What the auditor wants to verify
Audit objective
This is the core audit assertion. Evidence should prove design, implementation, and operation.
The auditor wants to confirm that the information security approach and implementation are independently reviewed at planned intervals and after significant changes, with findings reported and corrected.
Evidence to request
| Evidence | Purpose |
|---|---|
| Independent review schedule | Shows the control can be verified |
| Review scope and criteria | Shows the control can be verified |
| Reviewer independence evidence | Shows the control can be verified |
| Independent review reports | Shows the control can be verified |
| Corrective action records | Shows the control can be verified |
| Management reporting records | Shows the control can be verified |
Strong evidence
Strong evidence test
Prefer dated, owned, reviewed records that show the control operated for real cases.
- Independent review schedule defines scope, frequency, reviewer independence, criteria, and reporting route.
- Review records cover people, processes, technologies, ISMS approach, and implementation evidence.
- Supplementary review triggers are linked to change and incident management processes.
- Reviewer independence is documented and appropriate for the scope.
- Findings are tracked to corrective actions, owners, due dates, closure evidence, and effectiveness checks.
- Results are reported to management and considered in management review.
Weak evidence
Weak evidence warning
Weak evidence usually shows a document exists but does not prove operation or effectiveness.
- Security team reviews its own implementation without independence.
- Reviews happen only before certification audit.
- Major changes occur without supplementary review.
- Findings are recorded but not tracked to closure.
- Corrective actions are closed without effectiveness evidence.
- Management does not receive or act on review results.
Sample interview questions
- Who independently reviews the information security approach and implementation?
- How is independence confirmed for internal reviewers?
- What triggers a supplementary review?
- Show the latest independent review report and corrective actions.
- How were review results reported to management?
Common nonconformities
- Reviewers lack independence
- Review triggers are undefined
- Reviews focus only on documents
- Findings are not tracked to corrective action
- Results are not reported to management
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A5 35
Note Metadata
Aliases: A.5.35 Evidence
Source: 04 Audit Evidence Packs/A.5.35 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.5.35 - Independent Review of Information Security
- Audit Evidence MOC
- AQ-ISO27001-A.5.35 Independent Review of Information Security
- A.5 Organizational Controls Audit Guide
- ISO27001-A.5.35 Independent Review of Information Security
- A.5.35 Audit Checklist
- Independent Information Security Review Plan and Report
- Audit Evidence Index