Evidence And Audit Readiness Guidance
Purpose
This guidance note explains how to think about evidence quality for ISMS operation, internal audit, customer assurance, and management review.
Evidence Principles
Good evidence should be:
- factual
- dated
- attributable to a person, team, or system
- traceable to a requirement or activity
- easy to retrieve during review
Typical Evidence Types
Useful evidence may include:
- approved documents and revision history
- completed register entries
- access review outputs
- change and deployment records
- incident records and lessons learned
- supplier review records
- training completion records
- audit reports and corrective actions
What Makes Evidence Weak
Evidence is weak when it:
- is undated
- cannot be linked to a control or process
- exists only as informal verbal confirmation
- contradicts the documented process
- shows intent but not execution (for example, a policy that requires periodic access reviews with no review output to show they happened)
Practical Readiness Checks
For important controls, BlackDice should be able to answer:
- what is the requirement
- who owns it
- what records show it operates
- how often it is reviewed
- what happens when it fails or is overdue
Working Approach
Where possible, use the operational system of record rather than duplicating evidence manually. If the record sits outside this repository, the related ISMS document should state where the record is held and how it can be retrieved during review.
For recurring controls, consistent evidence matters more than polished presentation. A complete and repeatable record is usually more useful than a manually curated summary.
Related Documents
- ../../00-governance/document-and-records-control-standard.md
- ../../03-procedures/internal-audit-procedure.md
- ../../03-procedures/management-review-procedure.md
- ../../04-registers/internal-audit-plan-template.md