What the auditor wants to verify
Audit objective
This is the core audit assertion. Evidence should prove design, implementation, and operation.
The auditor wants to confirm that knowledge from incidents is captured and used to improve controls, procedures, awareness, risk treatment, and the ISMS.
Evidence to request
| Evidence | Purpose |
|---|---|
| Post-incident review records | Shows the control can be verified |
| Lessons learned register | Shows the control can be verified |
| Corrective action tracker | Shows the control can be verified |
| Updated procedures or controls | Shows the control can be verified |
| Training updates | Shows the control can be verified |
| Management review inputs | Shows the control can be verified |
Strong evidence
Strong evidence test
Prefer dated, owned, reviewed records that show the control operated for real cases.
- Post-incident review records identify root causes and control failures.
- Corrective actions are tracked to closure with evidence.
- Lessons update procedures, controls, risk assessments, training, or supplier controls.
- Anonymized examples are used in awareness where appropriate.
- Incident trends are reported to management review.
Weak evidence
Weak evidence warning
Weak evidence usually shows a document exists but does not prove operation or effectiveness.
- Lessons learned meeting held but no actions recorded.
- Corrective actions closed without evidence.
- Training uses generic examples unrelated to actual incidents.
- No link to risk assessment or control improvement.
- The organization claims no incidents but has no event reporting evidence.
Sample interview questions
- Show a post-incident review and the actions created from it.
- How did the incident change controls, procedures, training, or risk treatment?
- How are recurring minor incidents reviewed?
- How are lessons reported to management review?
- What evidence proves corrective actions were completed?
Common nonconformities
- Post-incident reviews are skipped after service restoration.
- Root cause stops at human error.
- Actions are not owned or tracked.
- The same incident repeats with no control change.
- Management never sees incident trends.
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A5 27
Note Metadata
Aliases: A.5.27 Evidence
Source: 04 Audit Evidence Packs/A.5.27 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.5.27 - Learning from Information Security Incidents
- Audit Evidence MOC
- AQ-ISO27001-A.5.27 Learning from Information Security Incidents
- A.5 Organizational Controls Audit Guide
- ISO27001-A.5.27 Learning from Information Security Incidents
- A.5.27 Audit Checklist
- Incident Lessons Learned Register
- Audit Evidence Index