What the auditor wants to verify
Audit objective
Verify that security testing processes are defined and implemented throughout development and acceptance.
Evidence to request
| Evidence | Purpose |
|---|---|
| Security test plan | Shows testing is planned |
| Security acceptance criteria | Shows go-live requirements |
| Test results | Shows tests were executed |
| Finding/remediation tracker | Shows issues are handled |
| Retest evidence | Shows fixes were verified |
| Acceptance sign-off | Shows authorized acceptance |
| Training/operations readiness records | Shows secure operation was considered |
Strong evidence
- Test depth and frequency trace to risk.
- Testing occurs during development and before acceptance.
- Acceptance criteria are documented.
- Defective input, regression, access control, and security controls are tested.
- Findings are remediated, retested, or risk-accepted.
- Operations and users are involved where needed.
Weak evidence
- Security testing is only final-stage.
- Functional tests are treated as security tests.
- No acceptance criteria exist.
- Findings are accepted informally.
- Retesting is missing.
- User bypass or secure operation is not considered.
Sample interview questions
- What security testing is required before go-live?
- How is testing frequency determined?
- What are the security acceptance criteria?
- How are findings tracked and retested?
- Who authorizes final acceptance?
- Are users or operations involved in testing secure use?
Common nonconformities
- No defined security testing process.
- Security acceptance criteria are missing.
- Testing is not risk-based.
- Findings are not retested.
- Final acceptance is not authorized or recorded.
Related notes
- Audit
- Evidence
- A8 29
- Iso27001
Note Metadata
Aliases: A.8.29 Evidence
Source: 04 Audit Evidence Packs/A.8.29 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- Audit Evidence MOC
- ISO 27001 A.8.29 - Security Testing in Development and Acceptance
- A.8 Technological Controls Audit Guide
- ISO27001-A.8.29 Security Testing in Development and Acceptance
- A.8.29 Audit Checklist
- Security Acceptance Criteria Checklist
- Security Acceptance Sign-Off Record
- Security Test Plan
- Security Test Results and Remediation Tracker
- Audit Evidence Index