UnixTime

Research Note

A.8.12 Audit Evidence Pack

- DLP scope maps to sensitive/classified information. - Approved data flows and channels are defined. - DLP rules are tuned to the organization’s risk and data types. - Alerts a...

On this page

What the auditor wants to verify

Audit objective

Verify that DLP measures are applied to systems, networks, and devices that process, store, or transmit sensitive information.

Evidence to request

Evidence Purpose
Sensitive data inventory Shows DLP scope is known
Approved data flow register Shows legitimate flows are defined
DLP policy/rule configuration Shows controls match priorities
DLP alert records Shows events are detected
False-positive review records Shows tuning and triage
Transfer approval records Shows sensitive transfers are authorized
User awareness records Shows users know transfer rules
Leakage incident records Shows events are escalated and handled

Strong evidence

  • DLP scope maps to sensitive/classified information.
  • Approved data flows and channels are defined.
  • DLP rules are tuned to the organization’s risk and data types.
  • Alerts are reviewed, prioritized, tuned, and closed.
  • Sensitive transfers have approval records.
  • Users can explain approved sharing methods and reporting steps.

Weak evidence

  • DLP tool exists but rules are generic.
  • No approved data flow map exists.
  • Alerts are ignored due to false positives.
  • Sensitive transfers happen through informal channels.
  • Exceptions are unmanaged.

Sample interview questions

  • What sensitive information is protected by DLP?
  • Which channels are approved for sensitive transfer?
  • What do you do if you need to send sensitive information externally?
  • What happens when a DLP alert is triggered?
  • How are false positives handled?

Common nonconformities

  • DLP scope not linked to sensitive information.
  • No approved data flow register.
  • DLP alerts not reviewed.
  • Users unaware of approved transfer methods.
  • Business flows use unencrypted or unapproved channels.
  • Audit
  • Evidence
  • A8 12
  • Iso27001

Note Metadata

Aliases: A.8.12 Evidence

Source: 04 Audit Evidence Packs/A.8.12 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.