UnixTime

Research Note

A.8.7 Audit Evidence Pack

- Malware protection coverage is inventoried. - Updates are monitored and exceptions are investigated. - Real-time scanning is enabled where feasible. - Sensitive/shared systems...

On this page

What the auditor wants to verify

Audit objective

Verify that malware protection is deployed, current, monitored, supported by user awareness, and backed by a recorded response process.

Evidence to request

Evidence Purpose
Malware protection policy/standard Shows rules are defined
EDR/anti-malware coverage report Shows protected and unprotected systems
Update/signature/engine status report Shows protection is current
Real-time and scheduled scan settings Shows scanning is configured
Email/web/file/removable media controls Shows common infection paths are controlled
Malware alerts and quarantine logs Shows detection is operating
Malware infection response records Shows incidents are recorded and handled
Rebuild/cleaning verification records Shows recovery was validated
Awareness training records Shows users were trained

Strong evidence

  • Malware protection coverage is inventoried.
  • Updates are monitored and exceptions are investigated.
  • Real-time scanning is enabled where feasible.
  • Sensitive/shared systems have layered scanning or documented risk rationale.
  • Infections are recorded and closed with verification.
  • Users can explain suspicious links, fake prompts, risky downloads, and reporting steps.

Weak evidence

  • Tool is installed but update status is unknown.
  • Servers, mobile devices, or cloud workloads are excluded without risk assessment.
  • Alerts exist but no one reviews them.
  • Automatic cleaning is accepted without verification.
  • Training records do not cover malware behavior.
  • Users install unapproved “security” tools.

Sample interview questions

  • What malware protection tool is approved?
  • How do you know it is installed and current?
  • What should users do if they see a suspicious link, attachment, or fake update prompt?
  • What happens after malware is detected?
  • How do you verify that a cleaned system is safe?
  • Are mobile devices or servers handled differently?

Common nonconformities

  • Malware protection not deployed to all in-scope systems.
  • Update failures not monitored.
  • No infection response records.
  • No awareness evidence.
  • No verification after cleaning.
  • Unapproved/free tools used without suitability review.
  • Audit
  • Evidence
  • A8 7
  • Iso27001

Note Metadata

Aliases: A.8.7 Evidence

Source: 04 Audit Evidence Packs/A.8.7 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.