What the auditor wants to verify
Audit objective
This is the core audit assertion. Evidence should prove design, implementation, and operation.
The auditor wants to confirm that compliance with information security policies, rules, and standards is regularly reviewed through management and technical checks, with findings tracked to effective remediation.
Evidence to request
| Evidence | Purpose |
|---|---|
| Compliance review plan | Shows the control can be verified |
| Management review/spot-check records | Shows the control can be verified |
| Technical compliance check records | Shows the control can be verified |
| Testing authorization records | Shows the control can be verified |
| Tool control records | Shows the control can be verified |
| Finding/action/retest records | Shows the control can be verified |
Strong evidence
Strong evidence test
Prefer dated, owned, reviewed records that show the control operated for real cases.
- Compliance review plan covers policies, rules, standards, management areas, technical systems, frequency, method, and owner.
- Management reviews or spot checks show policy compliance in each area of responsibility.
- Technical compliance checks cover relevant systems and are performed by competent authorized personnel.
- Testing tools are controlled, approved, and scoped to prevent misuse or accidental testing of wrong systems.
- Findings trace to root cause, corrective action, implementation evidence, and effectiveness verification.
- Patterns are reviewed to find similar issues elsewhere.
Weak evidence
Weak evidence warning
Weak evidence usually shows a document exists but does not prove operation or effectiveness.
- Compliance review is only an annual attestation.
- Technical checks are informal and not risk-based.
- Scanning or testing tools are available to unauthorized users.
- Findings are tracked in spreadsheets without closure evidence.
- Root cause is not analyzed and similar issues are not checked elsewhere.
- Managers cannot show how they review compliance in their own areas.
Sample interview questions
- How do managers review compliance in their areas?
- Which technical compliance checks are scheduled and why?
- Who is authorized to run technical tests or tools?
- Show a finding from review through corrective action and retest.
- How do you look for similar issues elsewhere?
Common nonconformities
- Managers do not review compliance in their areas
- Technical checks are not performed by competent authorized personnel
- Security testing tools are uncontrolled
- Findings are not traceable to action and retest
- Patterns are not analyzed
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A5 36
Note Metadata
Aliases: A.5.36 Evidence
Source: 04 Audit Evidence Packs/A.5.36 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.5.36 - Compliance with Policies, Rules and Standards for Information Security
- Audit Evidence MOC
- AQ-ISO27001-A.5.36 Compliance with Policies, Rules and Standards for Information Security
- A.5 Organizational Controls Audit Guide
- ISO27001-A.5.36 Compliance with Policies, Rules and Standards for Information Security
- A.5.36 Audit Checklist
- Policy and Technical Compliance Review Register
- Audit Evidence Index