UnixTime

Research Note

A.6.1 Audit Evidence Pack

The auditor wants evidence that background verification checks are defined, applied, documented, and protected as personal data.

On this page

What the auditor wants to verify

Audit objective

Verify that personnel screening is risk-based, lawful, completed before joining or sensitive access, and applied consistently to employees and non-employees in ISMS scope.

The auditor wants evidence that background verification checks are defined, applied, documented, and protected as personal data.

Evidence to request

Evidence Purpose
Screening policy or procedure Shows screening rules are documented
Role-based screening matrix Shows screening is proportional to role and access risk
Completed screening records Shows checks were performed for sampled personnel
Identity verification records Shows identity checks were completed
Qualification or certification verification Shows claims were independently validated where needed
Reference check records Shows independent verification activity occurred
Employment gap follow-up notes Shows irregularities were reviewed
Contractor and third-party onboarding records Shows non-employees are included
Access provisioning records Shows access was not granted before screening completion
Screening data retention and access rules Shows personal data is handled lawfully and securely

Strong evidence

Strong evidence test

Prefer sampled records with dates, owners, check results, follow-up notes, and access timing.

  • Screening applies to employees, contractors, temporary staff, and third-party users in ISMS scope.
  • The depth of screening is linked to role risk, information classification, and business need.
  • Checks were completed before start date or before sensitive access.
  • Candidate-provided documents were independently verified where permitted.
  • Exceptions, limitations, and follow-up actions were documented.
  • Screening data is access-controlled, retained for a defined period, and disposed of appropriately.

Weak evidence

Weak evidence warning

Weak evidence usually shows a hiring process exists but does not prove background verification was performed or controlled.

  • Candidate CVs are stored without verification evidence.
  • Screening records are missing for contractors or temporary staff.
  • Checks are completed after access is granted.
  • Screening depth is the same for every role with no risk basis.
  • Reference checks are verbal and undocumented.
  • Screening records are broadly accessible or retained indefinitely.

Sample interview questions

Ask HR or recruitment

  • Which roles require which screening checks?
  • How do you verify identity, qualifications, employment history, and references?
  • What happens when a previous employer only confirms dates and job title?
  • How are employment gaps or inconsistencies handled?
  • How do you protect screening records?

Ask hiring managers

  • How do you know required screening is complete before the person starts?
  • Do you request stronger screening for high-risk roles?
  • What happens when a person changes into a more sensitive role?

Ask IT or access administrators

  • Can access be provisioned before screening is complete?
  • How do you verify screening completion before granting privileged access?

Common nonconformities

  • No documented screening procedure.
  • Screening not completed before joining or access.
  • Contractors and third-party users excluded without justification.
  • No role-risk basis for screening depth.
  • Candidate-provided information accepted without verification.
  • Follow-up on irregularities not documented.
  • Screening records not handled according to privacy or data protection requirements.
  • Iso27001
  • ISO27002
  • Audit
  • Evidence
  • A6 1

Note Metadata

Aliases: A.6.1 Evidence

Source: 04 Audit Evidence Packs/A.6.1 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.