UnixTime

Research Note

A.6.3 Audit Evidence Pack

The auditor wants evidence that training is role-relevant, current, recorded, repeated where needed, and improved based on effectiveness feedback.

On this page

What the auditor wants to verify

Audit objective

Verify that people receive appropriate awareness, education, training, and updates for their role before they need to apply the requirement.

The auditor wants evidence that training is role-relevant, current, recorded, repeated where needed, and improved based on effectiveness feedback.

Evidence to request

Evidence Purpose
Awareness and training policy Shows training expectations are defined
Role-based training matrix Shows training is matched to job function
Training plan or calendar Shows training is planned and repeated
Induction records Shows baseline training was delivered before work/access
Specialist training records Shows higher-risk roles receive deeper training
Training content and version history Shows material is current and aligned to policies
Assessment or test results Shows understanding was checked
Contractor or third-party training records Shows non-employees are included where relevant
Trainer or supplier approval records Shows provider suitability was assessed
Effectiveness review records Shows the program is reviewed and improved
Incident or audit finding training updates Shows lessons learned feed awareness content

Strong evidence

Strong evidence test

Prefer sampled records that connect person, role, required training, completion date, content version, and result.

  • Training covers employees, contractors, third-party users, and relevant interested parties in scope.
  • Role-based matrix defines baseline and supplementary training.
  • Training is completed before access or before the relevant work is performed.
  • Content aligns with current policies, topic-specific policies, and procedures.
  • Individual records show completion, scope, date, provider, and assessment where applicable.
  • Effectiveness is measured using tests, feedback, exercises, incidents, and audit findings.
  • Training is refreshed after policy, threat, incident, system, or role changes.
  • Claimed prior experience or qualifications are verified where used in place of training.

Weak evidence

Weak evidence warning

Weak evidence proves activity happened, but not that people received suitable training for their responsibilities.

  • Generic annual training only.
  • Attendance list without content, version, date, or role mapping.
  • Contractors and third-party users omitted.
  • No specialist training for administrators, managers, or security-relevant roles.
  • Training delivered after access was granted.
  • No assessment or effectiveness review.
  • Outdated training material.
  • CV claims accepted as competence evidence without verification.

Sample interview questions

Ask personnel

  • What information security policy or procedure topics apply to your role?
  • How do you report a security incident or weakness?
  • What training did you receive before you started using the system or handling information?
  • What changed in your training after your role or access changed?

Ask HR or training owners

  • How do you decide which training each role requires?
  • How do you track induction, refresher, and specialist training?
  • How do contractors and third-party users receive training?
  • How is training material updated after policy changes, incidents, or emerging threats?

Ask managers or control owners

  • How do you know your team completed required training before access?
  • What specialist training is required for privileged or security-sensitive roles?
  • How do training metrics influence corrective actions or management review?

Common nonconformities

  • No role-based training matrix.
  • Training not completed before access or work begins.
  • Contractors and third-party users excluded without justification.
  • Training content not aligned to current policies and procedures.
  • No supplementary training for specialist roles.
  • No effectiveness metrics or review.
  • Training records incomplete or not individual-specific.
  • Equivalent experience accepted without verification.