What the auditor wants to verify
Audit objective
Verify that security mechanisms, service levels, and service requirements for network services are identified, implemented, and monitored.
Evidence to request
| Evidence | Purpose |
|---|---|
| Network service register | Shows services, owners, and dependencies |
| Risk assessment | Shows required features are justified |
| Provider SLA/service description | Shows service levels and security features |
| Security requirement mapping | Shows CIA requirements are covered |
| Provider review records | Shows service delivery is monitored |
| Failover/resilience evidence | Shows availability features are understood |
| Exception/risk acceptance records | Shows provider gaps are managed |
Strong evidence
- Network services have owners and risk assessments.
- Required security mechanisms are documented.
- Agreements include security features and service levels.
- Provider reports are reviewed.
- Failover and recovery arrangements are understood.
- Provider limitations have compensating controls or risk acceptance.
Weak evidence
- Network services are known only through invoices.
- Security features are assumed from provider reputation.
- SLA covers uptime only.
- Provider reports are not reviewed.
- Standard service limitations are ignored.
Sample interview questions
- Which network services are supplier-provided?
- What security features are required for each service?
- How are service levels monitored?
- What happens during provider failover or recovery?
- Which provider limitations require compensating controls?
Common nonconformities
- No inventory of network services.
- Requirements are not based on risk.
- Agreements omit security mechanisms.
- Provider delivery is not monitored.
- Failover provisions are not verified.
Related notes
- Audit
- Evidence
- A8 21
- Iso27001
Note Metadata
Aliases: A.8.21 Evidence
Source: 04 Audit Evidence Packs/A.8.21 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- Audit Evidence MOC
- ISO 27001 A.8.21 - Security of Network Services
- A.8 Technological Controls Audit Guide
- ISO27001-A.8.21 Security of Network Services
- A.8.21 Audit Checklist
- Network Service Provider Review Checklist
- Network Service Security Requirements Register
- Network Service SLA and Security Feature Review
- Audit Evidence Index