UnixTime

Research Note

A.5.29 Audit Evidence Pack

The auditor wants to confirm that information security is maintained at an appropriate level during disruption and that continuity plans include security objectives, roles, requ...

On this page

What the auditor wants to verify

Audit objective

This is the core audit assertion. Evidence should prove design, implementation, and operation.

The auditor wants to confirm that information security is maintained at an appropriate level during disruption and that continuity plans include security objectives, roles, requirements, supplier considerations, and testing.

Evidence to request

Evidence Purpose
Information security continuity objectives Shows the control can be verified
Business continuity or crisis plan Shows the control can be verified
Business impact analysis with security requirements Shows the control can be verified
Continuity risk assessment Shows the control can be verified
Continuity exercise records Shows the control can be verified
Supplier continuity/security review records Shows the control can be verified

Strong evidence

Strong evidence test

Prefer dated, owned, reviewed records that show the control operated for real cases.

  • Documented information security continuity objectives are approved by management.
  • Business impact analysis includes security requirements, not only recovery timing.
  • Continuity and disaster recovery plans include access control, communications, supplier, data protection, and emergency change controls.
  • Security and continuity specialists both contributed to plan design or review.
  • Continuity exercises include information security scenarios and responsibilities.
  • Supplier continuity arrangements are reviewed for security adequacy.

Weak evidence

Weak evidence warning

Weak evidence usually shows a document exists but does not prove operation or effectiveness.

  • Continuity plan focuses only on restoring operations.
  • Security is assumed to continue but not specified.
  • Emergency access is allowed without approval, logging, or review.
  • Supplier continuity plans are accepted without checking security requirements.
  • Staff with crisis roles cannot explain security responsibilities.
  • Continuity testing ignores security decisions.

Sample interview questions

  • What security objectives apply during disruption?
  • Where are security requirements captured in business continuity planning?
  • Who owns security decisions during crisis response?
  • How are supplier continuity arrangements checked for security adequacy?
  • Show a continuity test where information security responsibilities were exercised.

Common nonconformities

  • Business continuity plans restore service but weaken access control
  • Emergency workarounds are undocumented
  • Security team is not involved in continuity planning
  • Supplier continuity arrangements are not reviewed
  • Plans are untested
  • Iso27001
  • ISO27002
  • Audit
  • Evidence
  • A5 29

Note Metadata

Aliases: A.5.29 Evidence

Source: 04 Audit Evidence Packs/A.5.29 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.