UnixTime

Research Note

A.8.27 Audit Evidence Pack

- Principles are specific and usable. - Architecture reviews reference principles. - Threat models identify and treat design risks. - Deviations are risk-assessed and approved....

On this page

What the auditor wants to verify

Audit objective

Verify that secure system architecture and engineering principles are documented, maintained, and applied to system development activities.

Evidence to request

Evidence Purpose
Secure architecture principles standard Shows principles are documented
Architecture review records Shows principles are applied
Threat model/design review records Shows design risks are considered
Deviation records Shows exceptions are approved
Contractor/supplier requirements Shows external parties are covered
Standards review records Shows principles are maintained
Competence/training records Shows roles understand security engineering

Strong evidence

  • Principles are specific and usable.
  • Architecture reviews reference principles.
  • Threat models identify and treat design risks.
  • Deviations are risk-assessed and approved.
  • Contractors and suppliers follow relevant principles.
  • Principles are updated when technology or threats change.

Weak evidence

  • Principles are generic slogans.
  • Design decisions do not reference security principles.
  • Security architecture role is unclear.
  • Contractors use unmanaged design practices.
  • Principles are never reviewed.

Sample interview questions

  • What secure engineering principles are used?
  • Where did the principles come from?
  • How are they kept current?
  • How are they applied in architecture reviews?
  • Who approves deviations?
  • How are contractors made aware of the principles?

Common nonconformities

  • Principles are not documented.
  • Principles are not applied in design work.
  • No architecture review evidence exists.
  • Deviations are informal.
  • External parties are not covered.
  • Audit
  • Evidence
  • A8 27
  • Iso27001

Note Metadata

Aliases: A.8.27 Evidence

Source: 04 Audit Evidence Packs/A.8.27 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.