Initial commit

05-guidance/evidence-and-audit-readiness-guidance.md

@@ -0,0 +1,61 @@
+# Evidence And Audit Readiness Guidance
+
+## Purpose
+
+This guidance note explains how to think about evidence quality for ISMS operation, internal audit, customer assurance, and management review.
+
+## Evidence Principles
+
+Good evidence should be:
+
+- factual
+- dated
+- attributable to a person, team, or system
+- traceable to a requirement or activity
+- easy to retrieve during review
+
+## Typical Evidence Types
+
+Useful evidence may include:
+
+- approved documents and revision history
+- completed register entries
+- access review outputs
+- change and deployment records
+- incident records and lessons learned
+- supplier review records
+- training completion records
+- audit reports and corrective actions
+
+## What Makes Evidence Weak
+
+Evidence is weak when it:
+
+- is undated
+- cannot be linked to a control or process
+- exists only as informal verbal confirmation
+- contradicts the documented process
+- shows intent but not execution
+
+## Practical Readiness Checks
+
+For important controls, BlackDice should be able to answer:
+
+- what is the requirement
+- who owns it
+- what records show it operates
+- how often it is reviewed
+- what happens when it fails or is overdue
+
+## Working Approach
+
+Where possible, use the operational system of record rather than duplicating evidence manually. If the record sits outside this repository, the related ISMS document should make that clear.
+
+For recurring controls, consistent evidence matters more than polished presentation. A complete and repeatable record is usually more useful than a manually curated summary.
+
+## Related Documents
+
+- `../../00-governance/document-and-records-control-standard.md`
+- `../../03-procedures/internal-audit-procedure.md`
+- `../../03-procedures/management-review-procedure.md`
+- `../../04-registers/internal-audit-plan-template.md`