What the auditor wants to verify
Audit objective
Verify that secure configurations are established, documented, implemented, monitored, reviewed, and exceptions are risk-managed.
Evidence to request
| Evidence | Purpose |
|---|---|
| Configuration baseline register | Shows approved secure configurations exist |
| System-to-baseline mapping | Shows scope is known |
| Configuration compliance reports | Shows implementation and monitoring |
| Exception/deviation register | Shows baseline deviations are controlled |
| Risk assessments for deviations | Shows exceptions are justified |
| Compensating control evidence | Shows deviation risk is treated |
| Drift alert records | Shows unauthorized change is detected |
| Change records | Shows configuration changes are controlled |
| Baseline review records | Shows standards remain current |
Strong evidence
- Baselines exist for major technology types.
- Systems are mapped to applicable baselines.
- Compliance is checked regularly or continuously.
- Exceptions include risk rationale and compensating controls.
- Drift alerts are triaged and closed.
- Baselines are reviewed and updated.
Weak evidence
- Baseline exists but only as vendor guidance, not local standard.
- Exceptions are undocumented.
- Compliance reports are not reviewed.
- Alerts are ignored due to volume.
- Configuration changes do not link to change control.
Sample interview questions
- Which configuration baselines apply to this system?
- How do you know the system still matches the baseline?
- What exceptions exist and why?
- What happens when configuration drift is detected?
- How often are baselines reviewed?
Common nonconformities
- No approved configuration baseline.
- No system-to-baseline mapping.
- No evidence of monitoring or review.
- Exceptions not risk-assessed.
- Drift alerts not resolved.
- Baselines stale or not tailored.
Related notes
- Audit
- Evidence
- A8 9
- Iso27001
Note Metadata
Aliases: A.8.9 Evidence
Source: 04 Audit Evidence Packs/A.8.9 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- Audit Evidence MOC
- ISO 27001 A.8.9 - Configuration Management
- A.8 Technological Controls Audit Guide
- ISO27001-A.8.9 Configuration Management
- A.8.9 Audit Checklist
- Configuration Baseline Register
- Configuration Compliance Review Checklist
- Configuration Drift Alert Review Record
- Configuration Exception and Risk Acceptance Record
- Audit Evidence Index