UnixTime

Research Note

A.5.31 Audit Evidence Pack

The auditor wants to confirm that applicable legal, statutory, regulatory, and contractual information security requirements are identified, documented, owned, kept current, and...

On this page

What the auditor wants to verify

Audit objective

This is the core audit assertion. Evidence should prove design, implementation, and operation.

The auditor wants to confirm that applicable legal, statutory, regulatory, and contractual information security requirements are identified, documented, owned, kept current, and mapped to implemented controls.

Evidence to request

Evidence Purpose
Legal and contractual requirements register Shows the control can be verified
Requirement owner assignments Shows the control can be verified
Control/evidence mapping Shows the control can be verified
Legal or specialist advice records Shows the control can be verified
Crypto/legal assessment records Shows the control can be verified
Requirement change records Shows the control can be verified

Strong evidence

Strong evidence test

Prefer dated, owned, reviewed records that show the control operated for real cases.

  • A current requirements register identifies legal, statutory, regulatory, and contractual information security obligations.
  • Each requirement has an owner, review date, jurisdiction or source, applicable scope, control mapping, and evidence location.
  • Changes in laws, regulations, or contracts are tracked through change control and update affected controls.
  • Cryptography, digital signatures, electronic communication, and cross-border obligations are assessed where relevant.
  • Legal or specialist advice is retained for complex jurisdictions or regulated business activities.
  • Responsible personnel can explain their obligations and evidence.

Weak evidence

Weak evidence warning

Weak evidence usually shows a document exists but does not prove operation or effectiveness.

  • A generic compliance list exists but is not mapped to controls or evidence.
  • Contracts are stored but information security obligations are not extracted.
  • No owner is responsible for keeping requirements current.
  • Cryptographic legal requirements are assumed rather than assessed.
  • Requirement changes do not trigger policy, control, or evidence updates.
  • International or online business obligations are ignored.

Sample interview questions

  • How do you identify applicable legal, regulatory, statutory, and contractual requirements?
  • Who owns keeping the requirements register current?
  • Show how a requirement maps to a control and evidence.
  • How are requirement changes tracked into control changes?
  • How have cryptographic legal requirements been assessed for relevant jurisdictions?

Common nonconformities

  • Requirements register is incomplete or stale
  • Contractual security obligations are not extracted from contracts
  • Legal changes are not tied to change control
  • Cryptography rules are not assessed by jurisdiction
  • No owner is assigned for requirement monitoring
  • Iso27001
  • ISO27002
  • Audit
  • Evidence
  • A5 31

Note Metadata

Aliases: A.5.31 Evidence

Source: 04 Audit Evidence Packs/A.5.31 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.