Audit evidence practice

Learn how auditors think about evidence quality, sampling, and systemic weakness

This route teaches evidence-centered audit reasoning: what to ask for next, how to judge whether the evidence is strong enough, and how to decide whether a sample suggests an isolated miss or a broader system issue.
Policy or standard
Shows intended direction, accountabilities, and rules. It does not prove that the process is operating.
Strong signal: Current, approved, scoped to the actual operating model, and referenced by teams during walkthroughs.
Weak signal: Outdated copy, generic template language, or no evidence that teams know it exists.
Risk register
Shows how the organization identifies, evaluates, owns, and treats risk inside the ISMS.
Strong signal: Current entries with criteria, owners, treatment decisions, target dates, and links to controls or projects.
Weak signal: Static spreadsheet with scores only, no clear treatment logic, or no connection to real operating changes.
Statement of Applicability
Shows which Annex A controls apply, why they apply or not, and how implementation stands.
Strong signal: Rationales are specific, tied to treatment decisions, and supported by implementation evidence.
Weak signal: Blanket statements such as 'not relevant' or 'best practice' with no linkage to business context or risk.
Approval record
Shows that a decision, method, or artifact was formally reviewed and accepted by the right authority.
Strong signal: Named approver, approval date, version reference, and decision context are easy to trace.
Weak signal: Informal chat message, unclear approver, or no version linkage to the document being relied upon.
Meeting minutes
Show that governance discussions happened and that actions, decisions, and escalations were captured.
Strong signal: Specific agenda, attendees, decisions, action owners, deadlines, and references to supporting evidence.
Weak signal: High-level notes with no decisions, no owners, or no indication that required inputs were reviewed.
Training attendance
Shows who completed awareness or competence activities during the sampled period.
Strong signal: Attendance or completion data is complete, timely, and tied to role populations or target groups.
Weak signal: Only the slide deck exists, with no attendance, no completion tracking, or no effectiveness follow-up.
Ticket or workflow evidence
Shows execution in the day-to-day system of record, not only in policy text.
Strong signal: Tickets show approvers, timestamps, linked evidence, and closure aligned with the documented process.
Weak signal: Changes happen in chat or email with no durable workflow trail or inconsistent metadata.
Access review record
Shows who reviewed which entitlements, when, and what decisions were taken.
Strong signal: Review population, reviewer, exceptions, follow-up actions, and completion dates are clear.
Weak signal: Manager says the review happened, but there is no export, sign-off, or record of removals.
Asset inventory
Shows the systems, information assets, and supporting components the ISMS is really managing.
Strong signal: Covers in-scope services, owners, data types, environments, and links to key dependencies.
Weak signal: Critical systems are missing, ownership is unclear, or the inventory is disconnected from the real architecture.
Supplier review record
Shows that supplier security due diligence or periodic review actually happened.
Strong signal: Criticality, review criteria, evidence collected, risk decisions, and renewal dates are recorded.
Weak signal: The process is claimed in policy, but there is no completed review package for sampled suppliers.
Incident record
Shows whether security events are logged, assessed, escalated, and learned from as defined.
Strong signal: Ticket contains severity, timeline, owner, communications, containment, and lesson-learned output.
Weak signal: The team handled the event informally with no ticket, no severity, and no evidence of closure.
Restore test evidence
Shows that backups are not only running but can be restored within business expectations.
Strong signal: Recent test report shows scope, method, timings, result, issues found, and follow-up action.
Weak signal: Only backup job success exists, with no recent restore exercise for sampled critical systems.
Internal audit report
Shows whether the organization has independently checked its ISMS and followed through on findings.
Strong signal: Programme, plan, report, evidence, findings, and closure of corrective actions are easy to trace.
Weak signal: A schedule exists, but there is no report, no sampling record, and no closure trail for prior issues.
Management review minutes
Show whether leadership reviewed the required inputs and made decisions on the ISMS.
Strong signal: Inputs, trends, resource needs, actions, and improvements are explicitly captured with owners.
Weak signal: A leadership meeting happened, but minutes do not show the required ISMS topics or resulting decisions.

Auditor thinking

Ask for the next evidence, judge quality, and test whether the issue is systemic

ISO 27001 audits are not checklist theatre. The skill is knowing what to request next, how strong the evidence really is, and when a sampled weakness points to a broader system problem.

Drill 1 (Clause 4.3)
Audit the scope boundary
A managed services provider says only its French operations are in scope, but shared tooling and an overseas NOC support the same customer service.
Available evidence
Policy or standard (Weak)
Broad scope statement with no interface detail
The boundary is named, but not made operational.
Asset inventory (Partial)
Inventory includes shared systems outside the written boundary
The operating estate looks wider than the statement.
What evidence would you ask for next?
Is the current evidence sufficient, weak, partial, or absent?
What does the sample suggest: systemic, isolated, or more sampling needed?
What follow-up question would an auditor ask?
Drill 2 (Clause 9.3)
Challenge management review evidence
Leadership says the quarterly steering committee is also the ISMS management review.
Available evidence
Management review minutes (Partial)
Minutes cover budget and projects but not clearly identifiable ISMS inputs
A leadership forum exists, but the required review content is incomplete.
Internal audit report (Partial)
Internal audit report exists separately
It is not visibly used in the leadership record.
What evidence would you ask for next?
Is the current evidence sufficient, weak, partial, or absent?
What does the sample suggest: systemic, isolated, or more sampling needed?
What follow-up question would an auditor ask?
Drill 3 (Clause 8.1)
Separate backup activity from recoverability evidence
Backup dashboards are green for all sampled days, but no restore report is available for critical systems.
Available evidence
System log (Sufficient)
Automated backup success logs
These prove jobs ran, not that recovery is effective.
Restore test evidence (Absent)
No restore report for sampled critical services
The effectiveness question remains open.
What evidence would you ask for next?
Is the current evidence sufficient, weak, partial, or absent?
What does the sample suggest: systemic, isolated, or more sampling needed?
What follow-up question would an auditor ask?
Drill 4 (Clause 8.1)
Judge evidence quality for access review
Core business systems have signed access reviews, but smaller support tools rely on verbal manager confirmations.
Available evidence
Access review record (Partial)
Formal review records for the largest systems
The process works in part of the environment.
Ticket or workflow evidence (Weak)
No removal tickets for smaller tools
Execution evidence is weak where governance is lighter.
What evidence would you ask for next?
Is the current evidence sufficient, weak, partial, or absent?
What does the sample suggest: systemic, isolated, or more sampling needed?
What follow-up question would an auditor ask?
Drill 5 (Clauses 6.1.3 and 6.1.4)
Test SoA traceability
The SoA exists, but the rationales are broad and do not map cleanly to the treatment register.
Available evidence
Statement of Applicability (Weak)
Generic rationales such as 'best practice'
The artifact exists, but the reasoning is shallow.
Risk register (Partial)
Treatment actions exist but are not linked to control positions
The bridge between risk and control choice is weak.
What evidence would you ask for next?
Is the current evidence sufficient, weak, partial, or absent?
What does the sample suggest: systemic, isolated, or more sampling needed?
What follow-up question would an auditor ask?
Drill 6 (Clauses 8.1 and 6.1.3)
Judge whether supplier review is operating
The supplier review procedure exists, but no completed review package is available for sampled critical vendors.
Available evidence
Policy or standard (Sufficient)
Supplier review procedure
The organization has defined what it says should happen.
Supplier review record (Absent)
No review records for sampled critical suppliers
Execution evidence is missing where the risk is highest.
What evidence would you ask for next?
Is the current evidence sufficient, weak, partial, or absent?
What does the sample suggest: systemic, isolated, or more sampling needed?
What follow-up question would an auditor ask?