UnixTime

Research Note

A.8.13 Audit Evidence Pack

- Backup scope maps to critical information, systems, and software. - Frequency aligns with risk and continuity requirements. - Restore tests are documented and successful. - Ba...

On this page

What the auditor wants to verify

Audit objective

Verify that backups of information, software, and systems are maintained, protected, and regularly tested according to backup policy and recovery needs.

Evidence to request

Evidence Purpose
Backup policy and schedule Shows rules and frequency are defined
Backup scope/register Shows critical assets are included
Backup job logs Shows backups run and failures are visible
Restore test records Shows recovery works
Backup encryption/access records Shows backup data is protected
Off-site/immutable storage evidence Shows backups can survive local incidents
Archive recovery evidence Shows long-term records remain readable
Corrective action records Shows backup failures are addressed

Strong evidence

  • Backup scope maps to critical information, systems, and software.
  • Frequency aligns with risk and continuity requirements.
  • Restore tests are documented and successful.
  • Backup failures are investigated.
  • Backup data is encrypted or access-controlled.
  • Long-term archives remain recoverable.

Weak evidence

  • Backup job success is shown but no restore testing exists.
  • Critical systems are missing from backup scope.
  • Backups are stored beside original systems.
  • Backups are not protected like original data.
  • Archive media/software/key dependencies are unknown.

Sample interview questions

  • What is included in backup scope?
  • How often are backups made?
  • How do you know restores work?
  • What happens if a backup job fails?
  • Where are backups stored and how are they protected?
  • How do you recover long-term archives?

Common nonconformities

  • No restore test evidence.
  • Backup scope incomplete.
  • Backup failures not acted on.
  • Backups not encrypted or access-controlled.
  • Long-term archives unreadable.
  • Backup arrangements do not match continuity requirements.
  • Audit
  • Evidence
  • A8 13
  • Iso27001

Note Metadata

Aliases: A.8.13 Evidence

Source: 04 Audit Evidence Packs/A.8.13 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.