What the auditor wants to verify
Audit objective
This is the core audit assertion. Evidence should prove design, implementation, and operation.
The auditor wants to confirm that managers actively require personnel to apply information security according to policies and procedures.
Evidence to request
| Evidence | Purpose |
|---|---|
| Management responsibility statements | Shows formal management duties |
| Meeting agendas/minutes | Shows security discussed in routine management |
| Management communications | Shows security expectations communicated |
| Training completion reports | Shows managers ensure personnel complete training |
| Escalation records for non-completion | Shows management follow-up |
| Phishing simulation results and follow-up | Shows awareness remediation |
| Access review sign-offs | Shows managers verify controls |
| Corrective action records | Shows non-compliance addressed |
| HR/remedial training records | Shows proportionate response |
| Performance objectives | Shows security included in management expectations |
| Incident reporting records | Shows managers support escalation |
| Staff interview evidence | Shows management messages are understood |
| Exception approval records | Shows managers do not allow informal bypasses |
Strong evidence
Strong evidence test
Prefer dated, owned, reviewed records that show the control operated for real cases.
- Managers can explain their security duties.
- Security appears in recurring team or management meetings.
- Managers track and follow up on training.
- Non-compliance leads to coaching, training, or corrective action.
- Senior staff follow the same rules as everyone else.
- Employees say management treats security seriously.
- Security reporting is encouraged and not punished.
- Managers verify access and policy compliance.
Weak evidence
Weak evidence warning
Weak evidence usually shows a document exists but does not prove operation or effectiveness.
- Managers say security is the security team’s job.
- No security discussion in management routines.
- Training non-completion not followed up.
- Executives bypass security controls.
- Violations are ignored.
- Employees fear reporting incidents.
- Management pressures staff to bypass controls.
- No evidence managers enforce policies.
Sample interview questions
Ask managers
- What are your information security responsibilities?
- How do you ensure your team follows policies?
- How do you know your team completed training?
- What do you do if someone violates a procedure?
- How do you communicate security expectations?
- How do you handle reported incidents or weaknesses?
- Are security objectives included in performance expectations?
Ask employees
- Does your manager discuss security expectations?
- What happens if someone violates a security procedure?
- Are you encouraged to report incidents?
- Do senior people follow the same security rules?
- Do you feel security is treated as part of your job?
Ask security leadership
- How do you ensure managers understand their responsibilities?
- How do you track manager follow-up?
- How are repeated non-compliances escalated?
- How do managers contribute to security culture?
Common nonconformities
- Managers unaware of security responsibilities.
- Security not reinforced in daily work.
- No follow-up on training or non-compliance.
- Senior leaders have informal exceptions.
- Managers encourage control bypassing for speed.
- Security treated as IT-only.
- No evidence managers support security culture.
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A5 4
Note Metadata
Aliases: A.5.4 Evidence
Source: 04 Audit Evidence Packs/A.5.4 Audit Evidence Pack.md