UnixTime

Research Note

A.5.25 Audit Evidence Pack

The auditor wants to confirm that reported security events are assessed using defined criteria and that the incident/non-incident decision is recorded with justification and tim...

On this page

What the auditor wants to verify

Audit objective

This is the core audit assertion. Evidence should prove design, implementation, and operation.

The auditor wants to confirm that reported security events are assessed using defined criteria and that the incident/non-incident decision is recorded with justification and timing.

Evidence to request

Evidence Purpose
Event triage register Shows the control can be verified
Incident categorization criteria Shows the control can be verified
Point-of-contact list Shows the control can be verified
Incident reporting records Shows the control can be verified
Notification timeline criteria Shows the control can be verified
Guidance change communication records Shows the control can be verified

Strong evidence

Strong evidence test

Prefer dated, owned, reviewed records that show the control operated for real cases.

  • Event records show receipt time, triage time, assessor, impact assessment, category, decision, and justification.
  • Classification criteria are documented and available to points of contact.
  • Major events are confirmed by the incident response role or team.
  • Triage targets align with breach notification and contractual timescales.
  • Changes to categorization guidance are communicated to points of contact.

Weak evidence

Weak evidence warning

Weak evidence usually shows a document exists but does not prove operation or effectiveness.

  • Incident register exists but events are not recorded.
  • Tickets are closed without explaining why they were not incidents.
  • Triage depends on one person’s informal judgment.
  • No documented incident categories or impact criteria.
  • No evidence that notification timelines influence triage urgency.

Sample interview questions

  • How are reported events assessed before they become incidents?
  • Who can confirm the incident classification?
  • Show a record where an event was not classified as an incident and explain why.
  • What triage targets apply when notification deadlines may be involved?
  • How are points of contact informed when categorization guidance changes?

Common nonconformities

  • No distinction between event, weakness, and incident.
  • Every alert is treated as an incident, overwhelming responders.
  • Serious events are left in service desk queues without escalation.
  • Classification decisions are not recorded.
  • Triage categories are too vague to drive action.
  • Iso27001
  • ISO27002
  • Audit
  • Evidence
  • A5 25

Note Metadata

Aliases: A.5.25 Evidence

Source: 04 Audit Evidence Packs/A.5.25 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.