What the auditor wants to verify
Audit objective
This is the core audit assertion. Evidence should prove design, implementation, and operation.
The auditor wants to confirm that information security roles and responsibilities are defined, allocated, documented, communicated, understood, accepted, current, and applied to employees, contractors, and third parties.
Evidence to request
| Evidence | Purpose |
|---|---|
| Information security organization chart | Shows overall structure |
| CISO/ISMS Manager appointment or job description | Shows overall responsibility |
| RACI matrix | Shows responsibility and accountability |
| Control owner register | Shows control accountability |
| Job descriptions | Shows role-level responsibilities |
| Role-specific responsibility documents | Shows detailed security duties |
| Employee handbook/security addendum | Shows baseline responsibilities |
| Policy acknowledgement records | Shows acceptance |
| Training records | Shows communication and competence |
| Contracts/SOWs for contractors | Shows third-party responsibilities |
| Supplier security clauses | Shows outsourced responsibility allocation |
| Role change records | Shows responsibilities updated when roles change |
| Delegation records | Shows delegated tasks and accountable oversight |
| Performance review records for security roles | Shows security objectives and follow-up |
Strong evidence
Strong evidence test
Prefer dated, owned, reviewed records that show the control operated for real cases.
- Named information security leader.
- Job descriptions include security responsibilities.
- Privileged roles have detailed responsibilities.
- Employees and contractors acknowledge responsibilities.
- RACI identifies accountable owners for ISMS processes.
- Control owner register is current.
- Role changes trigger updates and training.
- Outsourced activities have internal owner and supplier obligations.
Weak evidence
Weak evidence warning
Weak evidence usually shows a document exists but does not prove operation or effectiveness.
- “Everyone knows what to do.”
- No named security owner.
- Generic responsibilities only, even for privileged roles.
- Contractors have access but no documented obligations.
- Job descriptions outdated.
- Policies and procedures conflict.
- Delegated tasks have no verification.
- No primary accountable owner for key controls.
Sample interview questions
Ask employees
- What are your basic information security responsibilities?
- Where can you find security policies?
- How do you report a suspected incident?
- What training have you completed?
Ask managers
- What security responsibilities do you have for your team?
- How do you ensure staff complete required training?
- How are role changes handled?
- How are contractors under your supervision informed of responsibilities?
Ask system owners
- What systems or assets do you own?
- Who approves access?
- How often do you review access?
- What controls are you accountable for?
Ask security leadership
- Who has overall security responsibility?
- How are responsibilities allocated across the ISMS?
- How do you prevent gaps or overlaps?
- How are outsourced activities governed?
Common nonconformities
- Security responsibilities not documented.
- Contractors and third parties excluded.
- No accountability for specific controls.
- Role changes not reflected in documentation.
- Employees unaware of assigned responsibilities.
- CISO/security team assigned all risk ownership.
- Delegation not documented or verified.
- Responsibilities inconsistent across documents.
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A5 2
Note Metadata
Aliases: A.5.2 Evidence
Source: 04 Audit Evidence Packs/A.5.2 Audit Evidence Pack.md
Related Notes
- ISO 27001 A.5.2 - Information Security Roles and Responsibilities
- Audit Evidence MOC
- AQ-ISO27001-A.5.2 Information Security Roles and Responsibilities
- A.5 Organizational Controls Audit Guide
- Template - Control Owner Register
- Template - Information Security Role Definition
- Template - RACI Matrix
- Audit Evidence Index