UnixTime

Research Note

A.5.28 Audit Evidence Pack

The auditor wants to confirm that procedures exist and operate for identifying, collecting, acquiring, preserving, storing, and protecting evidence related to information securi...

On this page

What the auditor wants to verify

Audit objective

This is the core audit assertion. Evidence should prove design, implementation, and operation.

The auditor wants to confirm that procedures exist and operate for identifying, collecting, acquiring, preserving, storing, and protecting evidence related to information security events.

Evidence to request

Evidence Purpose
Evidence collection procedure Shows the control can be verified
Chain-of-custody records Shows the control can be verified
Evidence storage access records Shows the control can be verified
Forensic image records Shows the control can be verified
Evidence transfer records Shows the control can be verified
Retention/disposal records Shows the control can be verified

Strong evidence

Strong evidence test

Prefer dated, owned, reviewed records that show the control operated for real cases.

  • Evidence procedure covers identification, collection, acquisition, preservation, storage, access, transfer, and disposal.
  • Chain-of-custody logs are complete and timestamped.
  • Evidence storage is access-controlled and tamper-resistant.
  • Forensic copies are used where original evidence must be preserved.
  • Evidence collection starts early enough to avoid contamination or destruction.

Weak evidence

Weak evidence warning

Weak evidence usually shows a document exists but does not prove operation or effectiveness.

  • Screenshots or logs are saved without custody records.
  • Evidence is stored in shared folders with broad access.
  • Original systems are modified before evidence is captured.
  • No trigger criteria for evidence collection.
  • No record of who handled evidence.

Sample interview questions

  • When is evidence collection activated?
  • How do responders preserve original evidence?
  • Show a chain-of-custody record.
  • Who can access stored evidence?
  • How do you prove evidence was not modified or destroyed without authorization?

Common nonconformities

  • Evidence collection begins too late.
  • Responders overwrite logs during recovery.
  • No chain of custody.
  • Evidence access is not restricted.
  • Forensic work is performed on originals instead of copies.
  • Procedures ignore jurisdictional or legal admissibility requirements.
  • Iso27001
  • ISO27002
  • Audit
  • Evidence
  • A5 28

Note Metadata

Aliases: A.5.28 Evidence

Source: 04 Audit Evidence Packs/A.5.28 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.