What the auditor wants to verify
Audit objective
Verify that access to information, assets, application functions, databases, reports, exports, and dynamic support sessions is restricted according to the access control policy and business need.
Evidence to request
| Evidence | Purpose |
|---|---|
| Access control policy | Shows the governing rules |
| Information/application access rule matrix | Shows owner-approved role permissions |
| Application role configuration | Shows technical enforcement |
| Database permission review | Shows shared data paths are controlled |
| Classification and handling matrix | Shows restriction matches sensitivity |
| Export/print/download settings | Shows extracted information remains controlled |
| Maintenance utility access list | Shows sensitive functions are restricted |
| Dynamic privilege/session records | Shows temporary access is authorized and logged |
| Access review records | Shows excessive access is found and removed |
Strong evidence
- Access rules are approved by the information or application owner.
- Role permissions are mapped to create/read/modify/delete/export/admin rights.
- Application and database permissions are consistent.
- Restricted functions are hidden or unavailable to unauthorized users.
- Export, print, and download controls match classification rules.
- Dynamic privilege sessions have authorization, start/end time, logs, and review.
Weak evidence
- Policy exists but role permissions are undocumented.
- Default application roles are used without review.
- Database permissions are broader than application roles.
- Users can see restricted reports or functions.
- Extracted information is not controlled after download or print.
- Temporary support access has no approval, logging, or end time.
Sample interview questions
- Who owns the access rules for this application or information set?
- How do you decide who can read, modify, delete, export, or approve information?
- Can another application or reporting tool access the same database?
- What happens when users export or print sensitive information?
- How are support sessions authorized and logged?
- How do you confirm temporary access ended?
Common nonconformities
- Access rules are not owner-approved.
- Roles provide broader access than business need.
- Shared databases bypass application controls.
- Maintenance utilities are not restricted.
- Sensitive exports are uncontrolled.
- Dynamic privilege is not authorized, logged, or reviewed.
Related notes
- Audit
- Evidence
- A8 3
- Iso27001
Note Metadata
Aliases: A.8.3 Evidence
Source: 04 Audit Evidence Packs/A.8.3 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- Audit Evidence MOC
- ISO 27001 A.8.3 - Information Access Restriction
- A.8 Technological Controls Audit Guide
- ISO27001-A.8.3 Information Access Restriction
- A.8.3 Audit Checklist
- Dynamic Privilege Session Record
- Information Access Restriction Review Checklist
- Information Access Rule Matrix
- Sensitive Function and Export Control Checklist
- Audit Evidence Index