UnixTime

Research Note

A.5.23 Audit Evidence Pack

The auditor wants to confirm that cloud service acquisition, use, management, and exit are governed according to the organization's information security requirements.

On this page

What the auditor wants to verify

Audit objective

This is the core audit assertion. Evidence should prove design, implementation, and operation.

The auditor wants to confirm that cloud service acquisition, use, management, and exit are governed according to the organization’s information security requirements.

Evidence to request

Evidence Purpose
Cloud service register Shows cloud services are known and owned
Cloud risk assessments Shows cloud-specific risks are assessed
Shared responsibility matrix Shows responsibility split is understood
Security requirements checklist Shows acquisition criteria are defined
Cloud agreements/security addenda Shows requirements are formally addressed
Configuration evidence Shows required controls are enabled
Provider assurance reports Shows provider controls are reviewed
Service dashboards/reports Shows service performance is monitored
Incident notification records Shows incidents are communicated and reviewed
Exit plan Shows migration, deletion, and termination are planned

Strong evidence

Strong evidence test

Prefer dated, owned, reviewed records that show the control operated for real cases.

  • Cloud register includes owner, classification, provider, location, support model, and exit status.
  • Risk assessments include data location, support location, shared responsibility, provider terms, configuration, and exit.
  • Security features such as encryption, logging, MFA, backup, and monitoring are enabled or risk-accepted.
  • Provider incident notifications are proactive and reviewed.
  • Critical cloud services have exit plans.
  • Risks above tolerance are approved by appropriate management.

Weak evidence

Weak evidence warning

Weak evidence usually shows a document exists but does not prove operation or effectiveness.

  • Cloud services tracked only through finance spend.
  • Provider certification accepted without customer-side responsibility review.
  • Data location is unknown.
  • Security options exist but are not enabled.
  • Incident notifications require manual portal checks only.
  • No exit plan.

Sample interview questions

  • How are cloud services approved before use?
  • Who owns each cloud service?
  • How do you know where data is stored or supported from?
  • How are shared responsibilities documented?
  • Which security features are mandatory for this cloud service?
  • How are provider incidents communicated and acted on?
  • What is the exit plan for a critical cloud service?

Common nonconformities

  • No cloud service register.
  • No cloud-specific risk assessment.
  • Shared responsibility not defined.
  • Required cloud security features not enabled.
  • Provider risks above tolerance not formally accepted.
  • No cloud exit process.
  • Iso27001
  • ISO27002
  • Audit
  • Evidence
  • A5 23

Note Metadata

Aliases: A.5.23 Evidence

Source: 04 Audit Evidence Packs/A.5.23 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.