UnixTime

Research Note

A.5.27 Audit Evidence Pack

The auditor wants to confirm that knowledge from incidents is captured and used to improve controls, procedures, awareness, risk treatment, and the ISMS.

On this page

What the auditor wants to verify

Audit objective

This is the core audit assertion. Evidence should prove design, implementation, and operation.

The auditor wants to confirm that knowledge from incidents is captured and used to improve controls, procedures, awareness, risk treatment, and the ISMS.

Evidence to request

Evidence Purpose
Post-incident review records Shows the control can be verified
Lessons learned register Shows the control can be verified
Corrective action tracker Shows the control can be verified
Updated procedures or controls Shows the control can be verified
Training updates Shows the control can be verified
Management review inputs Shows the control can be verified

Strong evidence

Strong evidence test

Prefer dated, owned, reviewed records that show the control operated for real cases.

  • Post-incident review records identify root causes and control failures.
  • Corrective actions are tracked to closure with evidence.
  • Lessons update procedures, controls, risk assessments, training, or supplier controls.
  • Anonymized examples are used in awareness where appropriate.
  • Incident trends are reported to management review.

Weak evidence

Weak evidence warning

Weak evidence usually shows a document exists but does not prove operation or effectiveness.

  • Lessons learned meeting held but no actions recorded.
  • Corrective actions closed without evidence.
  • Training uses generic examples unrelated to actual incidents.
  • No link to risk assessment or control improvement.
  • The organization claims no incidents but has no event reporting evidence.

Sample interview questions

  • Show a post-incident review and the actions created from it.
  • How did the incident change controls, procedures, training, or risk treatment?
  • How are recurring minor incidents reviewed?
  • How are lessons reported to management review?
  • What evidence proves corrective actions were completed?

Common nonconformities

  • Post-incident reviews are skipped after service restoration.
  • Root cause stops at human error.
  • Actions are not owned or tracked.
  • The same incident repeats with no control change.
  • Management never sees incident trends.
  • Iso27001
  • ISO27002
  • Audit
  • Evidence
  • A5 27

Note Metadata

Aliases: A.5.27 Evidence

Source: 04 Audit Evidence Packs/A.5.27 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.