What the auditor wants to verify
Audit objective
Verify that secure system architecture and engineering principles are documented, maintained, and applied to system development activities.
Evidence to request
| Evidence | Purpose |
|---|---|
| Secure architecture principles standard | Shows principles are documented |
| Architecture review records | Shows principles are applied |
| Threat model/design review records | Shows design risks are considered |
| Deviation records | Shows exceptions are approved |
| Contractor/supplier requirements | Shows external parties are covered |
| Standards review records | Shows principles are maintained |
| Competence/training records | Shows roles understand security engineering |
Strong evidence
- Principles are specific and usable.
- Architecture reviews reference principles.
- Threat models identify and treat design risks.
- Deviations are risk-assessed and approved.
- Contractors and suppliers follow relevant principles.
- Principles are updated when technology or threats change.
Weak evidence
- Principles are generic slogans.
- Design decisions do not reference security principles.
- Security architecture role is unclear.
- Contractors use unmanaged design practices.
- Principles are never reviewed.
Sample interview questions
- What secure engineering principles are used?
- Where did the principles come from?
- How are they kept current?
- How are they applied in architecture reviews?
- Who approves deviations?
- How are contractors made aware of the principles?
Common nonconformities
- Principles are not documented.
- Principles are not applied in design work.
- No architecture review evidence exists.
- Deviations are informal.
- External parties are not covered.
Related notes
- Audit
- Evidence
- A8 27
- Iso27001
Note Metadata
Aliases: A.8.27 Evidence
Source: 04 Audit Evidence Packs/A.8.27 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- Audit Evidence MOC
- ISO 27001 A.8.27 - Secure System Architecture and Engineering Principles
- A.8 Technological Controls Audit Guide
- ISO27001-A.8.27 Secure System Architecture and Engineering Principles
- A.8.27 Audit Checklist
- Secure Architecture Principles Standard
- Security Architecture Review Record
- Security Engineering Deviation Record
- Audit Evidence Index