What the auditor wants to verify
Audit objective
This is the core audit assertion. Evidence should prove design, implementation, and operation.
The auditor wants to confirm that ICT supply-chain risks are identified and managed, including inherited risks from subcontractors, cloud providers, support parties, hosting providers, and other dependencies.
Evidence to request
| Evidence | Purpose |
|---|---|
| ICT supply-chain risk register | Shows dependencies are identified |
| Supplier risk assessments | Shows inherited risks are evaluated |
| Subcontractor disclosures | Shows delegated service parties are known |
| Service architecture descriptions | Shows delivery dependencies |
| Agreement clauses | Shows flow-down and notification obligations |
| Assurance reports/certifications | Supports supplier control claims |
| Change notifications | Shows supply-chain changes are monitored |
| Incident reports | Shows supply-chain issues are escalated |
Strong evidence
Strong evidence test
Prefer dated, owned, reviewed records that show the control operated for real cases.
- Critical ICT suppliers have recorded dependency information.
- Risk assessment includes hosting, support, subcontractors, and data location.
- Agreements require notification of material supply-chain changes.
- High-risk supplier assurance is reviewed.
- Supplier changes trigger reassessment.
Weak evidence
Weak evidence warning
Weak evidence usually shows a document exists but does not prove operation or effectiveness.
- Supplier review only covers the direct vendor.
- No subcontractor or hosting visibility.
- Contracts do not require supply-chain notifications.
- Supplier changes are discovered informally.
- No risk-based depth of review.
Sample interview questions
- Which ICT suppliers are most critical?
- Which subcontractors or hosting providers support those services?
- How are material supplier changes notified and approved?
- How are flow-down security obligations handled?
- What assurance evidence is reviewed for critical ICT suppliers?
Common nonconformities
- ICT supply-chain dependencies not identified.
- Indirect supplier risk not assessed.
- No subcontractor or platform change notification clause.
- No review of supplier assurance.
- No risk reassessment after supplier dependency changes.
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A5 21
Note Metadata
Aliases: A.5.21 Evidence
Source: 04 Audit Evidence Packs/A.5.21 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.5.21 - Managing Information Security in the ICT Supply Chain
- Audit Evidence MOC
- AQ-ISO27001-A.5.21 Managing Information Security in the ICT Supply Chain
- A.5 Organizational Controls Audit Guide
- A.5.21 Audit Checklist
- ICT Supply Chain Risk Register
- Supplier Security Agreement Requirements Checklist
- Audit Evidence Index