UnixTime

Research Note

A.5.19 Audit Evidence Pack

The auditor wants to confirm that supplier information security risks are identified, assessed, controlled, contractually addressed, and reviewed.

On this page

What the auditor wants to verify

Audit objective

This is the core audit assertion. Evidence should prove design, implementation, and operation.

The auditor wants to confirm that supplier information security risks are identified, assessed, controlled, contractually addressed, and reviewed.

Evidence to request

Evidence Purpose
Supplier security policy Shows principles are defined
Supplier security procedure Shows process is implemented
Master supplier list Shows suppliers are known
Supplier risk assessments Shows supplier risks are assessed
Supplier security register Shows exposure, owner, tier, and agreement data
Supplier agreements Shows requirements are contractual
Security questionnaires/assurance evidence Shows due diligence
Supplier access records Shows access is controlled
Subcontractor records Shows delegated work is managed
Supplier review records Shows ongoing oversight
Supplier incident records Shows supplier issues are handled

Strong evidence

Strong evidence test

Prefer dated, owned, reviewed records that show the control operated for real cases.

  • Supplier list includes owner, service, information exposure, access type, risk tier, and agreement reference.
  • Supplier risk is assessed before onboarding and reviewed periodically.
  • Agreements reflect information sensitivity and service impact.
  • High-risk suppliers provide assurance evidence.
  • Supplier access is tied to access and identity processes.
  • Subcontractor use is known and controlled.
  • Supplier changes and incidents trigger review.

Weak evidence

Weak evidence warning

Weak evidence usually shows a document exists but does not prove operation or effectiveness.

  • Procurement list exists but no security assessment.
  • Supplier security handled informally.
  • No record of supplier information exposure.
  • Security terms missing from contracts.
  • Subcontractors unknown.
  • Supplier access not reviewed.
  • All suppliers receive the same superficial review.

Sample interview questions

  • Which suppliers can access sensitive information or systems?
  • Who owns each supplier relationship?
  • How are supplier risks assessed?
  • How are supplier security requirements put into contracts?
  • How are subcontractors controlled?
  • How often are suppliers reviewed?
  • What happens after a supplier security incident?

Common nonconformities

  • No supplier security process.
  • No master supplier list.
  • Supplier owner missing.
  • Supplier risk assessments not performed.
  • Agreements do not address security.
  • Supplier access not governed.
  • Subcontractor risk ignored.
  • Iso27001
  • ISO27002
  • Audit
  • Evidence
  • A5 19

Note Metadata

Aliases: A.5.19 Evidence

Source: 04 Audit Evidence Packs/A.5.19 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.