UnixTime

Research Note

A.5.5 Audit Evidence Pack

The auditor wants to confirm that the organization has identified relevant authorities, assigned authorized liaison roles, defined contact triggers, maintained accurate contact...

On this page

What the auditor wants to verify

Audit objective

This is the core audit assertion. Evidence should prove design, implementation, and operation.

The auditor wants to confirm that the organization has identified relevant authorities, assigned authorized liaison roles, defined contact triggers, maintained accurate contact details, and controlled information shared with authorities.

Evidence to request

Evidence Purpose
Authority contact register Shows relevant authorities are identified and maintained
Legal and regulatory obligation register Shows contact needs are based on actual obligations
Incident response plan Shows authority contact is part of response workflow
Business continuity or contingency plans Shows authority contact during disruption scenarios
Liaison role description Shows responsibility is assigned
Communication approval procedure Shows external disclosure is authorized
Breach notification procedure Shows mandatory reporting triggers are defined
Contact review records Shows details are kept current
Tabletop exercise records Shows contact routes are tested
Actual authority communications Shows the process works in real events

Strong evidence

Strong evidence test

Prefer dated, owned, reviewed records that show the control operated for real cases.

  • Register includes purpose, trigger, owner, backup, contact method, approval path, and review date.
  • Authority contacts are tied to legal, regulatory, operational, or incident-response requirements.
  • Incident playbooks include authority notification decision points.
  • Contact details are periodically reviewed and tested.
  • Liaison personnel can explain when and how contact is initiated.
  • Information shared with authorities is reviewed and authorized.

Weak evidence

Weak evidence warning

Weak evidence usually shows a document exists but does not prove operation or effectiveness.

  • Static phone list with no owner or review date.
  • No backup liaison.
  • Contact details kept only by one individual.
  • No clear trigger for contacting authorities.
  • No procedure controlling what information may be shared.
  • Incident responders do not know who is authorized to contact authorities.

Sample interview questions

Ask the liaison or security lead

  • Which authorities are relevant to the organization?
  • What triggers contact with each authority?
  • Who is authorized to contact them?
  • How do you verify contact details are current?
  • What information can be shared without further approval?
  • How are authority communications recorded?
  • Which regulatory reporting obligations apply?
  • How are breach notification thresholds assessed?
  • Who approves external notification content?
  • How do you ensure notifications are timely?

Ask incident responders

  • Where do you find authority contact details during an incident?
  • When would you escalate to the liaison?
  • Have authority contacts been tested in an exercise?

Common nonconformities

  • Relevant authorities not identified.
  • Contact list not maintained.
  • No authorized liaison or backup.
  • No link between authority contact and incident response.
  • Mandatory reporting triggers unclear.
  • External information sharing not approved or recorded.
  • Contact details cannot be validated.
  • Iso27001
  • ISO27002
  • Audit
  • Evidence
  • A5 5

Note Metadata

Aliases: A.5.5 Evidence

Source: 04 Audit Evidence Packs/A.5.5 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.