Evidence And Audit Readiness Guidance

Purpose

This guidance note explains how to think about evidence quality for ISMS operation, internal audit, customer assurance, and management review.

Evidence Principles

Good evidence should be:

factual
dated
attributable to a person, team, or system
traceable to a requirement or activity
easy to retrieve during review

Typical Evidence Types

Useful evidence may include:

approved documents and revision history
completed register entries
access review outputs
change and deployment records
incident records and lessons learned
supplier review records
training completion records
audit reports and corrective actions

What Makes Evidence Weak

Evidence is weak when it:

is undated
cannot be linked to a control or process
exists only as informal verbal confirmation
contradicts the documented process
shows intent but not execution

Practical Readiness Checks

For important controls, BlackDice should be able to answer:

what is the requirement
who owns it
what records show it operates
how often it is reviewed
what happens when it fails or is overdue

Working Approach

Where possible, use the operational system of record rather than duplicating evidence manually. If the record sits outside this repository, the related ISMS document should make that clear.

For recurring controls, consistent evidence matters more than polished presentation. A complete and repeatable record is usually more useful than a manually curated summary.

../../00-governance/document-and-records-control-standard.md
../../03-procedures/internal-audit-procedure.md
../../03-procedures/management-review-procedure.md
../../04-registers/internal-audit-plan-template.md

1.8 KiB Raw Blame History