UnixTime

Research Note

A.8.26 Audit Evidence Pack

- Requirements are specific and testable. - Requirements trace to risk, classification, and legal obligations. - Security and business owners approve requirements. - Testing pro...

On this page

What the auditor wants to verify

Audit objective

Verify that application security requirements are identified, specified, approved, and verified when applications are developed or acquired.

Evidence to request

Evidence Purpose
Application security requirements register Shows requirements are specified
Risk assessment or threat model Shows requirements are justified
Approval records Shows owner/security approval
Test/acceptance evidence Shows requirements were verified
Transaction security checklist Shows high-risk transaction controls
Exception/risk acceptance records Shows gaps are managed

Strong evidence

  • Requirements are specific and testable.
  • Requirements trace to risk, classification, and legal obligations.
  • Security and business owners approve requirements.
  • Testing proves requirements are met before release or acceptance.
  • Transaction services include verification, secure protocols, and monitoring.

Weak evidence

  • Requirements say only “must be secure”.
  • Vendor security is assumed without mapping.
  • Security requirements are added after go-live.
  • No test evidence exists.
  • Transaction controls are undocumented.

Sample interview questions

  • How are application security requirements identified?
  • Who approves them?
  • How are acquired applications assessed?
  • How are transaction protections determined?
  • How are requirements tested before release?
  • How are exceptions risk-accepted?

Common nonconformities

  • Requirements are not documented or approved.
  • Requirements are not testable.
  • Public transaction risks are not assessed.
  • Cryptographic or legal requirements are missed.
  • Acceptance testing omits security requirements.
  • Audit
  • Evidence
  • A8 26
  • Iso27001

Note Metadata

Aliases: A.8.26 Evidence

Source: 04 Audit Evidence Packs/A.8.26 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.