UnixTime

Research Note

A.5.9 Audit Evidence Pack

The auditor wants to confirm that information and associated assets are identified, owned, classified, maintained, protected, and updated through change, project, procurement, a...

On this page

What the auditor wants to verify

Audit objective

This is the core audit assertion. Evidence should prove design, implementation, and operation.

The auditor wants to confirm that information and associated assets are identified, owned, classified, maintained, protected, and updated through change, project, procurement, and disposal activities.

Evidence to request

Evidence Purpose
Information asset inventory Shows information assets are identified
Physical/virtual asset inventory or CMDB Shows associated technical assets are tracked
Asset ownership records Shows accountable owners are assigned
Custodian assignments Shows day-to-day responsibilities are delegated where needed
Classification records Shows protection expectations are defined
Risk assessment records Shows owners contribute to risk decisions
Backup and recovery records Shows resilience arrangements are recorded
Software/license inventory Shows software and license tracking
Disposal records Shows end-of-life handling is controlled
Change and project records Shows inventory updates are triggered by change
Annual stock check or reconciliation records Shows inventory accuracy is tested
Inventory access control and backup records Shows the inventory itself is protected

Strong evidence

Strong evidence test

Prefer dated, owned, reviewed records that show the control operated for real cases.

  • Inventory covers information, hardware, software, virtual assets, services, processes, documents, and media relevant to the ISMS.
  • Important assets have owners and custodians where appropriate.
  • Business value, classification, location, retention, backup, recovery, and special requirements are recorded.
  • Project, procurement, change, and disposal processes update the inventory.
  • Owners can explain their responsibilities.
  • Disposals record when, how, and to whom assets were disposed.
  • Inventory accuracy is periodically checked.
  • Inventory access is restricted and backed up.

Weak evidence

Weak evidence warning

Weak evidence usually shows a document exists but does not prove operation or effectiveness.

  • Inventory only covers finance/accounting equipment.
  • Information assets are missing.
  • Owners are blank, generic, or all assigned to IT.
  • No classification or business value.
  • Inventory not updated after projects or changes.
  • No disposal records.
  • Software, cloud services, and paper records are excluded.
  • Inventory stored as an uncontrolled spreadsheet.

Sample interview questions

Ask the inventory owner

  • What asset types are included in the inventory?
  • How do new assets enter the inventory?
  • How are disposals recorded?
  • How often is inventory accuracy checked?
  • How is the inventory protected?

Ask asset owners

  • Which assets do you own?
  • What classification applies to your assets?
  • What backup and recovery arrangements apply?
  • How do you verify custodians are protecting the asset?
  • How do you participate in risk assessments?

Ask custodians or IT operations

  • Which assets do you operate on behalf of owners?
  • How are changes reflected in the inventory?
  • How are retired assets removed or marked disposed?
  • How do you handle virtual or cloud assets?

Common nonconformities

  • No maintained information asset inventory.
  • Important assets lack owners.
  • Owners do not understand ownership responsibilities.
  • Inventory excludes paper, software, cloud, virtual, or service assets.
  • Classification not recorded.
  • Disposals not recorded.
  • Inventory is not updated through project/change management.
  • Inventory itself is not protected.
  • Iso27001
  • ISO27002
  • Audit
  • Evidence
  • A5 9

Note Metadata

Aliases: A.5.9 Evidence

Source: 04 Audit Evidence Packs/A.5.9 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.