UnixTime

Research Note

A.8.29 Audit Evidence Pack

- Test depth and frequency trace to risk. - Testing occurs during development and before acceptance. - Acceptance criteria are documented. - Defective input, regression, access...

On this page

What the auditor wants to verify

Audit objective

Verify that security testing processes are defined and implemented throughout development and acceptance.

Evidence to request

Evidence Purpose
Security test plan Shows testing is planned
Security acceptance criteria Shows go-live requirements
Test results Shows tests were executed
Finding/remediation tracker Shows issues are handled
Retest evidence Shows fixes were verified
Acceptance sign-off Shows authorized acceptance
Training/operations readiness records Shows secure operation was considered

Strong evidence

  • Test depth and frequency trace to risk.
  • Testing occurs during development and before acceptance.
  • Acceptance criteria are documented.
  • Defective input, regression, access control, and security controls are tested.
  • Findings are remediated, retested, or risk-accepted.
  • Operations and users are involved where needed.

Weak evidence

  • Security testing is only final-stage.
  • Functional tests are treated as security tests.
  • No acceptance criteria exist.
  • Findings are accepted informally.
  • Retesting is missing.
  • User bypass or secure operation is not considered.

Sample interview questions

  • What security testing is required before go-live?
  • How is testing frequency determined?
  • What are the security acceptance criteria?
  • How are findings tracked and retested?
  • Who authorizes final acceptance?
  • Are users or operations involved in testing secure use?

Common nonconformities

  • No defined security testing process.
  • Security acceptance criteria are missing.
  • Testing is not risk-based.
  • Findings are not retested.
  • Final acceptance is not authorized or recorded.