UnixTime

Research Note

A.6.4 Audit Evidence Pack

The auditor wants evidence that the organization can respond fairly and consistently when personnel or relevant interested parties violate information security policy.

On this page

What the auditor wants to verify

Audit objective

Verify that disciplinary action for information security policy violations is formalized, communicated, evidence-based, proportionate, and consistently followed.

The auditor wants evidence that the organization can respond fairly and consistently when personnel or relevant interested parties violate information security policy.

Evidence to request

Evidence Purpose
Disciplinary process Shows formal process exists
Security policy compliance clause Shows control breaches are policy breaches
Awareness/onboarding records Shows the process and consequences were communicated
Disciplinary criteria Shows action triggers and severity considerations
Incident and policy violation records Shows potential triggers are identified
Case files or action records Shows process operation
Evidence review records Shows action was based on sufficient evidence
Closure and follow-up records Shows actions were completed
Contractor or third-party breach procedure Shows non-employee violations have a route

Strong evidence

Strong evidence test

Prefer sampled records that show trigger, evidence, decision, proportionality, outcome, and closure.

  • Process is documented, approved, and communicated.
  • Criteria define when disciplinary action is considered.
  • Cases start only after sufficient evidence of violation.
  • Outcomes are proportionate to intent, impact, role, and history.
  • Similar cases are handled consistently.
  • Follow-up action is tracked to closure.
  • Third-party violations are handled through contract, procurement, or vendor-management routes.

Weak evidence

Weak evidence warning

Weak evidence usually proves HR has a process, not that security policy violations are handled properly.

  • Generic HR procedure with no security-policy link.
  • Informal manager action without records.
  • Incident criteria met but no disciplinary review occurred.
  • Action taken without evidence threshold.
  • No closure record.
  • Contractors or third parties excluded.
  • Personnel are unaware of consequences.

Sample interview questions

  • How does the disciplinary process handle information security policy violations?
  • What evidence is required before the process starts?
  • How is proportionality determined?
  • How are similar cases handled consistently?

Ask security or managers

  • When does a security incident trigger disciplinary review?
  • How do you preserve evidence before referring a case?
  • How are follow-up actions tracked?

Ask personnel

  • Are you aware that information security policy violations can lead to action?
  • Where is the process or consequence explained?

Common nonconformities

  • No formal disciplinary process for security violations.
  • Process not communicated to personnel.
  • No evidence threshold before action.
  • Inconsistent treatment of similar cases.
  • Criteria met but process not initiated.
  • Follow-up actions not completed.
  • Third-party violations not covered.