UnixTime

Research Note

A.8.5 Audit Evidence Pack

- MFA is implemented for remote, privileged, and high-risk access where required. - MFA uses different factor types. - Failed logon handling includes lockout, delay, throttling,...

On this page

What the auditor wants to verify

Audit objective

Verify that authentication mechanisms and procedures are risk-based, technically secure, and aligned with access restrictions and access control policy.

Evidence to request

Evidence Purpose
Authentication standard Shows authentication rules are defined
Authentication risk assessment Shows mechanism strength is justified
MFA configuration reports Shows strong authentication is implemented
Failed logon/lockout settings Shows guessing attempts are controlled
Error message review Shows logon does not leak sensitive detail
Authentication logs and alerts Shows monitoring exists
Exception and compensating control records Shows weak systems are risk-managed

Strong evidence

  • MFA is implemented for remote, privileged, and high-risk access where required.
  • MFA uses different factor types.
  • Failed logon handling includes lockout, delay, throttling, alerting, or equivalent controls.
  • Logon errors do not reveal account existence or technical detail.
  • Legacy limitations are documented with compensating controls.

Weak evidence

  • MFA is claimed but uses repeated passwords/PINs.
  • Logon errors reveal whether accounts exist.
  • No failed-attempt controls exist.
  • Weak recovery flow bypasses normal authentication.
  • Exceptions are undocumented.

Sample interview questions

  • How was the authentication method selected?
  • Which systems require MFA and why?
  • What happens after repeated failed logons?
  • Do error messages reveal account or system details?
  • How are authentication exceptions approved and monitored?

Common nonconformities

  • Authentication strength not linked to risk.
  • True MFA not implemented where required.
  • Verbose authentication failures.
  • No lockout/throttling/delay.
  • Compensating controls missing for legacy systems.
  • Audit
  • Evidence
  • A8 5
  • Iso27001

Note Metadata

Aliases: A.8.5 Evidence

Source: 04 Audit Evidence Packs/A.8.5 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.