What the auditor wants to verify
Audit objective
This is the core audit assertion. Evidence should prove design, implementation, and operation.
The auditor wants to confirm that supplier security practices and service delivery are monitored, reviewed, evaluated, and changed through a controlled process.
Evidence to request
| Evidence | Purpose |
|---|---|
| Supplier monitoring procedure | Shows review process is defined |
| Supplier review calendar | Shows reviews are planned |
| Service and security reports | Shows supplier performance is monitored |
| Review records/minutes | Shows reports are evaluated |
| Action and nonconformity logs | Shows issues are followed up |
| Supplier change records | Shows changes are assessed |
| Updated risk assessments | Shows changes trigger reassessment |
| Contract variation records | Shows agreements are updated |
| Supplier incident records | Shows incidents are escalated |
| Supplier audit reports | Shows audit rights are used where relevant |
Strong evidence
Strong evidence test
Prefer dated, owned, reviewed records that show the control operated for real cases.
- High-risk suppliers have named owners and scheduled reviews.
- Reports are reviewed and actions are tracked.
- Material changes trigger risk reassessment and approval.
- Supplier incidents link to the organization’s incident process.
- Nonconformities have corrective actions and follow-up.
- Contract changes include security, legal, procurement, and business review where relevant.
Weak evidence
Weak evidence warning
Weak evidence usually shows a document exists but does not prove operation or effectiveness.
- Supplier reports are stored but not reviewed.
- No supplier owner for monitoring.
- Changes are accepted without risk review.
- Incidents remain inside the supplier process.
- SLA review ignores security practices.
- No evidence that audit findings are resolved.
Sample interview questions
- Who reviews supplier security and service reports?
- How are supplier changes assessed before approval?
- What happens when a supplier fails a security requirement?
- How are supplier incidents escalated internally?
- How are supplier audit findings followed up?
Common nonconformities
- No ongoing supplier monitoring process.
- Supplier reviews not performed.
- Supplier changes not risk-assessed.
- Supplier incidents not escalated.
- Corrective actions not tracked.
- Reviewers lack time or competence.
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A5 22
Note Metadata
Aliases: A.5.22 Evidence
Source: 04 Audit Evidence Packs/A.5.22 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.5.22 - Monitoring, Review and Change Management of Supplier Services
- Audit Evidence MOC
- AQ-ISO27001-A.5.22 Monitoring, Review and Change Management of Supplier Services
- A.5 Organizational Controls Audit Guide
- A.5.22 Audit Checklist
- Template - Corrective Action Tracker
- Supplier Service Review and Change Log
- Audit Evidence Index