UnixTime

Research Note

A.6.7 Audit Evidence Pack

The auditor wants evidence that information remains protected when accessed, processed, or stored outside organization premises.

On this page

What the auditor wants to verify

Audit objective

Verify that remote working is authorized, risk-assessed, controlled, and reviewed for people, locations, activities, data, equipment, and connections.

The auditor wants evidence that information remains protected when accessed, processed, or stored outside organization premises.

Evidence to request

Evidence Purpose
Remote working policy Shows remote work rules are documented
Remote working authorization register Shows approved users, activities, locations, data, and controls
Remote working risk assessment Shows remote risks were assessed
Asset register entries Shows remote equipment is tracked
Secure connection configuration Shows remote links are protected
MFA/access control records Shows remote access is restricted
Endpoint security records Shows remote devices are protected
Non-work use rules Shows personal-use risks are managed
Training/awareness records Shows users know remote work duties
Control verification records Shows controls were checked before authorization

Strong evidence

Strong evidence test

Prefer sampled records that connect authorized person, location, activity, data, device, required controls, and verification.

  • Remote workers, activities, locations, and data access are authorized.
  • Remote access is limited to required information.
  • Devices are managed, encrypted, patched, and inventoried.
  • Secure access methods and MFA are enforced.
  • Physical security expectations are defined for home and public locations.
  • Non-work use rules are documented.
  • Control verification exists before or during authorization.
  • Remote work risks are reviewed when conditions change.

Weak evidence

Weak evidence warning

Weak evidence proves remote access exists, not that remote working is controlled.

  • VPN exists but no authorization register.
  • No record of allowed locations, activities, or data.
  • Personal devices are used without documented controls.
  • Remote equipment missing from the asset register.
  • No public-location rules.
  • No non-work use policy.
  • No verification that required controls are in place.

Sample interview questions

Ask remote workers

  • What information are you allowed to access remotely?
  • Can you work from public locations?
  • What do you do with printed confidential information at home?
  • Can family members or visitors use your work device?

Ask IT or security

  • How is remote access secured and monitored?
  • Are remote devices encrypted, patched, and inventoried?
  • How do you restrict remote access to required information?

Ask managers

  • How do you authorize remote work?
  • How do you verify required controls are in place?

Common nonconformities

  • Remote work allowed without documented authorization.
  • Remote devices not in asset inventory.
  • No remote working risk assessment.
  • No restrictions on data, location, or activity.
  • Personal use or family use not controlled.
  • Secure connection exists but endpoint and physical controls are ignored.
  • Controls not verified before authorization.
  • Iso27001
  • ISO27002
  • Audit
  • Evidence
  • A6 7

Note Metadata

Aliases: A.6.7 Evidence

Source: 04 Audit Evidence Packs/A.6.7 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.