UnixTime

Research Note

A.5.7 Audit Evidence Pack

The auditor wants to confirm that threat information is collected, analyzed, validated, contextualized, and used to support risk assessment, risk treatment, control improvement,...

On this page

What the auditor wants to verify

Audit objective

This is the core audit assertion. Evidence should prove design, implementation, and operation.

The auditor wants to confirm that threat information is collected, analyzed, validated, contextualized, and used to support risk assessment, risk treatment, control improvement, incident readiness, and management awareness.

Evidence to request

Evidence Purpose
Threat intelligence procedure Shows the process is defined and repeatable
Threat source register Shows sources are identified and owned
Threat intelligence register or reports Shows information is analyzed
Risk register updates Shows intelligence influences risk decisions
Control tuning records Shows intelligence improves controls
Vulnerability prioritization records Shows threat context affects remediation
Incident response updates Shows intelligence improves preparedness
Management threat briefings Shows decision-makers receive relevant information
Validation or confidence criteria Shows quality is assessed
Research safety guidance Shows staff avoid legal, privacy, and leakage risks

Strong evidence

Strong evidence test

Prefer dated, owned, reviewed records that show the control operated for real cases.

  • Threat intelligence process defines sources, triage, analysis, validation, ownership, and escalation.
  • Intelligence is linked to assets, risks, controls, and business context.
  • Recent intelligence led to a documented risk decision, control change, or management briefing.
  • Staff assess confidence and relevance before action.
  • Threat research guidance prevents sensitive data leakage.
  • Intelligence feeds Risk Assessment, Statement of Applicability, and Management Review where relevant.

Weak evidence

Weak evidence warning

Weak evidence usually shows a document exists but does not prove operation or effectiveness.

  • Threat feed exists but is not reviewed.
  • Newsletters are forwarded without analysis.
  • No link between intelligence and risk decisions.
  • Management receives raw technical noise or nothing.
  • No validation process.
  • Staff use public tools or AI prompts with sensitive internal information.
  • Intelligence is not current.

Sample interview questions

Ask security or risk staff

  • What threat sources do you use?
  • How do you decide whether a threat is relevant?
  • How do you validate confidence or reliability?
  • How does intelligence feed risk assessment?
  • What changed recently because of threat intelligence?
  • How do you avoid leaking sensitive information during research?

Ask management

  • Do you receive threat briefings?
  • How are significant threats translated into business impact?
  • When does threat intelligence trigger management action?

Ask control owners

  • Have threat updates changed your control operation?
  • How do you know whether a new threat affects your assets?

Common nonconformities

  • Confusing raw feeds with analyzed intelligence.
  • No organizational context applied.
  • No repeatable process.
  • No validation of sources or confidence.
  • No link to risk treatment or controls.
  • Unsafe research practices.
  • No evidence that intelligence reaches decision-makers.
  • Iso27001
  • ISO27002
  • Audit
  • Evidence
  • A5 7

Note Metadata

Aliases: A.5.7 Evidence

Source: 04 Audit Evidence Packs/A.5.7 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.

Risk treatment artifacts

Risk records, mappings, and treatment-supporting references.