UnixTime

Research Note

A.5.2 Audit Evidence Pack

The auditor wants to confirm that information security roles and responsibilities are defined, allocated, documented, communicated, understood, accepted, current, and applied to...

On this page

What the auditor wants to verify

Audit objective

This is the core audit assertion. Evidence should prove design, implementation, and operation.

The auditor wants to confirm that information security roles and responsibilities are defined, allocated, documented, communicated, understood, accepted, current, and applied to employees, contractors, and third parties.

Evidence to request

Evidence Purpose
Information security organization chart Shows overall structure
CISO/ISMS Manager appointment or job description Shows overall responsibility
RACI matrix Shows responsibility and accountability
Control owner register Shows control accountability
Job descriptions Shows role-level responsibilities
Role-specific responsibility documents Shows detailed security duties
Employee handbook/security addendum Shows baseline responsibilities
Policy acknowledgement records Shows acceptance
Training records Shows communication and competence
Contracts/SOWs for contractors Shows third-party responsibilities
Supplier security clauses Shows outsourced responsibility allocation
Role change records Shows responsibilities updated when roles change
Delegation records Shows delegated tasks and accountable oversight
Performance review records for security roles Shows security objectives and follow-up

Strong evidence

Strong evidence test

Prefer dated, owned, reviewed records that show the control operated for real cases.

  • Named information security leader.
  • Job descriptions include security responsibilities.
  • Privileged roles have detailed responsibilities.
  • Employees and contractors acknowledge responsibilities.
  • RACI identifies accountable owners for ISMS processes.
  • Control owner register is current.
  • Role changes trigger updates and training.
  • Outsourced activities have internal owner and supplier obligations.

Weak evidence

Weak evidence warning

Weak evidence usually shows a document exists but does not prove operation or effectiveness.

  • “Everyone knows what to do.”
  • No named security owner.
  • Generic responsibilities only, even for privileged roles.
  • Contractors have access but no documented obligations.
  • Job descriptions outdated.
  • Policies and procedures conflict.
  • Delegated tasks have no verification.
  • No primary accountable owner for key controls.

Sample interview questions

Ask employees

  • What are your basic information security responsibilities?
  • Where can you find security policies?
  • How do you report a suspected incident?
  • What training have you completed?

Ask managers

  • What security responsibilities do you have for your team?
  • How do you ensure staff complete required training?
  • How are role changes handled?
  • How are contractors under your supervision informed of responsibilities?

Ask system owners

  • What systems or assets do you own?
  • Who approves access?
  • How often do you review access?
  • What controls are you accountable for?

Ask security leadership

  • Who has overall security responsibility?
  • How are responsibilities allocated across the ISMS?
  • How do you prevent gaps or overlaps?
  • How are outsourced activities governed?

Common nonconformities

  • Security responsibilities not documented.
  • Contractors and third parties excluded.
  • No accountability for specific controls.
  • Role changes not reflected in documentation.
  • Employees unaware of assigned responsibilities.
  • CISO/security team assigned all risk ownership.
  • Delegation not documented or verified.
  • Responsibilities inconsistent across documents.