UnixTime

Research Note

A.5.35 Audit Evidence Pack

The auditor wants to confirm that the information security approach and implementation are independently reviewed at planned intervals and after significant changes, with findin...

On this page

What the auditor wants to verify

Audit objective

This is the core audit assertion. Evidence should prove design, implementation, and operation.

The auditor wants to confirm that the information security approach and implementation are independently reviewed at planned intervals and after significant changes, with findings reported and corrected.

Evidence to request

Evidence Purpose
Independent review schedule Shows the control can be verified
Review scope and criteria Shows the control can be verified
Reviewer independence evidence Shows the control can be verified
Independent review reports Shows the control can be verified
Corrective action records Shows the control can be verified
Management reporting records Shows the control can be verified

Strong evidence

Strong evidence test

Prefer dated, owned, reviewed records that show the control operated for real cases.

  • Independent review schedule defines scope, frequency, reviewer independence, criteria, and reporting route.
  • Review records cover people, processes, technologies, ISMS approach, and implementation evidence.
  • Supplementary review triggers are linked to change and incident management processes.
  • Reviewer independence is documented and appropriate for the scope.
  • Findings are tracked to corrective actions, owners, due dates, closure evidence, and effectiveness checks.
  • Results are reported to management and considered in management review.

Weak evidence

Weak evidence warning

Weak evidence usually shows a document exists but does not prove operation or effectiveness.

  • Security team reviews its own implementation without independence.
  • Reviews happen only before certification audit.
  • Major changes occur without supplementary review.
  • Findings are recorded but not tracked to closure.
  • Corrective actions are closed without effectiveness evidence.
  • Management does not receive or act on review results.

Sample interview questions

  • Who independently reviews the information security approach and implementation?
  • How is independence confirmed for internal reviewers?
  • What triggers a supplementary review?
  • Show the latest independent review report and corrective actions.
  • How were review results reported to management?

Common nonconformities

  • Reviewers lack independence
  • Review triggers are undefined
  • Reviews focus only on documents
  • Findings are not tracked to corrective action
  • Results are not reported to management
  • Iso27001
  • ISO27002
  • Audit
  • Evidence
  • A5 35

Note Metadata

Aliases: A.5.35 Evidence

Source: 04 Audit Evidence Packs/A.5.35 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.