UnixTime

Research Note

A.5.30 Audit Evidence Pack

The auditor wants to confirm that ICT readiness is planned, implemented, maintained, and tested based on business continuity objectives and ICT continuity requirements.

On this page

What the auditor wants to verify

Audit objective

This is the core audit assertion. Evidence should prove design, implementation, and operation.

The auditor wants to confirm that ICT readiness is planned, implemented, maintained, and tested based on business continuity objectives and ICT continuity requirements.

Evidence to request

Evidence Purpose
Business impact analysis Shows the control can be verified
ICT continuity requirements Shows the control can be verified
RTO/RPO register Shows the control can be verified
Recovery playbooks Shows the control can be verified
Backup and restore test records Shows the control can be verified
Supplier ICT continuity review records Shows the control can be verified

Strong evidence

Strong evidence test

Prefer dated, owned, reviewed records that show the control operated for real cases.

  • BIA or continuity analysis identifies priority ICT services and recovery sequence.
  • RTO, RPO, and service restoration expectations are documented and approved.
  • Recovery playbooks are available to responders and usable under stress.
  • ICT continuity tests cover important systems and likely failure modes.
  • Test findings and real continuity events lead to improvements.
  • Supplier ICT continuity arrangements are reviewed or tested where dependency is significant.

Weak evidence

Weak evidence warning

Weak evidence usually shows a document exists but does not prove operation or effectiveness.

  • RTO/RPO values exist but are not tied to business priorities.
  • Recovery plans are outdated or unavailable to responders.
  • Backups exist but restoration has not been tested.
  • Testing covers only easy scenarios.
  • IT and business stakeholders disagree on restoration priorities.
  • Supplier resilience is assumed from contract wording.

Sample interview questions

  • Which ICT services are most critical and why?
  • What RTO and RPO apply to this service?
  • How do IT recovery priorities match business priorities?
  • Show a recent restore or continuity test record.
  • How are supplier ICT continuity dependencies reviewed or tested?

Common nonconformities

  • Continuity requirements are not based on business impact
  • Backups are treated as the whole continuity plan
  • RTO and RPO are unrealistic
  • Supplier continuity is not tested or reviewed
  • Test findings are not tracked to closure
  • Iso27001
  • ISO27002
  • Audit
  • Evidence
  • A5 30

Note Metadata

Aliases: A.5.30 Evidence

Source: 04 Audit Evidence Packs/A.5.30 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.