common nonconformities

  • No information transfer policy or procedure.
  • Rules do not cover all actual transfer channels.
  • No mapping between classification and transfer method.
  • Third-party transfers not governed by agreements.
  • External messaging platforms unmanaged.
  • No technical enforcement or monitoring.
  • Transfer incidents not reviewed for improvement.
  • Iso27001
  • ISO27002
  • Audit
  • Evidence
  • A5 14

Note Metadata

Aliases: A.5.14 Evidence

Source: 04 Audit Evidence Packs/A.5.14 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.