A.5.1 Audit Evidence Pack
The auditor wants to confirm that information security policies are defined, approved, published, communicated, acknowledged, controlled, and reviewed.
ISO27002 domain with 118 resources grouped for implementation and audit work.
Domain guide
Templates, evidence packs, and proof patterns that support ISO 27002-aligned control implementation.
Guide + resources
Audit evidence packs, registers, proof records, and evidence examples.
The auditor wants to confirm that information security policies are defined, approved, published, communicated, acknowledged, controlled, and reviewed.
The auditor wants to confirm that acceptable use rules and information handling procedures are defined, communicated, acknowledged, implemented, and enforced for relevant users...
The auditor wants to confirm that employees, contractors, third-party users, and other relevant parties return organizational assets when employment, contract, agreement, or rol...
The auditor wants to confirm that the organization has a clear, usable classification scheme and that information is classified according to confidentiality, integrity, availabi...
The auditor wants to confirm that labelling procedures exist, align with the classification scheme, and are implemented across relevant physical and digital forms of information.
The auditor wants to confirm that the organization has documented and implemented rules, procedures, or agreements for transferring information internally and externally across...
The auditor wants to confirm that physical and logical access rules are defined, implemented, approved, reviewed, and based on business and information security requirements.
The auditor wants to confirm that identities are uniquely registered where possible and managed through the full lifecycle: creation, authorization, change, review, disabling, d...
The auditor wants to confirm that secret authentication information is issued, managed, changed, reset, stored, and handled through a controlled process, and that users understa...
The auditor wants to confirm that access rights are formally provisioned, reviewed, modified, and removed according to access control rules.
The auditor wants to confirm that supplier information security risks are identified, assessed, controlled, contractually addressed, and reviewed.
The auditor wants to confirm that information security roles and responsibilities are defined, allocated, documented, communicated, understood, accepted, current, and applied to...
The auditor wants to confirm that supplier security requirements are established, agreed, authorized, and appropriate to the supplier relationship before access or information s...
The auditor wants to confirm that ICT supply-chain risks are identified and managed, including inherited risks from subcontractors, cloud providers, support parties, hosting pro...
The auditor wants to confirm that supplier security practices and service delivery are monitored, reviewed, evaluated, and changed through a controlled process.
The auditor wants to confirm that cloud service acquisition, use, management, and exit are governed according to the organization's information security requirements.
The auditor wants to confirm that incident management processes, roles, responsibilities, reporting routes, and preparation activities are defined, established, communicated, an...
The auditor wants to confirm that reported security events are assessed using defined criteria and that the incident/non-incident decision is recorded with justification and tim...
The auditor wants to confirm that confirmed information security incidents are responded to according to documented procedures and that response decisions, actions, responsibili...
The auditor wants to confirm that knowledge from incidents is captured and used to improve controls, procedures, awareness, risk treatment, and the ISMS.
The auditor wants to confirm that procedures exist and operate for identifying, collecting, acquiring, preserving, storing, and protecting evidence related to information securi...
The auditor wants to confirm that information security is maintained at an appropriate level during disruption and that continuity plans include security objectives, roles, requ...
The auditor wants to confirm that conflicting duties and responsibilities have been identified and segregated, or that compensating controls exist where segregation is not pract...
The auditor wants to confirm that ICT readiness is planned, implemented, maintained, and tested based on business continuity objectives and ICT continuity requirements.
The auditor wants to confirm that applicable legal, statutory, regulatory, and contractual information security requirements are identified, documented, owned, kept current, and...
The auditor wants to confirm that procedures protect intellectual property rights and that software, content, source code, libraries, and AI-generated material are used within a...
The auditor wants to confirm that required records are identified, retained, protected from loss/alteration/unauthorized access/release, reviewed, accessible through retention,...
The auditor wants to confirm that privacy and PII requirements are identified, mapped, implemented, reviewed, and evidenced for all relevant PII holdings, roles, transfers, and...
The auditor wants to confirm that the information security approach and implementation are independently reviewed at planned intervals and after significant changes, with findin...
The auditor wants to confirm that compliance with information security policies, rules, and standards is regularly reviewed through management and technical checks, with finding...
The auditor wants to confirm that operating procedures for information processing facilities are documented, controlled, current, available to personnel who need them, and used...
The auditor wants to confirm that managers actively require personnel to apply information security according to policies and procedures.
The auditor wants to confirm that the organization has identified relevant authorities, assigned authorized liaison roles, defined contact triggers, maintained accurate contact...
The auditor wants to confirm that the organization maintains proportionate contact with relevant specialist security groups, forums, or professional associations and that useful...
The auditor wants to confirm that threat information is collected, analyzed, validated, contextualized, and used to support risk assessment, risk treatment, control improvement,...
The auditor wants to confirm that information security is integrated into the project management method and applied in real projects from initiation through transition to operat...
The auditor wants to confirm that information and associated assets are identified, owned, classified, maintained, protected, and updated through change, project, procurement, a...
The auditor wants evidence that background verification checks are defined, applied, documented, and protected as personal data.
The auditor wants evidence that security responsibilities are defined, accepted, role-appropriate, current, and applicable to employees, contractors, and third-party users in sc...
The auditor wants evidence that training is role-relevant, current, recorded, repeated where needed, and improved based on effectiveness feedback.
The auditor wants evidence that the organization can respond fairly and consistently when personnel or relevant interested parties violate information security policy.
The auditor wants proof that old access and assets are removed, relevant parties are notified, and continuing duties are communicated after termination or role change.
The auditor wants evidence that agreements reflect actual confidentiality requirements and are legally usable where needed.
The auditor wants evidence that information remains protected when accessed, processed, or stored outside organization premises.
The auditor wants proof that reporting channels are known, usable, timely, and connected to event assessment and incident management.
The auditor wants evidence that physical zones protect assets and information, not just a floorplan showing rooms.
- Media handling follows classification. - Media is inventoried and labelled where appropriate. - Dispatches are authorized and recorded. - Sensitive media is protected during t...
- Critical facilities have documented utility dependencies. - UPS/generator tests include load, runtime, cooling, and maintenance evidence. - Alarms detect utility failures and...
- Cable routes are documented and protected. - Power/data segregation is implemented where needed. - Patch panels, cabinets, and connections are locked or access-controlled. - L...
- Maintenance is scheduled and recorded. - Faults and repairs are tracked. - Maintainers are authorized and qualified. - External maintainers are escorted where required. - Conf...
- Records identify asset, storage media, classification, method, verifier, and date. - Sanitization method matches media type and sensitivity. - Contractor records are asset-spe...
The auditor wants evidence that only authorized people can enter secure areas and that visitor, badge, delivery, and loading controls operate in practice.
- Controls are based on value, liability, importance, and classification. - Sensitive room purpose is not unnecessarily exposed. - Internal directories and access clues are prot...
- Monitoring scope is documented and risk-based. - Alerts have owners, response times, and escalation paths. - Monitoring tests are performed and recorded. - Monitoring staff kn...
- Hazard assessment includes site, room, utility, and neighbor risks. - Specialist advice exists for material hazards. - Controls are implemented and maintained. - Continuity ar...
- Secure-area work is identified and risk-assessed. - Need-to-know, device, media, supervision, and dual-control rules are documented. - Employees, contractors, and third partie...
- Rules cover papers, removable media, screens, printers, faxes, storage, and confidential waste. - Auto-lock settings are enforced. - Sensitive print/fax workflows are controll...
- Equipment inventory includes location, owner, and protection requirement. - Siting assessment covers physical, environmental, viewing, access, and interference risks. - Networ...
- Asset removal is authorized and logged. - Off-site assets are recorded with custodian, location, and review date. - Mobile devices are encrypted and managed. - Long-term loans...
Reusable implementation, audit, and operational templates.
Use this during internal audits to verify that acceptable use and handling rules are defined, acknowledged, implemented, and enforced.
Use this during internal audits to verify that assets are returned during termination, contract end, agreement end, or role change.
Use this during internal audits to verify that information classification is defined, implemented, understood, and maintained.
Use this during internal audits to verify that information labelling procedures are defined and implemented in line with the classification scheme.
Use this during internal audits to verify that information transfer rules, procedures, and agreements are defined and implemented across actual transfer channels.
Use this during internal audits to verify that physical and logical access controls are defined, implemented, approved, and reviewed.
Use this during internal audits to verify that identities are managed across the full lifecycle.
Use this during internal audits to verify that secret authentication information is allocated and managed through a controlled process.
Use this during internal audits to verify that access rights are provisioned, reviewed, modified, and removed according to access control rules.
Use this during internal audits to verify that supplier information security risks are identified, assessed, controlled, and reviewed.
Use this during internal audits to verify that supplier security requirements are formally agreed and appropriate to the supplier relationship.
Use this during internal audits to verify that ICT supply-chain dependencies and inherited security risks are identified and managed.
Use this during internal audits to verify that supplier services and security practices are monitored, reviewed, evaluated, and changed through a controlled process.
Use this during internal audits to verify that cloud services are acquired, used, managed, and exited according to information security requirements.
Use this during internal audits to verify that incident management planning and preparation are defined, communicated, and ready to operate.
Use this during internal audits to test whether A.5.25 Assessment and Decision on Information Security Events is designed, implemented, operating, and evidenced.
Use this during internal audits to test whether A.5.26 Response to Information Security Incidents is designed, implemented, operating, and evidenced.
Use this during internal audits to test whether A.5.27 Learning from Information Security Incidents is designed, implemented, operating, and evidenced.
Use this during internal audits to test whether A.5.28 Collection of Evidence is designed, implemented, operating, and evidenced.
Use this during internal audits to test whether A.5.29 Information Security During Disruption is designed, implemented, operating, and evidenced.
Use this during internal audits to test whether A.5.30 ICT Readiness for Business Continuity is designed, implemented, operating, and evidenced.
Use this during internal audits to test whether A.5.31 Legal, Statutory, Regulatory and Contractual Requirements is designed, implemented, operating, and evidenced.
Use this during internal audits to test whether A.5.32 Intellectual Property Rights is designed, implemented, operating, and evidenced.
Use this during internal audits to test whether A.5.33 Protection of Records is designed, implemented, operating, and evidenced.
Use this during internal audits to test whether A.5.34 Privacy and Protection of PII is designed, implemented, operating, and evidenced.
Use this during internal audits to test whether A.5.35 Independent Review of Information Security is designed, implemented, operating, and evidenced.
Use this during internal audits to test whether A.5.36 Compliance with Policies, Rules and Standards for Information Security is designed, implemented, operating, and evidenced.
Use this during internal audits to test whether A.5.37 Documented Operating Procedures is designed, implemented, operating, and evidenced.
Use this during internal audits to test whether relevant authority contacts are identified, maintained, authorized, and usable.
Use this during internal audits to verify that the organization maintains relevant external security knowledge contacts and uses received information appropriately.
Use this during internal audits to verify that threat information is collected, analyzed, contextualized, and used to support ISMS decisions.
Use this during internal audits to verify that information security is embedded in project governance and applied to sampled projects.
Use this during internal audits to verify that information and associated assets are inventoried, owned, maintained, and protected.
- Confirm the organization has a documented screening procedure. - Confirm screening applies to employees, contractors, temporary staff, and third-party users in ISMS scope. - C...
Use this checklist during an internal audit of employment, contractor, and third-party security responsibility terms.
Use this checklist during an internal audit of information security awareness, education, training, and update processes.
Use this checklist during an internal audit of disciplinary handling for information security policy violations.
Use this checklist during an internal audit of leaver, mover, contractor offboarding, and continuing responsibility controls.
Use this checklist during an internal audit of confidentiality and non-disclosure agreement controls.
- Confirm remote working policy and procedures exist. - Confirm authorized remote workers, locations, activities, data, and controls are recorded. - Check remote working risk as...
Use this checklist during an internal audit of information security event reporting.
- Confirm physical security perimeters are defined. - Confirm zones are linked to information/assets and risk. - Review perimeter diagrams or zone register. - Walk the perimeter...
Use this checklist during an internal audit of storage media acquisition, use, transport, storage, disposal, destruction, and damaged-media handling.
Use this checklist during an internal audit of power, cooling, telecommunications, water, emergency lighting, fire protection, and building-management utility resilience.
Use this checklist during an internal audit of power, data, telecommunications, and supporting service cabling.
Use this checklist during an internal audit of equipment maintenance and repair controls.
Use this checklist during an internal audit of equipment disposal, reuse, sale, donation, recycling, or repair dispatch.
- Confirm secure areas are identified. - Confirm entry controls match risk and sensitivity. - Review physical access authorization and logs. - Check physical access review recor...
Use this checklist during an internal audit of physical security design for offices, rooms, and facilities.
- Confirm premises monitoring scope is documented. - Confirm monitoring is continuous where required. - Review monitoring service or personnel responsibilities. - Check alarm re...
Use this checklist during an internal audit of physical and environmental threat protection.
Use this checklist during an internal audit of work performed inside secure areas.
Use this checklist during an internal audit of clear desk, clear screen, printer, fax, and unattended information controls.
Use this checklist during an internal audit of equipment siting, physical protection, environmental exposure, and remote equipment scope.
Use this checklist during an internal audit of assets taken, used, stored, or accessed outside organization premises.
Research note.
Research note.
Research note.
Research note.
Link to this domain with /research/iso27002/templates-evidence/ . Link directly to exact notes from any resource card above.