What the auditor wants to verify
Audit objective
This is the core audit assertion. Evidence should prove design, implementation, and operation.
The auditor wants to confirm that confirmed information security incidents are responded to according to documented procedures and that response decisions, actions, responsibilities, and follow-up are recorded.
Evidence to request
| Evidence | Purpose |
|---|---|
| Incident response procedure | Shows the control can be verified |
| Incident response records | Shows the control can be verified |
| Decision/action log | Shows the control can be verified |
| Containment and recovery records | Shows the control can be verified |
| Communication records | Shows the control can be verified |
| Evidence collection decision records | Shows the control can be verified |
Strong evidence
Strong evidence test
Prefer dated, owned, reviewed records that show the control operated for real cases.
- Incident records map to documented procedure steps.
- Roles and responsibilities are visible in the response record.
- Containment, eradication, recovery, communication, and closure decisions are timestamped.
- Evidence collection decisions are made early and recorded.
- Management approval is present for high-impact decisions.
Weak evidence
Weak evidence warning
Weak evidence usually shows a document exists but does not prove operation or effectiveness.
- A plan exists but incidents are handled entirely in chat.
- No timestamps or decision log.
- No evidence of containment or recovery validation.
- Responsibilities are unclear during response.
- Evidence needs are considered only after systems are changed.
Sample interview questions
- Show an incident record and the documented procedure it followed.
- Who owned containment, communication, recovery, and closure?
- When was the evidence-collection decision made?
- What management approvals were required?
- How were follow-up activities recorded?
Common nonconformities
- Procedures are too generic to guide real response.
- No nominated contact or reporting line.
- Response actions are not recorded.
- Legal/privacy/comms are involved too late.
- Teams destroy evidence while trying to restore service.
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A5 26
Note Metadata
Aliases: A.5.26 Evidence
Source: 04 Audit Evidence Packs/A.5.26 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.5.26 - Response to Information Security Incidents
- Audit Evidence MOC
- AQ-ISO27001-A.5.26 Response to Information Security Incidents
- A.5 Organizational Controls Audit Guide
- ISO27001-A.5.26 Response to Information Security Incidents
- A.5.26 Audit Checklist
- Incident Response Record
- Audit Evidence Index