What the auditor wants to verify
Audit objective
This is the core audit assertion. Evidence should prove design, implementation, and operation.
The auditor wants to confirm that physical and logical access rules are defined, implemented, approved, reviewed, and based on business and information security requirements.
Evidence to request
| Evidence | Purpose |
|---|---|
| Access control policy | Shows access rules are documented |
| Access control matrix | Shows role-based or asset-based access rules |
| Access request and approval records | Shows access is authorized |
| Asset owner approvals | Shows access is controlled by accountable owners |
| Access review records | Shows access is periodically checked |
| Leaver and mover records | Shows access changes after role or employment changes |
| Privileged access register | Shows high-risk access is controlled |
| Physical access records | Shows premises access is governed |
| System access exports | Allows actual access testing |
| Exception records | Shows deviations are risk-managed |
Strong evidence
Strong evidence test
Prefer dated, owned, reviewed records that show the control operated for real cases.
- Access policy defines least privilege, need-to-know, need-to-use, approvals, reviews, and removals.
- Access is traceable to business need and owner approval.
- Role-based profiles are defined and reviewed.
- Sensitive assets have tighter access rules.
- Access reviews result in removals or corrections.
- Leaver and mover changes are prompt.
- Senior and privileged access is justified and monitored.
- Physical and logical access are both addressed.
Weak evidence
Weak evidence warning
Weak evidence usually shows a document exists but does not prove operation or effectiveness.
- Access granted because someone asked.
- Senior staff have broad access without justification.
- Reviews confirm account existence but not business need.
- Asset owners do not approve access.
- Sensitive repositories use broad groups.
- Privileged access not reviewed separately.
- Physical access not reviewed.
Sample interview questions
Ask asset owners
- Who approves access to your asset?
- How do you know access matches business need?
- How often do you review access?
- What happens when someone no longer needs access?
Ask IT/security
- How is access provisioned?
- How are role-based profiles managed?
- How is privileged access controlled?
- How do you detect excessive access?
Ask managers
- How do you request access for team members?
- How do role changes trigger access changes?
- What access should senior staff have and why?
Common nonconformities
- No access control policy.
- Access not linked to business need.
- Access not approved by owner or authorized role.
- Least privilege not applied.
- Access reviews not performed or ineffective.
- Mover access not updated.
- Privileged access excessive or unjustified.
- Physical access ignored.
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A5 15
Note Metadata
Aliases: A.5.15 Evidence
Source: 04 Audit Evidence Packs/A.5.15 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.