UnixTime

Research Note

A.6.2 Audit Evidence Pack

The auditor wants evidence that security responsibilities are defined, accepted, role-appropriate, current, and applicable to employees, contractors, and third-party users in sc...

On this page

What the auditor wants to verify

Audit objective

Verify that employment and contractual agreements state information security responsibilities for personnel and the organization before work or access begins.

The auditor wants evidence that security responsibilities are defined, accepted, role-appropriate, current, and applicable to employees, contractors, and third-party users in scope.

Evidence to request

Evidence Purpose
Employment contract security clauses Shows employee security responsibilities are formally stated
Contractor or third-party agreement clauses Shows non-employee responsibilities are formally stated
Confidentiality agreements Shows confidentiality obligations were accepted before access
Security responsibility addendum Shows role-specific duties are documented
Onboarding acknowledgement records Shows personnel accepted terms before starting work
Role-change checklist Shows terms are updated when responsibilities change
Personnel data protection notice Shows the organization’s data handling responsibilities are stated
Disciplinary or non-compliance procedure Shows consequences are defined
Remote work or customer-site terms Shows duties apply outside normal work location where relevant

Strong evidence

Strong evidence test

Strong evidence proves timing, scope, signature or acknowledgement, role relevance, and update control.

  • Agreements are signed before work starts or before confidential access.
  • Agreements cover employees, contractors, and third-party users in ISMS scope.
  • Terms include confidentiality, acceptable use, classification handling, legal duties, incident reporting, and non-compliance consequences.
  • Remote work, customer-site work, and outside-hours responsibilities are covered where relevant.
  • Post-employment obligations are stated where legally permitted.
  • Role changes trigger updated responsibility acknowledgement.
  • Organization responsibilities for personnel personal data are clearly stated.

Weak evidence

Weak evidence warning

Weak evidence usually proves that a contract exists, not that security responsibilities were properly agreed.

  • Generic contract with only vague confidentiality language.
  • Terms signed after work or access begins.
  • Contractor access without signed security terms.
  • No process to update terms after role or access changes.
  • No evidence that personnel acknowledged the security policy.
  • No statement of organization responsibilities for personnel data.

Sample interview questions

  • Which security responsibilities are included in employment terms?
  • Are confidentiality agreements signed before access to confidential information?
  • How do terms address remote work, customer sites, and post-employment obligations?
  • How are terms updated when roles change?
  • How are personnel personal data responsibilities communicated?

Ask procurement or vendor management

  • How are contractor and third-party user security responsibilities documented?
  • Are non-employees required to sign confidentiality obligations before access?

Ask personnel or managers

  • What security responsibilities did you accept during onboarding?
  • What happens if security responsibilities are not followed?
  • Were your responsibilities updated when your role changed?

Common nonconformities

  • Security responsibilities not stated in employment or contractual agreements.
  • Confidentiality agreement missing or signed late.
  • Contractors and third-party users omitted.
  • Terms do not cover legal, classification, remote-work, or customer-site responsibilities.
  • No process to update terms when responsibilities change.
  • Organization responsibilities for personnel data not stated.
  • Consequences of non-compliance unclear.
  • Iso27001
  • ISO27002
  • Audit
  • Evidence
  • A6 2

Note Metadata

Aliases: A.6.2 Evidence

Source: 04 Audit Evidence Packs/A.6.2 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.