UnixTime

Research Note

A.5.24 Audit Evidence Pack

The auditor wants to confirm that incident management processes, roles, responsibilities, reporting routes, and preparation activities are defined, established, communicated, an...

On this page

What the auditor wants to verify

Audit objective

This is the core audit assertion. Evidence should prove design, implementation, and operation.

The auditor wants to confirm that incident management processes, roles, responsibilities, reporting routes, and preparation activities are defined, established, communicated, and ready to operate.

Evidence to request

Evidence Purpose
Incident management procedure Shows process is defined
Incident response plan/playbooks Shows response steps exist
Roles and responsibilities matrix Shows accountability is assigned
Reporting channel evidence Shows events can be reported
Incident register Shows events are tracked
Triage/investigation records Shows reports are reviewed
Recovery records Shows recovery is triggered where needed
Exercise/tabletop records Shows readiness is tested
Lessons learned records Shows improvement happens
Corrective action records Shows root causes are addressed

Strong evidence

Strong evidence test

Prefer dated, owned, reviewed records that show the control operated for real cases.

  • Process covers triage, escalation, investigation, containment, recovery, communication, evidence handling, and review.
  • Roles are assigned to named functions or owners.
  • Personnel know how to report events and weaknesses.
  • Sample incidents show review, action, closure, and lessons learned.
  • Exercises test likely scenarios.
  • Incident outcomes feed risk review and corrective action.

Weak evidence

Weak evidence warning

Weak evidence usually shows a document exists but does not prove operation or effectiveness.

  • Incident plan exists but no one knows how to report.
  • Roles are generic or unassigned.
  • Incidents handled only through informal chat.
  • No escalation criteria.
  • No exercise evidence.
  • No post-incident review or corrective action.

Sample interview questions

  • How should staff report a suspected incident or weakness?
  • Who triages reported events?
  • What makes an incident major or reportable?
  • Who approves communications during an incident?
  • How are recovery procedures triggered?
  • Show a recent event and how it was reviewed.
  • How are lessons learned captured?

Common nonconformities

  • No incident management process.
  • Reporting channels not communicated.
  • Roles and responsibilities unclear.
  • No incident register.
  • No evidence of testing or exercises.
  • Lessons learned not performed.
  • Corrective actions not tracked.