What the auditor wants to verify
Audit objective
Verify that privileged access is restricted, justified, approved, separately identifiable, logged, reviewed, and removed when no longer needed.
Evidence to request
| Evidence | Purpose |
|---|---|
| Privileged access policy/procedure | Shows rules are defined |
| Privileged access register | Shows privileged accounts/roles are known |
| Approval records | Shows business justification |
| Separate admin account records | Shows admin activity is distinct |
| Privileged activity logs | Shows use is traceable |
| Log review records | Shows monitoring occurs |
| Emergency access records | Shows break-glass access is controlled |
| Access review/removal records | Shows privilege is maintained and removed |
Strong evidence
- Privileges are approved based on need-to-use.
- Separate named admin IDs exist where feasible.
- Privileged activity is logged and reviewed.
- Logs are protected and retained.
- Emergency access is time-bound and post-reviewed.
- Privilege is removed promptly when no longer needed.
Weak evidence
- Admin rights are default.
- Shared admin accounts are used.
- Privileged logs are missing or modifiable.
- Emergency access is informal.
- Access reviews do not remove stale privilege.
Sample interview questions
- Why do you need privileged access?
- When did you last use it?
- Do you use a separate admin ID?
- Who reviews privileged activity logs?
- What happens during emergency access?
Common nonconformities
- Privileged access not justified.
- No privileged access register.
- Shared privileged accounts.
- No privileged activity logging.
- Emergency privilege not reviewed.
- Privilege not removed after role change.
Related notes
- Audit
- Evidence
- A8 2
- Iso27001
Note Metadata
Aliases: A.8.2 Evidence
Source: 04 Audit Evidence Packs/A.8.2 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- Audit Evidence MOC
- ISO 27001 A.8.2 - Privileged Access Rights
- A.8 Technological Controls Audit Guide
- ISO27001-A.8.2 Privileged Access Rights
- A.8.2 Audit Checklist
- Emergency Privileged Access Record
- Privileged Access Register
- Privileged Access Review Checklist
- Privileged Activity Log Review Checklist
- Audit Evidence Index