UnixTime

Research Note

A.8.9 Audit Evidence Pack

- Baselines exist for major technology types. - Systems are mapped to applicable baselines. - Compliance is checked regularly or continuously. - Exceptions include risk rational...

On this page

What the auditor wants to verify

Audit objective

Verify that secure configurations are established, documented, implemented, monitored, reviewed, and exceptions are risk-managed.

Evidence to request

Evidence Purpose
Configuration baseline register Shows approved secure configurations exist
System-to-baseline mapping Shows scope is known
Configuration compliance reports Shows implementation and monitoring
Exception/deviation register Shows baseline deviations are controlled
Risk assessments for deviations Shows exceptions are justified
Compensating control evidence Shows deviation risk is treated
Drift alert records Shows unauthorized change is detected
Change records Shows configuration changes are controlled
Baseline review records Shows standards remain current

Strong evidence

  • Baselines exist for major technology types.
  • Systems are mapped to applicable baselines.
  • Compliance is checked regularly or continuously.
  • Exceptions include risk rationale and compensating controls.
  • Drift alerts are triaged and closed.
  • Baselines are reviewed and updated.

Weak evidence

  • Baseline exists but only as vendor guidance, not local standard.
  • Exceptions are undocumented.
  • Compliance reports are not reviewed.
  • Alerts are ignored due to volume.
  • Configuration changes do not link to change control.

Sample interview questions

  • Which configuration baselines apply to this system?
  • How do you know the system still matches the baseline?
  • What exceptions exist and why?
  • What happens when configuration drift is detected?
  • How often are baselines reviewed?

Common nonconformities

  • No approved configuration baseline.
  • No system-to-baseline mapping.
  • No evidence of monitoring or review.
  • Exceptions not risk-assessed.
  • Drift alerts not resolved.
  • Baselines stale or not tailored.
  • Audit
  • Evidence
  • A8 9
  • Iso27001

Note Metadata

Aliases: A.8.9 Evidence

Source: 04 Audit Evidence Packs/A.8.9 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.