What the auditor wants to verify
Audit objective
This is the core audit assertion. Evidence should prove design, implementation, and operation.
The auditor wants to confirm that reported security events are assessed using defined criteria and that the incident/non-incident decision is recorded with justification and timing.
Evidence to request
| Evidence | Purpose |
|---|---|
| Event triage register | Shows the control can be verified |
| Incident categorization criteria | Shows the control can be verified |
| Point-of-contact list | Shows the control can be verified |
| Incident reporting records | Shows the control can be verified |
| Notification timeline criteria | Shows the control can be verified |
| Guidance change communication records | Shows the control can be verified |
Strong evidence
Strong evidence test
Prefer dated, owned, reviewed records that show the control operated for real cases.
- Event records show receipt time, triage time, assessor, impact assessment, category, decision, and justification.
- Classification criteria are documented and available to points of contact.
- Major events are confirmed by the incident response role or team.
- Triage targets align with breach notification and contractual timescales.
- Changes to categorization guidance are communicated to points of contact.
Weak evidence
Weak evidence warning
Weak evidence usually shows a document exists but does not prove operation or effectiveness.
- Incident register exists but events are not recorded.
- Tickets are closed without explaining why they were not incidents.
- Triage depends on one person’s informal judgment.
- No documented incident categories or impact criteria.
- No evidence that notification timelines influence triage urgency.
Sample interview questions
- How are reported events assessed before they become incidents?
- Who can confirm the incident classification?
- Show a record where an event was not classified as an incident and explain why.
- What triage targets apply when notification deadlines may be involved?
- How are points of contact informed when categorization guidance changes?
Common nonconformities
- No distinction between event, weakness, and incident.
- Every alert is treated as an incident, overwhelming responders.
- Serious events are left in service desk queues without escalation.
- Classification decisions are not recorded.
- Triage categories are too vague to drive action.
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A5 25
Note Metadata
Aliases: A.5.25 Evidence
Source: 04 Audit Evidence Packs/A.5.25 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.5.25 - Assessment and Decision on Information Security Events
- Audit Evidence MOC
- AQ-ISO27001-A.5.25 Assessment and Decision on Information Security Events
- A.5 Organizational Controls Audit Guide
- ISO27001-A.5.25 Assessment and Decision on Information Security Events
- A.5.25 Audit Checklist
- Event Triage and Incident Classification Register
- Audit Evidence Index