What the auditor wants to verify
Audit objective
Verify that access to external websites is managed to reduce exposure to malicious content.
Evidence to request
| Evidence | Purpose |
|---|---|
| Web filtering policy | Shows intended rules |
| Category/rule configuration | Shows enforcement |
| Coverage report | Shows in-scope users/devices are protected |
| Exception register | Shows exceptions are authorized |
| Alert logs | Shows high-risk attempts are detected |
| Review records | Shows filtering remains effective |
| Awareness evidence | Shows users understand rules |
Strong evidence
- Categories are mapped to policy and risk.
- Filtering covers remote users and relevant devices.
- Exceptions have approval, owner, and review date.
- Users cannot casually disable or bypass filtering.
- Malicious destination attempts feed monitoring or incident response.
- Reviews consider security and business impact.
Weak evidence
- Tool exists but scope is unclear.
- Vendor defaults are used without review.
- Exceptions are permanent and ownerless.
- Remote users bypass filtering.
- Alerts are not reviewed.
Sample interview questions
- Which website categories are blocked and why?
- Which users and devices are covered?
- How are false positives and exceptions handled?
- Can users bypass or disable filtering?
- What happens if a device attempts to reach a known malicious site?
Common nonconformities
- Policy is not mapped to filtering configuration.
- Coverage gaps exist for remote users.
- Exception process is weak.
- Bypass is possible without alerting.
- Malicious destination alerts are not escalated.
Related notes
- Audit
- Evidence
- A8 23
- Iso27001
Note Metadata
Aliases: A.8.23 Evidence
Source: 04 Audit Evidence Packs/A.8.23 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.