What the auditor wants to verify
Audit objective
This is the core audit assertion. Evidence should prove design, implementation, and operation.
The auditor wants to confirm that privacy and PII requirements are identified, mapped, implemented, reviewed, and evidenced for all relevant PII holdings, roles, transfers, and systems.
Evidence to request
| Evidence | Purpose |
|---|---|
| PII inventory | Shows the control can be verified |
| Privacy requirements matrix | Shows the control can be verified |
| Privacy/PII policy and procedures | Shows the control can be verified |
| Role-specific privacy training records | Shows the control can be verified |
| PII access review records | Shows the control can be verified |
| PII transfer/supplier records | Shows the control can be verified |
| Breach notification procedure | Shows the control can be verified |
Strong evidence
Strong evidence test
Prefer dated, owned, reviewed records that show the control operated for real cases.
- PII inventory lists data categories, location, purpose, justification, retention, access roles, transfers, systems, suppliers, and jurisdictions.
- Privacy requirements matrix maps laws, regulations, contracts, and client requirements to implemented controls and evidence.
- Senior privacy accountability and operational responsibilities are assigned and understood.
- Staff handling PII receive role-specific training and can explain responsibilities.
- Access to PII is role-based, reviewed, and limited to job need.
- Annual PII review verifies holdings, purpose, retention, access, transfers, and compliance with current requirements.
- Breach notification obligations and procedures are documented and tested or exercised where appropriate.
Weak evidence
Weak evidence warning
Weak evidence usually shows a document exists but does not prove operation or effectiveness.
- PII is discussed generally but no inventory exists.
- The organization knows main customer databases but ignores spreadsheets, exports, logs, support tickets, backups, or supplier platforms.
- Privacy policy exists but does not map to laws, contracts, systems, or controls.
- Access to PII is broad or not reviewed.
- Staff handling PII receive only generic security awareness.
- New PII use cases are launched without approval or inventory updates.
- Breach notification requirements are unclear.
Sample interview questions
- Where is PII stored, processed, transmitted, and shared?
- What laws, regulations, or contracts drive PII protection requirements?
- Who is accountable for PII compliance?
- Show a role with PII access and why access is needed.
- How are new PII uses approved and added to the inventory?
- What breach notification requirements apply?
Common nonconformities
- PII inventory is incomplete
- Purpose and retention are not justified
- Access to PII is excessive
- PII transfers are not tracked
- Privacy requirement changes are not monitored
- Breach notification obligations are unclear
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A5 34
Note Metadata
Aliases: A.5.34 Evidence
Source: 04 Audit Evidence Packs/A.5.34 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.