What the auditor wants to verify
Audit objective
This is the core audit assertion. Evidence should prove design, implementation, and operation.
The auditor wants to confirm that incident management processes, roles, responsibilities, reporting routes, and preparation activities are defined, established, communicated, and ready to operate.
Evidence to request
| Evidence | Purpose |
|---|---|
| Incident management procedure | Shows process is defined |
| Incident response plan/playbooks | Shows response steps exist |
| Roles and responsibilities matrix | Shows accountability is assigned |
| Reporting channel evidence | Shows events can be reported |
| Incident register | Shows events are tracked |
| Triage/investigation records | Shows reports are reviewed |
| Recovery records | Shows recovery is triggered where needed |
| Exercise/tabletop records | Shows readiness is tested |
| Lessons learned records | Shows improvement happens |
| Corrective action records | Shows root causes are addressed |
Strong evidence
Strong evidence test
Prefer dated, owned, reviewed records that show the control operated for real cases.
- Process covers triage, escalation, investigation, containment, recovery, communication, evidence handling, and review.
- Roles are assigned to named functions or owners.
- Personnel know how to report events and weaknesses.
- Sample incidents show review, action, closure, and lessons learned.
- Exercises test likely scenarios.
- Incident outcomes feed risk review and corrective action.
Weak evidence
Weak evidence warning
Weak evidence usually shows a document exists but does not prove operation or effectiveness.
- Incident plan exists but no one knows how to report.
- Roles are generic or unassigned.
- Incidents handled only through informal chat.
- No escalation criteria.
- No exercise evidence.
- No post-incident review or corrective action.
Sample interview questions
- How should staff report a suspected incident or weakness?
- Who triages reported events?
- What makes an incident major or reportable?
- Who approves communications during an incident?
- How are recovery procedures triggered?
- Show a recent event and how it was reviewed.
- How are lessons learned captured?
Common nonconformities
- No incident management process.
- Reporting channels not communicated.
- Roles and responsibilities unclear.
- No incident register.
- No evidence of testing or exercises.
- Lessons learned not performed.
- Corrective actions not tracked.
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A5 24
Note Metadata
Aliases: A.5.24 Evidence
Source: 04 Audit Evidence Packs/A.5.24 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.5.24 - Information Security Incident Management Planning and Preparation
- Audit Evidence MOC
- AQ-ISO27001-A.5.24 Information Security Incident Management Planning and Preparation
- A.5 Organizational Controls Audit Guide
- ISO27001-A.5.24 Information Security Incident Management Planning and Preparation
- A.5.24 Audit Checklist
- Incident Management Plan
- Incident Roles and Communications Matrix
- Audit Evidence Index