What the auditor wants to verify
Audit objective
This is the core audit assertion. Evidence should prove design, implementation, and operation.
The auditor wants to confirm that ICT readiness is planned, implemented, maintained, and tested based on business continuity objectives and ICT continuity requirements.
Evidence to request
| Evidence | Purpose |
|---|---|
| Business impact analysis | Shows the control can be verified |
| ICT continuity requirements | Shows the control can be verified |
| RTO/RPO register | Shows the control can be verified |
| Recovery playbooks | Shows the control can be verified |
| Backup and restore test records | Shows the control can be verified |
| Supplier ICT continuity review records | Shows the control can be verified |
Strong evidence
Strong evidence test
Prefer dated, owned, reviewed records that show the control operated for real cases.
- BIA or continuity analysis identifies priority ICT services and recovery sequence.
- RTO, RPO, and service restoration expectations are documented and approved.
- Recovery playbooks are available to responders and usable under stress.
- ICT continuity tests cover important systems and likely failure modes.
- Test findings and real continuity events lead to improvements.
- Supplier ICT continuity arrangements are reviewed or tested where dependency is significant.
Weak evidence
Weak evidence warning
Weak evidence usually shows a document exists but does not prove operation or effectiveness.
- RTO/RPO values exist but are not tied to business priorities.
- Recovery plans are outdated or unavailable to responders.
- Backups exist but restoration has not been tested.
- Testing covers only easy scenarios.
- IT and business stakeholders disagree on restoration priorities.
- Supplier resilience is assumed from contract wording.
Sample interview questions
- Which ICT services are most critical and why?
- What RTO and RPO apply to this service?
- How do IT recovery priorities match business priorities?
- Show a recent restore or continuity test record.
- How are supplier ICT continuity dependencies reviewed or tested?
Common nonconformities
- Continuity requirements are not based on business impact
- Backups are treated as the whole continuity plan
- RTO and RPO are unrealistic
- Supplier continuity is not tested or reviewed
- Test findings are not tracked to closure
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A5 30
Note Metadata
Aliases: A.5.30 Evidence
Source: 04 Audit Evidence Packs/A.5.30 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.5.30 - ICT Readiness for Business Continuity
- Audit Evidence MOC
- AQ-ISO27001-A.5.30 ICT Readiness for Business Continuity
- A.5 Organizational Controls Audit Guide
- ISO27001-A.5.30 ICT Readiness for Business Continuity
- A.5.30 Audit Checklist
- ICT Continuity Requirements and Test Record
- Audit Evidence Index