UnixTime

Research Note

A.5.15 Audit Evidence Pack

The auditor wants to confirm that physical and logical access rules are defined, implemented, approved, reviewed, and based on business and information security requirements.

On this page

What the auditor wants to verify

Audit objective

This is the core audit assertion. Evidence should prove design, implementation, and operation.

The auditor wants to confirm that physical and logical access rules are defined, implemented, approved, reviewed, and based on business and information security requirements.

Evidence to request

Evidence Purpose
Access control policy Shows access rules are documented
Access control matrix Shows role-based or asset-based access rules
Access request and approval records Shows access is authorized
Asset owner approvals Shows access is controlled by accountable owners
Access review records Shows access is periodically checked
Leaver and mover records Shows access changes after role or employment changes
Privileged access register Shows high-risk access is controlled
Physical access records Shows premises access is governed
System access exports Allows actual access testing
Exception records Shows deviations are risk-managed

Strong evidence

Strong evidence test

Prefer dated, owned, reviewed records that show the control operated for real cases.

  • Access policy defines least privilege, need-to-know, need-to-use, approvals, reviews, and removals.
  • Access is traceable to business need and owner approval.
  • Role-based profiles are defined and reviewed.
  • Sensitive assets have tighter access rules.
  • Access reviews result in removals or corrections.
  • Leaver and mover changes are prompt.
  • Senior and privileged access is justified and monitored.
  • Physical and logical access are both addressed.

Weak evidence

Weak evidence warning

Weak evidence usually shows a document exists but does not prove operation or effectiveness.

  • Access granted because someone asked.
  • Senior staff have broad access without justification.
  • Reviews confirm account existence but not business need.
  • Asset owners do not approve access.
  • Sensitive repositories use broad groups.
  • Privileged access not reviewed separately.
  • Physical access not reviewed.

Sample interview questions

Ask asset owners

  • Who approves access to your asset?
  • How do you know access matches business need?
  • How often do you review access?
  • What happens when someone no longer needs access?

Ask IT/security

  • How is access provisioned?
  • How are role-based profiles managed?
  • How is privileged access controlled?
  • How do you detect excessive access?

Ask managers

  • How do you request access for team members?
  • How do role changes trigger access changes?
  • What access should senior staff have and why?

Common nonconformities

  • No access control policy.
  • Access not linked to business need.
  • Access not approved by owner or authorized role.
  • Least privilege not applied.
  • Access reviews not performed or ineffective.
  • Mover access not updated.
  • Privileged access excessive or unjustified.
  • Physical access ignored.
  • Iso27001
  • ISO27002
  • Audit
  • Evidence
  • A5 15

Note Metadata

Aliases: A.5.15 Evidence

Source: 04 Audit Evidence Packs/A.5.15 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.