UnixTime

Research Note

A.8.23 Audit Evidence Pack

- Categories are mapped to policy and risk. - Filtering covers remote users and relevant devices. - Exceptions have approval, owner, and review date. - Users cannot casually dis...

On this page

What the auditor wants to verify

Audit objective

Verify that access to external websites is managed to reduce exposure to malicious content.

Evidence to request

Evidence Purpose
Web filtering policy Shows intended rules
Category/rule configuration Shows enforcement
Coverage report Shows in-scope users/devices are protected
Exception register Shows exceptions are authorized
Alert logs Shows high-risk attempts are detected
Review records Shows filtering remains effective
Awareness evidence Shows users understand rules

Strong evidence

  • Categories are mapped to policy and risk.
  • Filtering covers remote users and relevant devices.
  • Exceptions have approval, owner, and review date.
  • Users cannot casually disable or bypass filtering.
  • Malicious destination attempts feed monitoring or incident response.
  • Reviews consider security and business impact.

Weak evidence

  • Tool exists but scope is unclear.
  • Vendor defaults are used without review.
  • Exceptions are permanent and ownerless.
  • Remote users bypass filtering.
  • Alerts are not reviewed.

Sample interview questions

  • Which website categories are blocked and why?
  • Which users and devices are covered?
  • How are false positives and exceptions handled?
  • Can users bypass or disable filtering?
  • What happens if a device attempts to reach a known malicious site?

Common nonconformities

  • Policy is not mapped to filtering configuration.
  • Coverage gaps exist for remote users.
  • Exception process is weak.
  • Bypass is possible without alerting.
  • Malicious destination alerts are not escalated.
  • Audit
  • Evidence
  • A8 23
  • Iso27001

Note Metadata

Aliases: A.8.23 Evidence

Source: 04 Audit Evidence Packs/A.8.23 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.