UnixTime

Research Note

A.8.21 Audit Evidence Pack

- Network services have owners and risk assessments. - Required security mechanisms are documented. - Agreements include security features and service levels. - Provider reports...

On this page

What the auditor wants to verify

Audit objective

Verify that security mechanisms, service levels, and service requirements for network services are identified, implemented, and monitored.

Evidence to request

Evidence Purpose
Network service register Shows services, owners, and dependencies
Risk assessment Shows required features are justified
Provider SLA/service description Shows service levels and security features
Security requirement mapping Shows CIA requirements are covered
Provider review records Shows service delivery is monitored
Failover/resilience evidence Shows availability features are understood
Exception/risk acceptance records Shows provider gaps are managed

Strong evidence

  • Network services have owners and risk assessments.
  • Required security mechanisms are documented.
  • Agreements include security features and service levels.
  • Provider reports are reviewed.
  • Failover and recovery arrangements are understood.
  • Provider limitations have compensating controls or risk acceptance.

Weak evidence

  • Network services are known only through invoices.
  • Security features are assumed from provider reputation.
  • SLA covers uptime only.
  • Provider reports are not reviewed.
  • Standard service limitations are ignored.

Sample interview questions

  • Which network services are supplier-provided?
  • What security features are required for each service?
  • How are service levels monitored?
  • What happens during provider failover or recovery?
  • Which provider limitations require compensating controls?

Common nonconformities

  • No inventory of network services.
  • Requirements are not based on risk.
  • Agreements omit security mechanisms.
  • Provider delivery is not monitored.
  • Failover provisions are not verified.
  • Audit
  • Evidence
  • A8 21
  • Iso27001

Note Metadata

Aliases: A.8.21 Evidence

Source: 04 Audit Evidence Packs/A.8.21 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.