UnixTime

Research Note

A.8.32 Audit Evidence Pack

- Security impact is assessed before approval. - Testing and rollback are proportionate to risk. - Implementation logs match approved changes. - Release records identify include...

On this page

What the auditor wants to verify

Audit objective

Verify that changes to information processing facilities and information systems are assessed, approved, tested, implemented, recorded, and recoverable.

Evidence to request

Evidence Purpose
Change management procedure Shows process and responsibility
Sample change requests Shows actual use
Security impact assessments Shows security was considered
Approval records Shows authorization
Test evidence Shows verification before release
Rollback/failback plans Shows recovery planning
Implementation logs Shows what changed and when
Release records Shows grouped changes are traceable
Emergency change records Shows urgent changes are still controlled

Strong evidence

  • Security impact is assessed before approval.
  • Testing and rollback are proportionate to risk.
  • Implementation logs match approved changes.
  • Release records identify included changes.
  • Emergency changes have retrospective review.
  • Documentation/configuration records are updated.

Weak evidence

  • Approval without impact assessment.
  • Testing described but not evidenced.
  • Rollback plan is generic or unrealistic.
  • Emergency change process is informal.
  • Release records hide individual changes.

Sample interview questions

  • What changes are in scope for change management?
  • How is security impact assessed?
  • Who approves production changes?
  • What testing is required before implementation?
  • What happens if a change fails?
  • How are emergency changes reviewed after implementation?

Common nonconformities

  • Changes proceed without security impact assessment.
  • Testing or rollback evidence is missing.
  • Emergency changes are not reviewed.
  • Change records are incomplete.
  • Release bundles do not identify individual changes.
  • Audit
  • Evidence
  • A8 32
  • Iso27001

Note Metadata

Aliases: A.8.32 Evidence

Source: 04 Audit Evidence Packs/A.8.32 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.