What the auditor wants to verify
Audit objective
This is the core audit assertion. Evidence should prove design, implementation, and operation.
The auditor wants to confirm that procedures exist and operate for identifying, collecting, acquiring, preserving, storing, and protecting evidence related to information security events.
Evidence to request
| Evidence | Purpose |
|---|---|
| Evidence collection procedure | Shows the control can be verified |
| Chain-of-custody records | Shows the control can be verified |
| Evidence storage access records | Shows the control can be verified |
| Forensic image records | Shows the control can be verified |
| Evidence transfer records | Shows the control can be verified |
| Retention/disposal records | Shows the control can be verified |
Strong evidence
Strong evidence test
Prefer dated, owned, reviewed records that show the control operated for real cases.
- Evidence procedure covers identification, collection, acquisition, preservation, storage, access, transfer, and disposal.
- Chain-of-custody logs are complete and timestamped.
- Evidence storage is access-controlled and tamper-resistant.
- Forensic copies are used where original evidence must be preserved.
- Evidence collection starts early enough to avoid contamination or destruction.
Weak evidence
Weak evidence warning
Weak evidence usually shows a document exists but does not prove operation or effectiveness.
- Screenshots or logs are saved without custody records.
- Evidence is stored in shared folders with broad access.
- Original systems are modified before evidence is captured.
- No trigger criteria for evidence collection.
- No record of who handled evidence.
Sample interview questions
- When is evidence collection activated?
- How do responders preserve original evidence?
- Show a chain-of-custody record.
- Who can access stored evidence?
- How do you prove evidence was not modified or destroyed without authorization?
Common nonconformities
- Evidence collection begins too late.
- Responders overwrite logs during recovery.
- No chain of custody.
- Evidence access is not restricted.
- Forensic work is performed on originals instead of copies.
- Procedures ignore jurisdictional or legal admissibility requirements.
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A5 28
Note Metadata
Aliases: A.5.28 Evidence
Source: 04 Audit Evidence Packs/A.5.28 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.