UnixTime

Research Note

A.5.20 Audit Evidence Pack

The auditor wants to confirm that supplier security requirements are established, agreed, authorized, and appropriate to the supplier relationship before access or information s...

On this page

What the auditor wants to verify

Audit objective

This is the core audit assertion. Evidence should prove design, implementation, and operation.

The auditor wants to confirm that supplier security requirements are established, agreed, authorized, and appropriate to the supplier relationship before access or information sharing begins.

Evidence to request

Evidence Purpose
Supplier risk assessment Shows agreement requirements are risk-based
Supplier contract or agreement Shows requirements are formally agreed
Security schedule/addendum Shows detailed controls are included
Supplier responsibility matrix Shows control ownership between parties
Access approval records Shows access follows agreement readiness
Supplier security plan Shows supplier understands requirements
Deviation/exception records Shows unmet requirements are managed
Approval/signatory evidence Shows agreement is authorized
Termination and exit clauses Shows end-of-service obligations are defined

Strong evidence

Strong evidence test

Prefer dated, owned, reviewed records that show the control operated for real cases.

  • Contract terms map to supplier access, information exposure, and service criticality.
  • Security requirements are agreed before supplier access begins.
  • Responsibilities are explicitly assigned.
  • Subcontractor, incident, audit, termination, and data handling terms are included where relevant.
  • Deviations are risk-assessed, approved, and reviewed.

Weak evidence

Weak evidence warning

Weak evidence usually shows a document exists but does not prove operation or effectiveness.

  • Generic contract with no security clauses.
  • Supplier access granted before agreement completion.
  • Security requirements exist only in email.
  • No clear responsibility split.
  • No evidence of authorized approval.
  • Exceptions are accepted informally.

Sample interview questions

  • How do you decide which security clauses apply to each supplier?
  • Who approves supplier security requirements?
  • What prevents supplier access before requirements are agreed?
  • How are deviations from supplier security requirements approved?
  • How are subcontractor, incident, termination, and audit requirements handled?

Common nonconformities

  • Security requirements not included in supplier agreements.
  • Agreement does not match supplier risk.
  • Access granted before security terms are in place.
  • Supplier responsibilities unclear.
  • No documented approval for deviations.
  • Iso27001
  • ISO27002
  • Audit
  • Evidence
  • A5 20

Note Metadata

Aliases: A.5.20 Evidence

Source: 04 Audit Evidence Packs/A.5.20 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.